CVE-2023-1672

Published: Jul 11, 2023Modified: Nov 21, 2024

5.3

Vector

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 1.6 / Impact: 3.6

Source: NVD

Description

A race condition exists in the Tang server functionality for key generation and key rotation. This flaw results in a small time window where Tang private keys become readable by other processes on the same host.

Affected (4)

Products: Tang Project: Tang · Fedoraproject: Fedora · Redhat: Enterprise Linux

1 product

1 product

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Tang Project Tang	Before 14

Configuration B

1 vulnerable

Vulnerable Software	Affected Versions
Fedoraproject Fedora	Version 38

Configuration C

2 vulnerable

Vulnerable Software	Affected Versions
Redhat Enterprise Linux	Version 8.0
Redhat Enterprise Linux	Version 9.0

Related CWEs

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

The product contains a code sequence that can run concurrently with other code, and the code sequence requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence that is operating concurrently.

References (10)

https://access.redhat.com/security/cve/CVE-2023-1672

Source: secalert@redhat.com

Third Party Advisory

https://bugzilla.redhat.com/show_bug.cgi?id=2180999

Source: secalert@redhat.com

Issue TrackingPatchThird Party Advisory

https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096

Source: secalert@redhat.com

Patch

https://lists.debian.org/debian-lts-announce/2023/11/msg00004.html

Source: secalert@redhat.com

https://www.openwall.com/lists/oss-security/2023/06/15/1

Source: secalert@redhat.com

ExploitMailing ListThird Party Advisory

https://access.redhat.com/security/cve/CVE-2023-1672