CVE-2023-0494
📋 TL;DR
CVE-2023-0494 is a dangling pointer in DeepCopyPointerClasses in the X.Org server that attackers can exploit via the ProcXkbSetDeviceInfo() and ProcXkbGetDeviceInfo() functions. This can lead to local privilege escalation on systems where the X server runs privileged, and to remote code execution in SSH X forwarding sessions. Systems running the X.Org server with the XKB extension enabled are affected.
💻 Affected Systems
- X.Org X Server
📦 What is this software?
- Enterprise Linux for IBM Z Systems by Red Hat
- Enterprise Linux for IBM Z Systems EUS by Red Hat
- Enterprise Linux for Power Big Endian by Red Hat
- Enterprise Linux for Power Little Endian by Red Hat
- Enterprise Linux for Power Little Endian EUS by Red Hat
- Enterprise Linux for Scientific Computing by Red Hat
- Enterprise Linux Server Update Services for SAP Solutions by Red Hat
- Enterprise Linux Server Workstation by Red Hat
- Fedora by Fedora Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via remote code execution through SSH X forwarding, allowing attackers to execute arbitrary code with X server privileges.
Likely Case
Local privilege escalation on multi-user systems where attackers can gain elevated privileges by exploiting the X server running with higher permissions.
If Mitigated
Limited impact on systems with X server running unprivileged or with XKB extension disabled.
🎯 Exploit Status
Exploitation requires access to X server connection, either locally or via SSH X forwarding. No public exploit code has been confirmed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: X.Org server with commit 0ba6d8c37071131a49790243cdac55392ecf71ec or later
Vendor Advisory: https://lists.x.org/archives/xorg-announce/2023-February/003320.html
Restart Required: Yes
Instructions:
1. Update X.Org server package from your distribution's repositories.
2. For Red Hat/CentOS/Fedora: 'sudo yum update xorg-x11-server'.
3. For Debian/Ubuntu: 'sudo apt update && sudo apt upgrade xserver-xorg-core'.
4. Restart X server or reboot system.
🔧 Temporary Workarounds
Disable XKB Extension
Platform: Linux. Disable the X Keyboard extension to prevent exploitation of this vulnerability
Add 'Option "AutoAddDevices" "false"' to xorg.conf
Add 'Option "AllowEmptyInput" "false"' to xorg.conf
Run X Server Unprivileged
Platform: Linux. Run X server with reduced privileges to limit impact of potential exploitation
Configure X server to run as non-root user where possible
🧯 If You Can't Patch
- Disable SSH X forwarding by setting 'X11Forwarding no' in sshd_config
- Implement network segmentation to isolate X server traffic and limit access
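A check for the 'X11Forwarding no' mitigation above, as an added example that is not part of the original advisory. It reports the global setting and any Match block that re-enables forwarding; the function name x11fwd_audit and the sample file are constructed for illustration, and Include files are not followed.

```shell
#!/bin/sh
# Added example (not from the advisory). x11fwd_audit FILE prints one
# "<scope> <value>" line per scope and returns 1 if any scope enables
# X11 forwarding, 0 otherwise. Include files are not followed (assumption).
x11fwd_audit() {
    awk '
    function trim(s) { gsub(/^[ \t]+|[ \t\r]+$/, "", s); return s }
    BEGIN { scope = "global"; n = 0 }
    {
        line = trim($0)
        if (line == "" || line ~ /^#/) next
        if (!match(line, /^[^ \t=]+/)) next
        key = tolower(substr(line, 1, RLENGTH))      # keywords are case-insensitive
        val = trim(substr(line, RLENGTH + 1))
        sub(/^=[ \t]*/, "", val)                     # tolerate "key = value"
        gsub(/"/, "", val)                           # arguments may be quoted
        if (key == "match") { scope = "match " val; next }
        # sshd keeps the first value it sees for a keyword, so later
        # duplicates in the same scope are ignored.
        if (key == "x11forwarding" && !(scope in seen)) {
            seen[scope] = tolower(val)
            order[++n] = scope
        }
    }
    END {
        g = ("global" in seen) ? seen["global"] : "no"   # sshd default is "no"
        print "global " g
        bad = (g == "yes")
        for (i = 1; i <= n; i++) {
            s = order[i]
            if (s == "global") continue
            print s " " seen[s]
            if (seen[s] == "yes") bad = 1
        }
        exit bad
    }' "$1"
}

# Constructed sample: the global setting is safe, a Match block is not.
sample=$(mktemp)
cat > "$sample" <<'EOF'
X11Forwarding no
Match Group admins
    X11Forwarding yes
EOF
if x11fwd_audit "$sample"; then
    echo "OK: X11 forwarding disabled in every scope"
else
    echo "FINDING: X11 forwarding enabled in at least one scope"
fi
rm -f "$sample"
```

On a live host, 'sshd -T' run as root prints the effective configuration, including any Include files this sketch skips.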
🔍 How to Verify
Check if Vulnerable:
Check X.Org server version: 'Xorg -version' and compare with patched versions from vendor advisories
Check Version:
Xorg -version 2>&1 | grep -i 'x.org'
Verify Fix Applied:
Verify X.Org server version includes commit 0ba6d8c37071131a49790243cdac55392ecf71ec or check package version against distribution security advisories
📡 Detection & Monitoring
Log Indicators:
- Unusual X server crashes or segmentation faults
- Suspicious XKB-related requests in X server logs
Network Indicators:
- Unusual SSH X forwarding connections
- Suspicious X protocol traffic patterns
SIEM Query:
source="xorg.log" AND ("segmentation fault" OR "XKB" OR "DeepCopyPointerClasses")
🔗 References
- https://bugzilla.redhat.com/show_bug.cgi?id=2165995
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/0ba6d8c37071131a49790243cdac55392ecf71ec
- https://lists.x.org/archives/xorg-announce/2023-February/003320.html
- https://security.gentoo.org/glsa/202305-30