CVE-2023-53599
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's crypto subsystem affects the af_alg interface when processing empty ciphertext with the gcm-aes-s390 driver. This causes a kernel oops (crash) on s390x systems, potentially leading to denial of service. Only Linux systems using the affected crypto driver on s390 architecture are impacted.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
Learn more about Linux Kernel →⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, requiring physical or remote console access to reboot.
Likely Case
System crash when processing specific malformed or empty cryptographic data through the affected interface.
If Mitigated
No impact if the vulnerable crypto driver is not loaded or not used.
🎯 Exploit Status
Requires local access and ability to interact with crypto APIs. No known public exploits.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in kernel commits 2c9d205040d7c0eaccc473917f9b0bb0a923e440 and 6a4b8aa0a916b39a39175584c07222434fa6c6ef
Vendor Advisory: https://git.kernel.org/stable/c/2c9d205040d7c0eaccc473917f9b0bb0a923e440
Restart Required: Yes
Instructions:
1. Update kernel to version containing the fix. 2. Check distribution-specific security advisories. 3. Reboot system to load patched kernel.
🔧 Temporary Workarounds
Unload vulnerable module
linuxPrevent loading of the gcm-aes-s390 crypto module
rmmod aes_s390
echo 'blacklist aes_s390' >> /etc/modprobe.d/blacklist.conf
Restrict AF_ALG socket access
linuxLimit which users can access the crypto socket interface
chmod 600 /dev/crypto
setfacl -m u:root:rw- /dev/crypto
🧯 If You Can't Patch
- Restrict local user access to prevent malicious users from triggering the vulnerability
- Monitor system logs for kernel oops messages related to gcm-aes-s390 or AF_ALG
🔍 How to Verify
Check if Vulnerable:
Check if running on s390x and if aes_s390 module is loaded: 'uname -m' and 'lsmod | grep aes_s390'Check Version:
uname -rVerify Fix Applied:
Check kernel version includes the fix commits or is newer than vulnerable versions📡 Detection & Monitoring
Log Indicators:
- Kernel oops messages mentioning gcm_walk_start, aes_s390, or AF_ALG
- System crash/panic logs
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
source="kernel" AND ("gcm_walk_start" OR "aes_s390" OR "AF_ALG" OR "NULL pointer dereference")