CVE-2023-6377
📋 TL;DR
This vulnerability in xorg-server allows out-of-bounds memory reads and writes when an X client queries or changes XKB button actions, for example when a device's button set changes such as moving from a touchpad to a mouse. Any client that can connect to the X server can trigger it, so it can enable local privilege escalation where the server runs as root, and code execution on the machine that owns the display when X11 forwarding is used. Systems running an affected build of the X server (Xorg, Xwayland, or an embedded copy such as TigerVNC's Xvnc) that accepts connections from untrusted clients are at risk.
💻 Affected Systems
- xorg-server (Xorg and Xwayland, and builds that embed it such as TigerVNC's Xvnc)
📦 What is this software?
xorg-server is the X.Org X server, the display server behind Xorg and Xwayland. TigerVNC's Xvnc server is built from the xorg-server sources, which is why the TigerVNC advisories appear alongside the X server ones in the references below.
⚠️ Risk & Real-World Impact
Worst Case
A malicious X client, for example a program running on the remote end of an SSH session with X11 forwarding, gains code execution in the X server process on the machine that owns the display, leading to full compromise of that machine where the server runs as root
Likely Case
A local user who can reach the X server (any logged-in session, or a client holding the display's authorization cookie) escalates to root on systems where Xorg still runs as root; on rootless Xorg or Xwayland setups the result is code execution as the session user
If Mitigated
A crash of the X server (denial of service that takes the graphical or VNC session down with it) or limited information disclosure if exploitation is stopped by memory protections
🎯 Exploit Status
Requires a connection to the vulnerable X server: a local account on the host, or control of a program whose windows are displayed through X11 forwarding or a VNC session. Turning the out-of-bounds read and write into reliable code execution requires specific memory-layout conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Upstream fix in xorg-server 21.1.10 and xwayland 23.2.3; distribution package versions vary, check the vendor advisory for your release
Vendor Advisory: https://access.redhat.com/errata/RHSA-2023:7886
Restart Required: Yes. The package update does not touch the running X server; log out of every graphical and VNC session (or reboot) so the patched binary is started.
Instructions:
1. Update the X server packages using your distribution's package manager.
2. Red Hat family: 'dnf update "xorg-x11-server*" "tigervnc*"' (use 'yum' on older releases). Debian and Ubuntu: 'apt install xserver-xorg-core xwayland'.
3. Restart every X11 and VNC session, or reboot the system.
🔧 Temporary Workarounds
Disable X11 Forwarding
Linux: prevent remote exploitation by disabling X11 forwarding in SSH. With forwarding, the X server at risk is the one on the SSH client's machine, so both ends matter.
On SSH servers set 'X11Forwarding no' in /etc/ssh/sshd_config (the OpenSSH default), then restart SSH: 'systemctl restart sshd' (the unit is 'ssh' on Debian-based systems).
On workstations set 'ForwardX11 no' in ~/.ssh/config or /etc/ssh/ssh_config and do not use 'ssh -X' or 'ssh -Y' to hosts you do not trust.
Restrict X11 Access
Linux: limit which clients may connect to the X server.
'xhost -' turns access control on, so only entries in the access list may connect; 'xhost +si:localuser:username' allows a specific local user. Never run 'xhost +', which disables access control entirely.
xhost settings do not survive an X server restart, and they do not stop a client that already holds the display's authorization cookie (anything running inside the session), so this only narrows the attack surface.
🧯 If You Can't Patch
- Disable X11 forwarding completely in SSH and application configurations
- Implement strict access controls and monitor for unusual X11 activity
🔍 How to Verify
Check if Vulnerable:
Check the installed X server packages: 'rpm -q xorg-x11-server-Xorg xorg-x11-server-Xwayland tigervnc-server' (Red Hat family) or 'dpkg -l xserver-xorg-core xwayland' (Debian and Ubuntu)
Check Version:
'Xorg -version' or 'Xwayland -version' prints the upstream X server version; anything below 21.1.10 (Xorg) or 23.2.3 (Xwayland) is unpatched unless the distribution backported the fix
Verify Fix Applied:
Distributions backport fixes without changing the upstream version number, so compare the installed package version with the one in the vendor advisory, or look for the CVE id in the package changelog: 'rpm -q --changelog xorg-x11-server-Xorg | grep CVE-2023-6377' (Red Hat) or 'zcat /usr/share/doc/xserver-xorg-core/changelog.Debian.gz | grep CVE-2023-6377' (Debian)
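The version check above as an added shell example; this is not code from the advisory or from the X.Org project. It parses the output of 'Xorg -version', compares the version with the upstream release that fixed the issue, and shows where the distribution changelog check is needed instead. The sample 'Xorg -version' output is constructed.

```shell
#!/bin/sh
# Added example for the CVE-2023-6377 version check; not part of the advisory
# or of the X.Org project. Upstream fixed releases: xorg-server 21.1.10 and
# xwayland 23.2.3. Distribution packages often backport the fix under an older
# version number, so this comparison is only meaningful for upstream builds.

FIXED_XORG="21.1.10"
FIXED_XWAYLAND="23.2.3"

# version_ge A B: exit 0 when dotted version A is greater than or equal to B.
# Implemented in awk so it does not depend on GNU 'sort -V'.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# xserver_version_from_output TEXT: print the first dotted version found in
# the output of 'Xorg -version' or 'Xwayland -version' (the first line reads
# "X.Org X Server <version>"), or nothing if none is present.
xserver_version_from_output() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# check_xserver_version VER FIXED: print "fixed" or "vulnerable" for an
# upstream version string, or "unknown" when VER is empty.
check_xserver_version() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if version_ge "$1" "$2"; then echo fixed; else echo vulnerable; fi
}

# Constructed sample of 'Xorg -version' output from an unpatched server.
SAMPLE_XORG_OUTPUT='X.Org X Server 21.1.9
X Protocol Version 11, Revision 0
Current Operating System: Linux ws01 6.1.0-13-amd64 #1 SMP x86_64'

# On a live system replace the sample with:  Xorg -version 2>&1
ver="$(xserver_version_from_output "$SAMPLE_XORG_OUTPUT")"
echo "Xorg $ver: $(check_xserver_version "$ver" "$FIXED_XORG")"

# For distribution packages compare against the advisory's package version or
# look for the CVE id in the package changelog, for example:
#   rpm -q --changelog xorg-x11-server-Xorg | grep -c CVE-2023-6377          (Red Hat)
#   zcat /usr/share/doc/xserver-xorg-core/changelog.Debian.gz | grep -c CVE-2023-6377   (Debian)
```

The awk comparison treats each dotted component numerically, so 21.1.10 correctly sorts after 21.1.9, which a plain string comparison would get wrong.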
📡 Detection & Monitoring
Log Indicators:
- X server crash markers in /var/log/Xorg.0.log (or ~/.local/share/xorg/Xorg.0.log for a rootless server, and the journal for servers started by a display manager): '(EE) Backtrace:', '(EE) Segmentation fault at address', 'Caught signal 11'
- Repeated X server crashes on a host shortly after a user session, SSH session with forwarding, or VNC connection starts
- Crash backtraces that pass through XKB or XInput request handling; routine 'XKB:' lines in the log are normal and not an indicator on their own
Network Indicators:
- X11 forwarding connections from unexpected sources
- Direct TCP connections to X display ports (6000-6063) on hosts whose X server should only listen on a Unix socket
SIEM Query:
source="Xorg.0.log" AND ("Segmentation fault at address" OR "Caught signal 11" OR "Backtrace:")
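The log indicators above as an added shell example; this is not code from the advisory or from the X.Org project. It extracts crash events from an Xorg log by matching the markers the server's own signal handler writes, and reports the timestamp, faulting address and innermost backtrace frame of each. The log excerpt is constructed, including its frame names; a crash found this way is evidence of memory corruption in the server, not proof that CVE-2023-6377 was the cause.

```shell
#!/bin/sh
# Added example for the detection section; not from the advisory or the
# X.Org project. Extracts X server crash events from an Xorg log by matching
# the lines the server writes when it catches a fatal signal:
# "(EE) Backtrace:", "(EE) N: <frame>" and
# "(EE) Segmentation fault at address <addr>".

# xorg_crash_events LOGTEXT: print one line per crash as
# "<timestamp> <fault address> <innermost frame>"; exit 1 if none found.
xorg_crash_events() {
    printf '%s\n' "$1" | awk '
        /\(EE\) Backtrace:/ { inbt = 1; frame = ""; next }
        inbt && /\(EE\) [0-9]+: / {
            # keep the first (innermost) frame; the symbol is the text in parentheses
            if (frame == "") {
                line = $0
                sub(/^.*\(EE\) [0-9]+: /, "", line)
                if (match(line, /\([^)]*\)/)) frame = substr(line, RSTART + 1, RLENGTH - 2)
            }
            next
        }
        /\(EE\) Segmentation fault at address/ {
            # timestamp is the bracketed uptime at the start of the line
            ts = "-"
            if (match($0, /^\[ *[0-9]+\.[0-9]+\]/)) {
                ts = substr($0, RSTART + 1, RLENGTH - 2)
                sub(/^ */, "", ts)
            }
            n++
            print ts, $NF, (frame == "" ? "-" : frame)
            inbt = 0; frame = ""
        }
        END { exit (n > 0 ? 0 : 1) }'
}

# xorg_crash_count LOGTEXT: print the number of crash events (0 if none).
xorg_crash_count() {
    xorg_crash_events "$1" | wc -l | tr -d ' '
}

# Constructed Xorg.0.log excerpt (not a real crash capture). The "XKB:" line
# is routine noise; the crash block is what the detection keys on.
SAMPLE_XORG_LOG='[  4281.112] (II) event5  - Logitech USB Receiver Mouse: device is a pointer
[  4281.113] (II) XINPUT: Adding extended input device "Logitech USB Receiver Mouse" (type: MOUSE, id 10)
[  4281.114] (II) XKB: reuse xkmfile /var/lib/xkb/server-0.xkm
[  4282.500] (EE)
[  4282.500] (EE) Backtrace:
[  4282.500] (EE) 0: /usr/libexec/Xorg (OsLookupColor+0x139) [0x55d0c2a7a1b9]
[  4282.500] (EE) 1: /lib64/libc.so.6 (__restore_rt+0x0) [0x7f3b8e05a9a0]
[  4282.500] (EE) 2: /usr/libexec/Xorg (ProcXkbDispatch+0x2a2) [0x55d0c29f12d2]
[  4282.501] (EE)
[  4282.501] (EE) Segmentation fault at address 0x7f3b8f1c4000
[  4282.501] (EE)
Fatal server error:
[  4282.501] (EE) Caught signal 11 (Segmentation fault). Server aborting
[  4282.501] (EE)'

# On a live system pass the real log instead of the sample, for example:
#   xorg_crash_events "$(cat /var/log/Xorg.0.log)"
#   xorg_crash_events "$(cat ~/.local/share/xorg/Xorg.0.log)"   # rootless Xorg
if xorg_crash_events "$SAMPLE_XORG_LOG"; then
    echo "X server crash(es) found; review the full backtrace and the XKB/XInput context around it"
else
    echo "no X server crash markers"
fi
```

The innermost frame in a real Xorg backtrace is often the signal-handler artefact OsLookupColor, so the frames below it are the ones worth reading when deciding whether a crash touched XKB or XInput code.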
🔗 References
- https://access.redhat.com/errata/RHSA-2023:7886
- https://access.redhat.com/errata/RHSA-2024:0006
- https://access.redhat.com/errata/RHSA-2024:0009
- https://access.redhat.com/errata/RHSA-2024:0010
- https://access.redhat.com/errata/RHSA-2024:0014
- https://access.redhat.com/errata/RHSA-2024:0015
- https://access.redhat.com/errata/RHSA-2024:0016
- https://access.redhat.com/errata/RHSA-2024:0017
- https://access.redhat.com/errata/RHSA-2024:0018
- https://access.redhat.com/errata/RHSA-2024:0020
- https://access.redhat.com/errata/RHSA-2024:2169
- https://access.redhat.com/errata/RHSA-2024:2170
- https://access.redhat.com/errata/RHSA-2024:2995
- https://access.redhat.com/errata/RHSA-2024:2996
- https://access.redhat.com/errata/RHSA-2025:13998
- https://access.redhat.com/security/cve/CVE-2023-6377
- https://bugzilla.redhat.com/show_bug.cgi?id=2253291
- https://gitlab.freedesktop.org/xorg/xserver/-/commit/0c1a93d319558fe3ab2d94f51d174b4f93810afd
- https://lists.x.org/archives/xorg-announce/2023-December/003435.html
- http://www.openwall.com/lists/oss-security/2023/12/13/1
- https://lists.debian.org/debian-lts-announce/2023/12/msg00008.html
- https://lists.debian.org/debian-lts-announce/2023/12/msg00013.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6R63Z6GIWM3YUNZRCGFODUXLW3GY2HD6/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/7PP47YXKM5ETLCYEF6473R3VFCJ6QT2S/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IFHV5KCQ2SVOD4QMCPZ5HC6YL44L7YJD/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LJDFWDB7EQVZA45XDP7L5WRSRWS6RVRR/
- https://lists.x.org/archives/xorg-announce/2023-December/003435.html
- https://security.gentoo.org/glsa/202401-30
- https://security.netapp.com/advisory/ntap-20240125-0003/
- https://www.debian.org/security/2023/dsa-5576