CVE-2023-1672: Race condition exists in the key generation and rotation functionality
First published: Wed Mar 22 2023(Updated: )
A race condition exists in the Tang server functionality for key generation and key rotation, which results in a small time window where Tang private keys become readable by other processes on the same host. References: <a class="bz_bug_link bz_secure " title="" href="show_bug.cgi?id=2180990">https://bugzilla.redhat.com/show_bug.cgi?id=2180990</a>
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/tang | <14.1 | 14.1 |
| Tang Project Tang | <14 | |
| Fedoraproject Fedora | =38 | |
| Red Hat Enterprise Linux | =8.0 | |
| Red Hat Enterprise Linux | =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2023-1672
- https://www.openwall.com/lists/oss-security/2023/06/15/1
- https://bugzilla.redhat.com/show_bug.cgi?id=2180999
- https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096
- https://www.cve.org/CVERecord?id=CVE-2023-1672 https://nvd.nist.gov/vuln/detail/CVE-2023-1672 https://github.com/latchset/tang/commit/8dbbed10870378f1b2c3cf3df2ea7edca7617096 https://www.openwall.com/lists/oss-security/2023/06/15/1
- https://lists.debian.org/debian-lts-announce/2023/11/msg00004.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2180990
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2215313
- https://access.redhat.com/errata/RHSA-2023:6492
- https://access.redhat.com/errata/RHSA-2023:7022
Frequently Asked Questions
What is CVE-2023-1672?
CVE-2023-1672 is a vulnerability that exists in the Tang server functionality for key generation and key rotation, allowing Tang private keys to become readable by other processes on the same host.
What is the severity of CVE-2023-1672?
The severity of CVE-2023-1672 is medium with a CVSS score of 5.3.
Which software is affected by CVE-2023-1672?
The Tang server functionality in tang_project:tang up to version 14, fedoraproject:fedora version 38, redhat:enterprise_linux version 8.0, and redhat:enterprise_linux version 9.0 are affected by CVE-2023-1672.
How can I fix CVE-2023-1672?
You can fix CVE-2023-1672 by updating the Tang server software to a version that addresses the race condition vulnerability.
Where can I find more information about CVE-2023-1672?
You can find more information about CVE-2023-1672 on the Red Hat Security Advisory and the Openwall mailing list.
- collector/nvd-latest
- collector/redhat-cve
- agent/author
- agent/type
- agent/first-publish-date
- agent/remedy
- agent/severity
- agent/references
- agent/title
- agent/weakness
- agent/description
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2023-1672
- agent/software-canonical-lookup
- agent/tags
- agent/softwarecombine
- agent/event
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-api
- package-manager/redhat
- vendor/tang project
- canonical/tang project tang
- vendor/fedoraproject
- canonical/fedoraproject fedora
- version/fedoraproject fedora/38
- vendor/redhat
- canonical/red hat enterprise linux
- version/red hat enterprise linux/8.0
- version/red hat enterprise linux/9.0