CVE-2023-6377 is a vulnerability identified in the xorg-server component of Red Hat Enterprise Linux 6 Extended Lifecycle Support. The flaw arises from improper handling of X Keyboard Extension (XKB) button actions, specifically when querying or changing input device configurations, such as switching from a touchpad to a mouse. This leads to out-of-bounds memory reads and writes, which can corrupt memory and potentially allow an attacker to escalate privileges locally. In environments where X11 forwarding is enabled—commonly used to run graphical applications remotely—this vulnerability could be exploited remotely to execute arbitrary code. The vulnerability has a CVSS 3.1 base score of 7.8, indicating high severity, with attack vector local, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality, integrity, and availability. Although no exploits are currently known in the wild, the flaw presents a significant risk due to the potential for privilege escalation and remote code execution. The vulnerability affects legacy systems still running RHEL 6 Extended Lifecycle Support, which are often found in environments requiring long-term stability and legacy application support. The technical root cause is an out-of-bounds memory access triggered by XKB button action queries or changes, which can be manipulated by an attacker with local access or via X11 forwarding. This vulnerability underscores the risks associated with legacy software and the importance of maintaining updated systems or applying backported patches.

For European organizations, the impact of CVE-2023-6377 is significant, particularly for those relying on legacy Red Hat Enterprise Linux 6 Extended Lifecycle Support systems with graphical interfaces and X11 forwarding enabled. Successful exploitation can lead to local privilege escalation, allowing attackers to gain root-level access from a lower-privileged account, thereby compromising system integrity and confidentiality. In cases where X11 forwarding is used, remote code execution becomes possible, increasing the attack surface and risk of lateral movement within networks. This can affect critical infrastructure, government agencies, financial institutions, and enterprises that maintain legacy systems for operational continuity. The compromise of such systems could lead to data breaches, service disruptions, and unauthorized control over critical assets. Given the high CVSS score and the potential for full system compromise, organizations face risks to availability, confidentiality, and integrity of their systems and data.

Organizations should prioritize applying any available patches or updates from Red Hat addressing this vulnerability as soon as they are released. Until patches are available, it is advisable to disable or restrict X11 forwarding, especially for untrusted users or networks, to reduce the risk of remote exploitation. Limiting user privileges and enforcing the principle of least privilege can mitigate the impact of local exploitation. Monitoring and logging of X11 sessions and input device changes can help detect suspicious activities. Additionally, organizations should consider migrating from RHEL 6 Extended Lifecycle Support to more current, supported versions of Red Hat Enterprise Linux to benefit from ongoing security updates. Network segmentation and strict access controls around legacy systems can further reduce exposure. Employing application whitelisting and endpoint detection and response (EDR) solutions can help detect and prevent exploitation attempts. Finally, educating system administrators about the risks of legacy software and the importance of timely patching is critical.