CVE-2024-36963

{"id": "CVE-2024-36963", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.8}]}, "published": "2024-06-03T08:15:09.820", "references": [{"url": "https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54", "source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}, {"url": "https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78", "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54", "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Reset permissions on remount if permissions are options\n\nThere's an inconsistency with the way permissions are handled in tracefs.\nBecause the permissions are generated when accessed, they default to the\nroot inode's permission if they were never set by the user. If the user\nsets the permissions, then a flag is set and the permissions are saved via\nthe inode (for tracefs files) or an internal attribute field (for\neventfs).\n\nBut if a remount happens that specify the permissions, all the files that\nwere not changed by the user gets updated, but the ones that were are not.\nIf the user were to remount the file system with a given permission, then\nall files and directories within that file system should be updated.\n\nThis can cause security issues if a file's permission was updated but the\nadmin forgot about it. They could incorrectly think that remounting with\npermissions set would update all files, but miss some.\n\nFor example:\n\n # cd /sys/kernel/tracing\n # chgrp 1002 current_tracer\n # ls -l\n[..]\n -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb\n -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb\n -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb\n -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer\n -rw-r----- 1 root root 0 May 1 21:25 dynamic_events\n -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info\n -r--r----- 1 root root 0 May 1 21:25 enabled_functions\n\nWhere current_tracer now has group \"lkp\".\n\n # mount -o remount,gid=1001 .\n # ls -l\n -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb\n -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb\n -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb\n -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer\n -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events\n -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info\n -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions\n\nEverything changed but the \"current_tracer\".\n\nAdd a new link list that keeps track of all the tracefs_inodes which has\nthe permission flags that tell if the file/dir should use the root inode's\npermission or not. Then on remount, clear all the flags so that the\ndefault behavior of using the root inode's permission is done for all\nfiles and directories."}, {"lang": "es", "value": "En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tracefs: restablece los permisos al volver a montar si los permisos son opciones. Hay una inconsistencia en la forma en que se manejan los permisos en tracefs. Debido a que los permisos se generan cuando se accede a ellos, de forma predeterminada son los permisos del inodo ra\u00edz si el usuario nunca los configur\u00f3. Si el usuario establece los permisos, entonces se establece una bandera y los permisos se guardan a trav\u00e9s del inodo (para archivos tracefs) o un campo de atributo interno (para eventfs). Pero si ocurre un reinicio que especifica los permisos, todos los archivos que no fueron modificados por el usuario se actualizan, pero los que s\u00ed no lo fueron. Si el usuario volviera a montar el sistema de archivos con un permiso determinado, entonces todos los archivos y directorios dentro de ese sistema de archivos deber\u00edan actualizarse. Esto puede causar problemas de seguridad si se actualiz\u00f3 el permiso de un archivo pero el administrador lo olvid\u00f3. Podr\u00edan pensar incorrectamente que volver a montar con los permisos establecidos actualizar\u00eda todos los archivos, pero perder\u00eda algunos. Por ejemplo: # cd /sys/kernel/tracing # chgrp 1002 current_tracer # ls -l [..] -rw-r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_size_kb -rw-r---- - 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_subbuf_size_kb -r--r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_total_size_kb -rw-r----- 1 ra\u00edz lkp 0 1 de mayo 21:25 current_tracer -rw-r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 Dynamic_events -r--r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 dyn_ftrace_total_info -r--r----- 1 root root 0 1 de mayo 21:25 enable_functions Donde current_tracer ahora tiene el grupo \"lkp\". # montar -o remontar, gid=1001. # ls -l -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_size_kb -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_subbuf_size_kb -r--r--- -- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_total_size_kb -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 current_tracer -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 Dynamic_events -r--r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 dyn_ftrace_total_info -r--r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 enable_functions Todo cambi\u00f3 excepto el \"current_tracer\". Agregue una nueva lista de enlaces que realice un seguimiento de todos los tracefs_inodes que tienen indicadores de permiso que indican si el archivo/directorio debe usar el permiso del inodo ra\u00edz o no. Luego, al volver a montar, borre todas las banderas para que el comportamiento predeterminado de usar el permiso del inodo ra\u00edz se realice para todos los archivos y directorios."}], "lastModified": "2025-05-20T14:15:26.620", "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67"}