CVE-2024-47742
- ULN >
- Oracle Linux CVE repository >
- CVE-2024-47742
CVE Details
| Release Date: | 2024-10-21 |
Description
In the Linux kernel, the following vulnerability has been resolved:\nfirmware_loader: Block path traversal\nMost firmware names are hardcoded strings, or are constructed from fairly\nconstrained format strings where the dynamic parts are just some hex\nnumbers or such.\nHowever, there are a couple codepaths in the kernel where firmware file\nnames contain string components that are passed through from a device or\nsemi-privileged userspace; the ones I could find (not counting interfaces\nthat require root privileges) are:\n- lpfc_sli4_request_firmware_update() seems to construct the firmware\nfilename from 'ModelName', a string that was previously parsed out of\nsome descriptor ('Vital Product Data') in lpfc_fill_vpd()\n- nfp_net_fw_find() seems to construct a firmware filename from a model\nname coming from nfp_hwinfo_lookup(pf->hwinfo, 'nffw.partno'), which I\nthink parses some descriptor that was read from the device.\n(But this case likely isn't exploitable because the format string looks\nlike 'netronome/nic_%s', and there shouldn't be any *folders* starting\nwith 'netronome/nic_'. The previous case was different because there,\nthe '%s' is *at the start* of the format string.)\n- module_flash_fw_schedule() is reachable from the\nETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as\nGENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is\nenough to pass the privilege check), and takes a userspace-provided\nfirmware name.\n(But I think to reach this case, you need to have CAP_NET_ADMIN over a\nnetwork namespace that a special kind of ethernet device is mapped into,\nso I think this is not a viable attack path in practice.)\nFix it by rejecting any firmware names containing '..' path components.\nFor what it's worth, I went looking and haven't found any USB device\ndrivers that use the firmware loader dangerously.
See more information about CVE-2024-47742 from MITRE CVE dictionary and NIST NVD
NOTE: The following CVSS metrics and score provided are preliminary and subject to review.
CVSS v3 metrics
| Base Score: | 7.8 |
| Vector String: | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| Version: | 3.1 |
| Attack Vector: | Local |
| Attack Complexity: | Low |
| Privileges Required: | Low |
| User Interaction: | None |
| Scope: | Unchanged |
| Confidentiality: | High |
| Integrity: | High |
| Availability: | High |
Errata information
| Platform | Errata | Release Date |
| Oracle Linux version 7 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
| Oracle Linux version 8 (kernel-uek) | ELSA-2024-12884 | 2024-12-16 |
This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections:
- Oracle customers - enter a support request
- Vulnerability scanning tools vendors and project maintainers - follow the standard ISV process
