Linux Distros 未修補弱點:CVE-2024-57924
medium Nessus Plugin ID 231076
語言:
概要
Linux/Unix 主機上安裝的一個或多個套件存有弱點,供應商表示將不會修補。說明
Linux/Unix 主機上安裝了一個或多個受到弱點影響的套件,且供應商未提供可用的修補程式。- 在 Linux 核心中,已解決下列弱點: fs: relax assertions on failure to encode file handles Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle.
There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when
->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 (ovl: support encoding non-decodable file handles) in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6. (CVE-2024-57924)
請注意,Nessus 依賴供應商報告的套件存在。
解決方案
目前尚未有已知的解決方案。Plugin 詳細資訊
嚴重性: Medium
ID: 231076
檔案名稱: unpatched_CVE_2024_57924.nasl
版本: 1.1
類型: local
代理程式: unix
系列: Misc.
已發布: 2025/3/6
已更新: 2025/3/6
支援的感應器: Nessus Agent, Nessus
風險資訊
VPR
風險因素: Low
分數: 3.6
CVSS v2
風險因素: Medium
基本分數: 4.7
時間性分數: 3.5
媒介: CVSS2#AV:L/AC:M/Au:N/C:N/I:N/A:C
CVSS 評分資料來源: CVE-2024-57924
CVSS v3
風險因素: Medium
基本分數: 5.5
時間性分數: 4.8
媒介: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
時間媒介: CVSS:3.0/E:U/RL:O/RC:C
弱點資訊
必要的 KB 項目: Host/local_checks_enabled, Host/cpu, global_settings/vendor_unpatched
可輕鬆利用: No known exploits are available
弱點發布日期: 2025/1/19
參考資訊
CVE: CVE-2024-57924