偵測

Azure Linux 3.0 安全性更新核心 (CVE-2024-46693)

medium Nessus Plugin ID 295820

語言:

概要

遠端 Azure Linux 主機缺少一個或多個安全性更新。

說明

遠端 Azure Linux 3.0 主機上安裝的核心版本比測試版舊。因此,此版本會受到 CVE-2024-46693 公告中提及的一個弱點影響。

 - 已解決 Linux 核心中的下列弱點:soc: qcom: pmic_glink: Fix race during initialization As pointed out by Stephen Boyd it is possible that during initialization of the pmic_glink child drivers, the protection-domain notifiers fires, and the associated work is scheduled, before the client registration returns and as a result the local client pointer has been initialized. The outcome of this is a NULL pointer dereference as the client pointer is blindly dereferenced. Timeline provided by Stephen: CPU0 CPU1 ---- ---- ucsi->client = NULL; devm_pmic_glink_register_client() client->pdr_notify(client->priv, pg->client_state) pmic_glink_ucsi_pdr_notify() schedule_work(&ucsi->register_work) <schedule away> pmic_glink_ucsi_register() ucsi_register() pmic_glink_ucsi_read_version() pmic_glink_ucsi_read() pmic_glink_ucsi_read() pmic_glink_send(ucsi->client) <client is NULL BAD> ucsi->client = client // Too late! This code is identical across the altmode, battery manager and usci child drivers. Resolve this by splitting the allocation of the client object and the registration thereof into two operations. This only happens if the protection domain registry is populated at the time of registration, which by the introduction of commit '1ebcde047c54 (soc: qcom: add pd-mapper implementation)' became much more likely. (CVE-2024-46693)

請注意,Nessus 並未測試此問題,而是僅依據應用程式自我報告的版本號碼作出判斷。

解決方案

更新受影響的套件。

另請參閱

https://nvd.nist.gov/vuln/detail/CVE-2024-46693

Plugin 詳細資訊

嚴重性: Medium

ID: 295820

檔案名稱: azure_linux_CVE-2024-46693.nasl

版本: 1.1

類型: local

已發布: 2026/1/22

已更新: 2026/1/22

支援的感應器: Nessus

風險資訊

VPR

風險因素: Medium

分數: 4.4

CVSS v2

風險因素: Low

基本分數: 3.8

時間性分數: 2.8

媒介: CVSS2#AV:L/AC:H/Au:S/C:N/I:N/A:C

CVSS 評分資料來源: CVE-2024-46693

CVSS v3

風險因素: Medium

基本分數: 4.7

時間性分數: 4.1

媒介: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

時間媒介: CVSS:3.0/E:U/RL:O/RC:C

弱點資訊

CPE: p-cpe:/a:microsoft:azure_linux:kernel-debuginfo, p-cpe:/a:microsoft:azure_linux:kernel-devel, p-cpe:/a:microsoft:azure_linux:kernel-drivers-gpu, p-cpe:/a:microsoft:azure_linux:python3-perf, p-cpe:/a:microsoft:azure_linux:kernel-docs, x-cpe:/o:microsoft:azure_linux, p-cpe:/a:microsoft:azure_linux:kernel, p-cpe:/a:microsoft:azure_linux:kernel-drivers-sound, p-cpe:/a:microsoft:azure_linux:bpftool, p-cpe:/a:microsoft:azure_linux:kernel-drivers-accessibility, p-cpe:/a:microsoft:azure_linux:kernel-tools

必要的 KB 項目: Host/local_checks_enabled, Host/AzureLinux/release, Host/AzureLinux/rpm-list, Host/cpu

可輕鬆利用: No known exploits are available

修補程式發佈日期: 2024/10/8

弱點發布日期: 2024/9/13

參考資訊

CVE: CVE-2024-46693