CVE-2024-36963 (GCVE-0-2024-36963)
Vulnerability from cvelistv5
Published
2024-06-03 07:50
Modified
2025-05-20 14:07
Severity ?
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
In the Linux kernel, the following vulnerability has been resolved: tracefs: Reset permissions on remount if permissions are options There's an inconsistency with the way permissions are handled in tracefs. Because the permissions are generated when accessed, they default to the root inode's permission if they were never set by the user. If the user sets the permissions, then a flag is set and the permissions are saved via the inode (for tracefs files) or an internal attribute field (for eventfs). But if a remount happens that specify the permissions, all the files that were not changed by the user gets updated, but the ones that were are not. If the user were to remount the file system with a given permission, then all files and directories within that file system should be updated. This can cause security issues if a file's permission was updated but the admin forgot about it. They could incorrectly think that remounting with permissions set would update all files, but miss some. For example: # cd /sys/kernel/tracing # chgrp 1002 current_tracer # ls -l [..] -rw-r----- 1 root root 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root root 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root root 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root root 0 May 1 21:25 dynamic_events -r--r----- 1 root root 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root root 0 May 1 21:25 enabled_functions Where current_tracer now has group "lkp". # mount -o remount,gid=1001 . # ls -l -rw-r----- 1 root tracing 0 May 1 21:25 buffer_size_kb -rw-r----- 1 root tracing 0 May 1 21:25 buffer_subbuf_size_kb -r--r----- 1 root tracing 0 May 1 21:25 buffer_total_size_kb -rw-r----- 1 root lkp 0 May 1 21:25 current_tracer -rw-r----- 1 root tracing 0 May 1 21:25 dynamic_events -r--r----- 1 root tracing 0 May 1 21:25 dyn_ftrace_total_info -r--r----- 1 root tracing 0 May 1 21:25 enabled_functions Everything changed but the "current_tracer". Add a new link list that keeps track of all the tracefs_inodes which has the permission flags that tell if the file/dir should use the root inode's permission or not. Then on remount, clear all the flags so that the default behavior of using the root inode's permission is done for all files and directories.
References
Impacted products
Vendor Product Version
Linux Linux Version: 628adb842bd5e1c2c598534a7a022b8235289de6
Version: 8186fff7ab649085e2c60d032d9a20a85af1d87c
Version: 8186fff7ab649085e2c60d032d9a20a85af1d87c
Version: 9c2ac5e0ea7899411fd900d4681890722a020735
 Create a notification for this product.
Show details on NVD website

To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-36963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-20T14:06:38.590905Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-863",
                "description": "CWE-863 Incorrect Authorization",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-20T14:07:59.778Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T03:43:50.371Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c",
            "fs/tracefs/inode.c",
            "fs/tracefs/internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f91fc82794d4a6e41cdcd02d00baa377d94ca78",
              "status": "affected",
              "version": "628adb842bd5e1c2c598534a7a022b8235289de6",
              "versionType": "git"
            },
            {
              "lessThan": "414fb08628143203d29ccd0264b5a83fb9523c03",
              "status": "affected",
              "version": "8186fff7ab649085e2c60d032d9a20a85af1d87c",
              "versionType": "git"
            },
            {
              "lessThan": "baa23a8d4360d981a49913841a726edede5cdd54",
              "status": "affected",
              "version": "8186fff7ab649085e2c60d032d9a20a85af1d87c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9c2ac5e0ea7899411fd900d4681890722a020735",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/tracefs/event_inode.c",
            "fs/tracefs/inode.c",
            "fs/tracefs/internal.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.31",
                  "versionStartIncluding": "6.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.7.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntracefs: Reset permissions on remount if permissions are options\n\nThere\u0027s an inconsistency with the way permissions are handled in tracefs.\nBecause the permissions are generated when accessed, they default to the\nroot inode\u0027s permission if they were never set by the user. If the user\nsets the permissions, then a flag is set and the permissions are saved via\nthe inode (for tracefs files) or an internal attribute field (for\neventfs).\n\nBut if a remount happens that specify the permissions, all the files that\nwere not changed by the user gets updated, but the ones that were are not.\nIf the user were to remount the file system with a given permission, then\nall files and directories within that file system should be updated.\n\nThis can cause security issues if a file\u0027s permission was updated but the\nadmin forgot about it. They could incorrectly think that remounting with\npermissions set would update all files, but miss some.\n\nFor example:\n\n # cd /sys/kernel/tracing\n # chgrp 1002 current_tracer\n # ls -l\n[..]\n -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb\n -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb\n -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb\n -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer\n -rw-r-----  1 root root 0 May  1 21:25 dynamic_events\n -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info\n -r--r-----  1 root root 0 May  1 21:25 enabled_functions\n\nWhere current_tracer now has group \"lkp\".\n\n # mount -o remount,gid=1001 .\n # ls -l\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb\n -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb\n -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer\n -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events\n -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info\n -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions\n\nEverything changed but the \"current_tracer\".\n\nAdd a new link list that keeps track of all the tracefs_inodes which has\nthe permission flags that tell if the file/dir should use the root inode\u0027s\npermission or not. Then on remount, clear all the flags so that the\ndefault behavior of using the root inode\u0027s permission is done for all\nfiles and directories."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:56:37.338Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78"
        },
        {
          "url": "https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03"
        },
        {
          "url": "https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54"
        }
      ],
      "title": "tracefs: Reset permissions on remount if permissions are options",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36963",
    "datePublished": "2024-06-03T07:50:01.125Z",
    "dateReserved": "2024-05-30T15:25:07.081Z",
    "dateUpdated": "2025-05-20T14:07:59.778Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2024-36963\",\"sourceIdentifier\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"published\":\"2024-06-03T08:15:09.820\",\"lastModified\":\"2025-09-17T21:01:58.510\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracefs: Reset permissions on remount if permissions are options\\n\\nThere\u0027s an inconsistency with the way permissions are handled in tracefs.\\nBecause the permissions are generated when accessed, they default to the\\nroot inode\u0027s permission if they were never set by the user. If the user\\nsets the permissions, then a flag is set and the permissions are saved via\\nthe inode (for tracefs files) or an internal attribute field (for\\neventfs).\\n\\nBut if a remount happens that specify the permissions, all the files that\\nwere not changed by the user gets updated, but the ones that were are not.\\nIf the user were to remount the file system with a given permission, then\\nall files and directories within that file system should be updated.\\n\\nThis can cause security issues if a file\u0027s permission was updated but the\\nadmin forgot about it. They could incorrectly think that remounting with\\npermissions set would update all files, but miss some.\\n\\nFor example:\\n\\n # cd /sys/kernel/tracing\\n # chgrp 1002 current_tracer\\n # ls -l\\n[..]\\n -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb\\n -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb\\n -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb\\n -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer\\n -rw-r-----  1 root root 0 May  1 21:25 dynamic_events\\n -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info\\n -r--r-----  1 root root 0 May  1 21:25 enabled_functions\\n\\nWhere current_tracer now has group \\\"lkp\\\".\\n\\n # mount -o remount,gid=1001 .\\n # ls -l\\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb\\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb\\n -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb\\n -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer\\n -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events\\n -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info\\n -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions\\n\\nEverything changed but the \\\"current_tracer\\\".\\n\\nAdd a new link list that keeps track of all the tracefs_inodes which has\\nthe permission flags that tell if the file/dir should use the root inode\u0027s\\npermission or not. Then on remount, clear all the flags so that the\\ndefault behavior of using the root inode\u0027s permission is done for all\\nfiles and directories.\"},{\"lang\":\"es\",\"value\":\"En el kernel de Linux, se ha resuelto la siguiente vulnerabilidad: tracefs: restablece los permisos al volver a montar si los permisos son opciones. Hay una inconsistencia en la forma en que se manejan los permisos en tracefs. Debido a que los permisos se generan cuando se accede a ellos, de forma predeterminada son los permisos del inodo ra\u00edz si el usuario nunca los configur\u00f3. Si el usuario establece los permisos, entonces se establece una bandera y los permisos se guardan a trav\u00e9s del inodo (para archivos tracefs) o un campo de atributo interno (para eventfs). Pero si ocurre un reinicio que especifica los permisos, todos los archivos que no fueron modificados por el usuario se actualizan, pero los que s\u00ed no lo fueron. Si el usuario volviera a montar el sistema de archivos con un permiso determinado, entonces todos los archivos y directorios dentro de ese sistema de archivos deber\u00edan actualizarse. Esto puede causar problemas de seguridad si se actualiz\u00f3 el permiso de un archivo pero el administrador lo olvid\u00f3. Podr\u00edan pensar incorrectamente que volver a montar con los permisos establecidos actualizar\u00eda todos los archivos, pero perder\u00eda algunos. Por ejemplo: # cd /sys/kernel/tracing # chgrp 1002 current_tracer # ls -l [..] -rw-r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_size_kb -rw-r---- - 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_subbuf_size_kb -r--r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 buffer_total_size_kb -rw-r----- 1 ra\u00edz lkp 0 1 de mayo 21:25 current_tracer -rw-r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 Dynamic_events -r--r----- 1 ra\u00edz ra\u00edz 0 1 de mayo 21:25 dyn_ftrace_total_info -r--r----- 1 root root 0 1 de mayo 21:25 enable_functions Donde current_tracer ahora tiene el grupo \\\"lkp\\\". # montar -o remontar, gid=1001. # ls -l -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_size_kb -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_subbuf_size_kb -r--r--- -- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 buffer_total_size_kb -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 current_tracer -rw-r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 Dynamic_events -r--r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 dyn_ftrace_total_info -r--r----- 1 rastreo de ra\u00edz 0 1 de mayo 21:25 enable_functions Todo cambi\u00f3 excepto el \\\"current_tracer\\\". Agregue una nueva lista de enlaces que realice un seguimiento de todos los tracefs_inodes que tienen indicadores de permiso que indican si el archivo/directorio debe usar el permiso del inodo ra\u00edz o no. Luego, al volver a montar, borre todas las banderas para que el comportamiento predeterminado de usar el permiso del inodo ra\u00edz se realice para todos los archivos y directorios.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-863\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.6.18\",\"versionEndExcluding\":\"6.6.31\",\"matchCriteriaId\":\"502244AD-BE94-4F0D-9162-02C04B7ED925\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"6.7.4\",\"versionEndExcluding\":\"6.8.10\",\"matchCriteriaId\":\"F7413227-3EF9-4BDD-B655-0727F81CFEB2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc1:*:*:*:*:*:*\",\"matchCriteriaId\":\"22BEDD49-2C6D-402D-9DBF-6646F6ECD10B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc2:*:*:*:*:*:*\",\"matchCriteriaId\":\"DF73CB2A-DFFD-46FB-9BFE-AA394F27EA37\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc3:*:*:*:*:*:*\",\"matchCriteriaId\":\"52048DDA-FC5A-4363-95A0-A6357B4D7F8C\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc4:*:*:*:*:*:*\",\"matchCriteriaId\":\"A06B2CCF-3F43-4FA9-8773-C83C3F5764B2\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc5:*:*:*:*:*:*\",\"matchCriteriaId\":\"F850DCEC-E08B-4317-A33B-D2DCF39F601B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:linux:linux_kernel:6.9:rc6:*:*:*:*:*:*\",\"matchCriteriaId\":\"91326417-E981-482E-A5A3-28BC1327521B\"}]}]}],\"references\":[{\"url\":\"https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54\",\"source\":\"416baaa9-dc9f-4396-8d5f-8c081fb06d67\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]},{\"url\":\"https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03\", \"tags\": [\"x_transferred\"]}, {\"url\": \"https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54\", \"tags\": [\"x_transferred\"]}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2024-08-02T03:43:50.371Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2024-36963\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2025-05-20T14:06:38.590905Z\"}}}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-863\", \"description\": \"CWE-863 Incorrect Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2024-06-04T15:38:05.479Z\"}}], \"cna\": {\"title\": \"tracefs: Reset permissions on remount if permissions are options\", \"affected\": [{\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"628adb842bd5e1c2c598534a7a022b8235289de6\", \"lessThan\": \"5f91fc82794d4a6e41cdcd02d00baa377d94ca78\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8186fff7ab649085e2c60d032d9a20a85af1d87c\", \"lessThan\": \"414fb08628143203d29ccd0264b5a83fb9523c03\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"8186fff7ab649085e2c60d032d9a20a85af1d87c\", \"lessThan\": \"baa23a8d4360d981a49913841a726edede5cdd54\", \"versionType\": \"git\"}, {\"status\": \"affected\", \"version\": \"9c2ac5e0ea7899411fd900d4681890722a020735\", \"versionType\": \"git\"}], \"programFiles\": [\"fs/tracefs/event_inode.c\", \"fs/tracefs/inode.c\", \"fs/tracefs/internal.h\"], \"defaultStatus\": \"unaffected\"}, {\"repo\": \"https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git\", \"vendor\": \"Linux\", \"product\": \"Linux\", \"versions\": [{\"status\": \"affected\", \"version\": \"6.8\"}, {\"status\": \"unaffected\", \"version\": \"0\", \"lessThan\": \"6.8\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"6.6.31\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.6.*\"}, {\"status\": \"unaffected\", \"version\": \"6.8.10\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"6.8.*\"}, {\"status\": \"unaffected\", \"version\": \"6.9\", \"versionType\": \"original_commit_for_fix\", \"lessThanOrEqual\": \"*\"}], \"programFiles\": [\"fs/tracefs/event_inode.c\", \"fs/tracefs/inode.c\", \"fs/tracefs/internal.h\"], \"defaultStatus\": \"affected\"}], \"references\": [{\"url\": \"https://git.kernel.org/stable/c/5f91fc82794d4a6e41cdcd02d00baa377d94ca78\"}, {\"url\": \"https://git.kernel.org/stable/c/414fb08628143203d29ccd0264b5a83fb9523c03\"}, {\"url\": \"https://git.kernel.org/stable/c/baa23a8d4360d981a49913841a726edede5cdd54\"}], \"x_generator\": {\"engine\": \"bippy-1.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"In the Linux kernel, the following vulnerability has been resolved:\\n\\ntracefs: Reset permissions on remount if permissions are options\\n\\nThere\u0027s an inconsistency with the way permissions are handled in tracefs.\\nBecause the permissions are generated when accessed, they default to the\\nroot inode\u0027s permission if they were never set by the user. If the user\\nsets the permissions, then a flag is set and the permissions are saved via\\nthe inode (for tracefs files) or an internal attribute field (for\\neventfs).\\n\\nBut if a remount happens that specify the permissions, all the files that\\nwere not changed by the user gets updated, but the ones that were are not.\\nIf the user were to remount the file system with a given permission, then\\nall files and directories within that file system should be updated.\\n\\nThis can cause security issues if a file\u0027s permission was updated but the\\nadmin forgot about it. They could incorrectly think that remounting with\\npermissions set would update all files, but miss some.\\n\\nFor example:\\n\\n # cd /sys/kernel/tracing\\n # chgrp 1002 current_tracer\\n # ls -l\\n[..]\\n -rw-r-----  1 root root 0 May  1 21:25 buffer_size_kb\\n -rw-r-----  1 root root 0 May  1 21:25 buffer_subbuf_size_kb\\n -r--r-----  1 root root 0 May  1 21:25 buffer_total_size_kb\\n -rw-r-----  1 root lkp  0 May  1 21:25 current_tracer\\n -rw-r-----  1 root root 0 May  1 21:25 dynamic_events\\n -r--r-----  1 root root 0 May  1 21:25 dyn_ftrace_total_info\\n -r--r-----  1 root root 0 May  1 21:25 enabled_functions\\n\\nWhere current_tracer now has group \\\"lkp\\\".\\n\\n # mount -o remount,gid=1001 .\\n # ls -l\\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_size_kb\\n -rw-r-----  1 root tracing 0 May  1 21:25 buffer_subbuf_size_kb\\n -r--r-----  1 root tracing 0 May  1 21:25 buffer_total_size_kb\\n -rw-r-----  1 root lkp     0 May  1 21:25 current_tracer\\n -rw-r-----  1 root tracing 0 May  1 21:25 dynamic_events\\n -r--r-----  1 root tracing 0 May  1 21:25 dyn_ftrace_total_info\\n -r--r-----  1 root tracing 0 May  1 21:25 enabled_functions\\n\\nEverything changed but the \\\"current_tracer\\\".\\n\\nAdd a new link list that keeps track of all the tracefs_inodes which has\\nthe permission flags that tell if the file/dir should use the root inode\u0027s\\npermission or not. Then on remount, clear all the flags so that the\\ndefault behavior of using the root inode\u0027s permission is done for all\\nfiles and directories.\"}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.6.31\", \"versionStartIncluding\": \"6.6.18\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.8.10\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"6.9\", \"versionStartIncluding\": \"6.8\"}, {\"criteria\": \"cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionStartIncluding\": \"6.7.4\"}], \"operator\": \"OR\"}]}], \"providerMetadata\": {\"orgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"shortName\": \"Linux\", \"dateUpdated\": \"2025-05-04T12:56:37.338Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2024-36963\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2025-05-20T14:07:59.778Z\", \"dateReserved\": \"2024-05-30T15:25:07.081Z\", \"assignerOrgId\": \"416baaa9-dc9f-4396-8d5f-8c081fb06d67\", \"datePublished\": \"2024-06-03T07:50:01.125Z\", \"assignerShortName\": \"Linux\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.