CVE-2024-42232
Ceph Monitors Auth and Monmap Use-After-Free vulnerable Vulnerabilities
Description
In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed
INFO
Published Date :
Aug. 7, 2024, 4:15 p.m.
Last Modified :
Aug. 8, 2024, 3:02 p.m.
Source :
416baaa9-dc9f-4396-8d5f-8c081fb06d67
Remotely Exploitable :
No
Impact Score :
3.6
Exploitability Score :
1.8
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2024-42232.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2024-42232 vulnerability anywhere in the article.
The following table lists the changes that have been made to the
CVE-2024-42232 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
Initial Analysis by [email protected]
Aug. 08, 2024
Action Type Old Value New Value Added CVSS V3.1 NIST AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H Changed Reference Type https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf No Types Assigned https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf Patch Changed Reference Type https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7 No Types Assigned https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7 Patch Changed Reference Type https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a No Types Assigned https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a Patch Changed Reference Type https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e No Types Assigned https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e Patch Changed Reference Type https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c No Types Assigned https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c Patch Changed Reference Type https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea No Types Assigned https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea Patch Changed Reference Type https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 No Types Assigned https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 Patch Changed Reference Type https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d No Types Assigned https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d Patch Added CWE NIST CWE-416 Added CPE Configuration OR *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions up to (excluding) 4.19.318 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 4.20 up to (excluding) 5.4.280 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.5 up to (excluding) 5.10.222 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.11 up to (excluding) 5.15.163 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 5.16 up to (excluding) 6.1.100 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.2 up to (excluding) 6.6.41 *cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* versions from (including) 6.7 up to (excluding) 6.9.10 -
CVE Received by 416baaa9-dc9f-4396-8d5f-8c081fb06d67
Aug. 07, 2024
Action Type Old Value New Value Added Description In the Linux kernel, the following vulnerability has been resolved: libceph: fix race between delayed_work() and ceph_monc_stop() The way the delayed work is handled in ceph_monc_stop() is prone to races with mon_fault() and possibly also finish_hunting(). Both of these can requeue the delayed work which wouldn't be canceled by any of the following code in case that happens after cancel_delayed_work_sync() runs -- __close_session() doesn't mess with the delayed work in order to avoid interfering with the hunting interval logic. This part was missed in commit b5d91704f53e ("libceph: behave in mon_fault() if cur_mon < 0") and use-after-free can still ensue on monc and objects that hang off of it, with monc->auth and monc->monmap being particularly susceptible to quickly being reused. To fix this: - clear monc->cur_mon and monc->hunting as part of closing the session in ceph_monc_stop() - bail from delayed_work() if monc->cur_mon is cleared, similar to how it's done in mon_fault() and finish_hunting() (based on monc->hunting) - call cancel_delayed_work_sync() after the session is closed Added Reference kernel.org https://git.kernel.org/stable/c/1177afeca833174ba83504688eec898c6214f4bf [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/63e5d035e3a7ab7412a008f202633c5e6a0a28ea [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/34b76d1922e41da1fa73d43b764cddd82ac9733c [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/20cf67dcb7db842f941eff1af6ee5e9dc41796d7 [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/2d33654d40a05afd91ab24c9a73ab512a0670a9a [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/9525af1f58f67df387768770fcf6d6a8f23aee3d [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/33d38c5da17f8db2d80e811b7829d2822c10625e [No types assigned] Added Reference kernel.org https://git.kernel.org/stable/c/69c7b2fe4c9cc1d3b1186d1c5606627ecf0de883 [No types assigned]
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2024-42232 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2024-42232
weaknesses.