CVE-2024-11584
BaseFortify
Publication date: 2025-06-26
Last updated on: 2025-09-05
Assigner: Canonical Ltd.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| canonical | cloud-init | up to 25.1.3 (excluding) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-732 | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability allows unprivileged users to trigger hotplug-hook commands that should only be executed by root. This can lead to unauthorized execution of privileged scripts or commands, potentially compromising system integrity, confidentiality, and availability. An attacker exploiting this could escalate privileges or disrupt system operations by abusing the writable socket. [2]
Can you explain this vulnerability to me?
CVE-2024-11584 is a security vulnerability in cloud-init versions through 25.1.2 where the systemd socket unit 'cloud-init-hotplugd.socket' had default permissions set to 0666, making it world-writable. This socket is used for the '/run/cloud-init/hook-hotplug-cmd' FIFO. Because of these permissions, any unprivileged user could write to this socket and trigger hotplug-hook commands, which are intended to be executed only by root. This improper permission setting allowed unauthorized users to execute privileged actions. [2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can detect this vulnerability by checking the permissions and location of the cloud-init hotplug socket file. Specifically, verify whether the socket file /run/cloud-init/hook-hotplug-cmd exists and whether it has world-writable permissions (0666). A command to check this would be: `ls -l /run/cloud-init/hook-hotplug-cmd`. If the socket is writable by all users, the system is vulnerable. Also check whether the socket is located outside the 'share' directory, as the fix moves it to /run/cloud-init/share/hook-hotplug-cmd with restricted permissions. [2]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update cloud-init to version 25.1.3 or later, which includes the fix that restricts the hotplug socket permissions to root only and moves the socket to a more secure location (/run/cloud-init/share/hook-hotplug-cmd). If updating is not immediately possible, manually change the permissions of the socket to 0600 and ensure it is only writable by root, and consider moving the socket to the 'share' directory as described. These steps prevent unprivileged users from triggering the hotplug hook scripts. [1, 2]
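The detection answer above boils down to one check: does the hotplug FIFO grant write permission to "others"? The script below is an added example for this page (not code from BaseFortify or from the cloud-init project) that performs that check for both the pre-fix path and the post-fix 'share' path named on this page, and that can be re-run after the mitigation in the previous answer to confirm the mode is no longer world-writable. It assumes a POSIX shell with either GNU or BSD `stat`; the function and variable names are its own.

```shell
#!/bin/sh
# Added example, not code from the BaseFortify page or the cloud-init project.
# Reports whether a cloud-init hotplug FIFO/socket path is world-writable,
# the condition described for CVE-2024-11584.

# hotplug_path_world_writable PATH
#   exit 0 : PATH exists and "others" have write permission (vulnerable state)
#   exit 1 : PATH exists with restricted permissions
#   exit 2 : PATH does not exist (hotplug not enabled, or socket moved)
hotplug_path_world_writable() {
    _p="$1"
    [ -e "$_p" ] || return 2
    # Octal permission string: GNU stat first, BSD/macOS stat as fallback.
    _mode=$(stat -c '%a' "$_p" 2>/dev/null || stat -f '%Lp' "$_p" 2>/dev/null) || return 2
    # The last octal digit holds the "others" rwx bits; write is bit value 2.
    _others=$(printf '%s' "$_mode" | tail -c 1)
    case "$_others" in
        2|3|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# check_cloud_init_hotplug [PATH...]
#   With no arguments, checks the default socket location and the post-fix
#   'share' location named on the page. Returns 0 when no checked path is
#   world-writable, 1 when at least one is.
check_cloud_init_hotplug() {
    if [ "$#" -eq 0 ]; then
        set -- /run/cloud-init/hook-hotplug-cmd /run/cloud-init/share/hook-hotplug-cmd
    fi
    _found=0
    for _p in "$@"; do
        hotplug_path_world_writable "$_p"
        case $? in
            0) echo "VULNERABLE: $_p is world-writable"; _found=1 ;;
            1) echo "ok: $_p exists with restricted permissions" ;;
            2) echo "info: $_p not present" ;;
        esac
    done
    return $_found
}

# Stand-alone use: run on the host being checked; exit status 1 means a
# world-writable hotplug path was found.
check_cloud_init_hotplug "$@"
```

Because the FIFO is created by the systemd socket unit, a manual `chmod 0600` only holds until the unit recreates the path, so the check is worth repeating after a reboot or unit restart; the durable mitigation remains the 25.1.3 update the answer above describes.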