CVE-2024-6107
BaseFortify

Publication date: 2025-07-21

Last updated on: 2025-08-27

Assigner: Canonical Ltd.

Description
Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This has been addressed in MAAS and updated in the corresponding snaps.
Meta Information
Published: 2025-07-21
Last Modified: 2025-08-27
Generated: 2026-05-07
AI Q&A: 2025-07-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
canonical metal_as_a_service From 3.1.0 (inc) to 3.1.4 (exc)
canonical metal_as_a_service From 3.2.0 (inc) to 3.2.11 (exc)
canonical metal_as_a_service From 3.3.0 (inc) to 3.3.8 (exc)
canonical metal_as_a_service From 3.4.0 (inc) to 3.4.4 (exc)
canonical metal_as_a_service 3.5.0
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
NVD-CWE-noinfo
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2024-6107 is a critical vulnerability in MAAS (Metal as a Service) where the region controller's RPC server calls a connection method before completing authentication. This allows an attacker using a malicious client to bypass authentication checks entirely and execute arbitrary remote procedure call (RPC) commands on the MAAS region. The attacker can perform actions such as creating nodes, updating leases, registering controllers, retrieving configurations, and more without any authentication. [1]


How can this vulnerability impact me?

This vulnerability can have severe impacts including remote code execution, denial of service (DoS) attacks by sending repeated commands, and information leakage such as exposing boot configurations and node information. An attacker can manipulate the MAAS environment by creating or commissioning nodes, marking nodes as failed, and other administrative actions without authorization, potentially disrupting operations and compromising system integrity. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to connect to the MAAS region controller's RPC server on TCP port 5251 and trying to execute RPC commands without authentication. For example, using a script or tool that sends Twisted AMP protocol commands such as 'CreateNode' to the MAAS region controller and observing if the command executes without proper authentication. Monitoring network traffic for unauthorized RPC commands on port 5251 may also help detect exploitation attempts. [1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the official patches released for MAAS versions 3.1.4, 3.2.11, 3.3.8, 3.4.4, 3.5.1, and 3.6.0 that enforce authentication before allowing RPC commands. If patching is not immediately possible, restrict network access to the MAAS region controller's RPC port (TCP 5251) to trusted hosts only. Coordinate with your security and operations teams to deploy updated snap or deb packages containing the fix as soon as possible. [1]
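
To decide which hosts need the patched packages first, the affected ranges from the table above can be checked against an inventory. This is an added example, not code from this page or from the MAAS project; the function names are illustrative, and the build suffix on the sample version strings is an assumption about how installed versions are reported.

```python
import re

# Affected rows copied from the "Affected Vendors & Products" table on this page.
AFFECTED_ROWS = [
    "From 3.1.0 (inc) to 3.1.4 (exc)",
    "From 3.2.0 (inc) to 3.2.11 (exc)",
    "From 3.3.0 (inc) to 3.3.8 (exc)",
    "From 3.4.0 (inc) to 3.4.4 (exc)",
    "3.5.0",
]
# Names below are hypothetical helpers written for this example.
ROW_RE = re.compile(r"From (\S+) \((inc|exc)\) to (\S+) \((inc|exc)\)")


def parse_version(text):
    """Return (major, minor, patch); any build suffix after the numbers is ignored."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())


def parse_row(row):
    """Turn one table row into (low, low_inclusive, high, high_inclusive)."""
    m = ROW_RE.fullmatch(row.strip())
    if m:
        return (parse_version(m[1]), m[2] == "inc", parse_version(m[3]), m[4] == "inc")
    v = parse_version(row)  # a bare version is an exact match
    return (v, True, v, True)


def is_affected(installed):
    """True if the installed MAAS version falls inside any listed range."""
    v = parse_version(installed)
    for low, low_inc, high, high_inc in map(parse_row, AFFECTED_ROWS):
        above = v > low or (low_inc and v == low)
        below = v < high or (high_inc and v == high)
        if above and below:
            return True
    return False


def audit(inventory):
    """Map each host in a {host: version} dict to its status."""
    return {host: "affected" if is_affected(ver) else "not in listed ranges"
            for host, ver in inventory.items()}
```

A version outside the listed ranges is reported as "not in listed ranges" rather than "safe", because the table only covers 3.1.0 and later.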

