CVE-2024-46916
BaseFortify
Publication date: 2025-08-29
Last updated on: 2025-09-09
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dieboldnixdorf | vynamic_security_suite | up to 4.3.0sr06 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Diebold Nixdorf Vynamic Security Suite through version 4.3.0 SR06 allows critical system files to be removed before the filesystem is properly mounted. Specifically, a delete call in the initialization script (/etc/rc.d/init.d/mountfs) can remove the /etc/fstab file. This improper handling enables attackers to execute code and, in some versions, recover TPM Disk Encryption keys and decrypt the Windows system partition. The root cause is incomplete file integrity validation in the Linux partition, leaving some files unprotected and vulnerable to manipulation during system initialization.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized code execution and information disclosure by allowing deletion of critical system files like /etc/fstab before the filesystem is mounted. This can expose protected directories and enable attackers to modify root's profile scripts. In some versions, it also allows recovery of TPM Disk Encryption keys and decryption of the Windows system partition, potentially compromising system confidentiality and integrity. Although mitigations exist, inconsistent application across versions leaves residual risk primarily for reconnaissance and limited exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable delete commands in the initialization script /etc/rc.d/init.d/mountfs, specifically the command 'rm -f /fastboot /forcefsck'. You can inspect this script for such commands and verify if critical files like /etc/fstab are linked or deleted. Additionally, checking for tampering of critical utilities such as /bin/mountpoint or /sbin/shutdown can help detect exploitation attempts. Suggested commands include: 'grep "rm -f /fastboot /forcefsck" /etc/rc.d/init.d/mountfs' to find the delete commands, 'ls -l /fastboot /forcefsck /etc/fstab' to check file presence and links, and verifying integrity or modification times of /root/.profile and other TMPFS directories. [1]
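The checks suggested above can be combined into one audit function. This is an added example, not code from BaseFortify or the vendor. The optional root argument (for inspecting an offline-mounted image) and the FINDING/INFO output labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a root filesystem for the indicators named above.
# The root argument defaults to / ; passing a mount point to inspect an
# offline image is an assumption of this example, not a vendor procedure.

audit_mountfs() {
    root="${1:-/}"
    root="${root%/}"
    script="$root/etc/rc.d/init.d/mountfs"
    findings=0

    # 1. Look for the delete call, matched as a fixed string (grep -F).
    if [ -f "$script" ]; then
        line=$(grep -nF 'rm -f /fastboot /forcefsck' "$script" | head -n 1 | cut -d: -f1)
        if [ -n "$line" ]; then
            echo "FINDING delete-call $script:$line"
            findings=$((findings + 1))
        fi
    else
        echo "INFO no mountfs script at $script"
    fi

    # 2. Check presence and link status of the three files listed above.
    for f in /fastboot /forcefsck /etc/fstab; do
        p="$root$f"
        if [ -L "$p" ]; then
            echo "FINDING symlink $f -> $(readlink "$p")"
            findings=$((findings + 1))
        elif [ -e "$p" ]; then
            echo "INFO present $f"
        elif [ "$f" = /etc/fstab ]; then
            echo "FINDING missing $f"
            findings=$((findings + 1))
        fi
    done

    echo "TOTAL $findings"
    # Return non-zero when anything was flagged, so callers can alert on it.
    [ "$findings" -eq 0 ]
}

# Run only when a root directory is given on the command line.
if [ "$#" -gt 0 ]; then
    audit_mountfs "$1"
fi
```

A non-zero exit status means at least one indicator was flagged. The function does not cover the integrity checks on /root/.profile, /bin/mountpoint or /sbin/shutdown, which need a known-good baseline to compare against.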
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading to versions of the Vynamic Security Suite that have the mitigations introduced in SR12 or later, which remove and recreate critical directories to block the attack vector. Ensuring that the mountvirtfs script is used to mount kernel runtime filesystems with strict permissions (nosuid,noexec,nodev) helps limit the attack surface. Also, verify that the denial-of-service mechanism blocking boot on tampering with critical utilities (/bin/mountpoint, /sbin/shutdown) is active. If upgrading is not immediately possible, manually harden the system by removing vulnerable delete commands from /etc/rc.d/init.d/mountfs and securing critical files and directories against unauthorized modification. [1]