EUVD-2024-54980
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
4Description
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.
Analysis
cloud-init through 25.1.2 includes the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. This is used for the "/run/cloud-init/hook-hotplug-cmd" FIFO. An unprivileged user could trigger hotplug-hook commands.
Technical Context
This vulnerability is classified as Incorrect Permission Assignment for Critical Resource (CWE-732).
Affected Products
Affected products: Canonical Cloud-Init
Remediation
A vendor patch is available. Apply it as soon as possible and verify the fix.
Priority Score
Vendor Status
Ubuntu
Priority: Medium| Release | Status | Version |
|---|---|---|
| xenial | not-affected | - |
| upstream | released | 25.1.3 |
| trusty | DNE | - |
| oracular | ignored | end of life, was needed |
| bionic | released | 23.1.2-0ubuntu0~18.04.1+esm1 |
| focal | released | 24.4.1-0ubuntu0~20.04.3+esm1 |
| jammy | released | 25.1.4-0ubuntu0~22.04.1 |
| noble | released | 25.1.4-0ubuntu0~24.04.1 |
| plucky | released | 25.1.4-0ubuntu0~25.04.1 |
Debian
Bug #1108402| Release | Status | Fixed Version | Urgency |
|---|---|---|---|
| bullseye | vulnerable | 20.4.1-2+deb11u1 | - |
| bookworm | fixed | 22.4.2-1+deb12u3 | - |
| trixie | fixed | 25.1.4-1+deb13u1 | - |
| forky, sid | fixed | 25.3-2 | - |
| (unstable) | fixed | 25.1.4-1 | - |
Share
External POC / Exploit Code
Leaving vuln.today