csaf_microsoft - msrc

MSRC_CVE-2024-2746

Vulnerability from csaf_microsoft - Published: 2024-05-02 07:00 - Updated: 2025-09-03 19:34

Summary

Incomplete fix for CVE-2024-1929

Notes

Additional Resources

To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle

Disclaimer

The information provided in the Microsoft Knowledge Base is provided \"as is\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

JSON

To clipboard

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "Public",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "general",
        "text": "To determine the support lifecycle for your software, see the Microsoft Support Lifecycle: https://support.microsoft.com/lifecycle",
        "title": "Additional Resources"
      },
      {
        "category": "legal_disclaimer",
        "text": "The information provided in the Microsoft Knowledge Base is provided \\\"as is\\\" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.",
        "title": "Disclaimer"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "secure@microsoft.com",
      "name": "Microsoft Security Response Center",
      "namespace": "https://msrc.microsoft.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "CVE-2024-2746 Incomplete fix for CVE-2024-1929 - VEX",
        "url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-2746.json"
      },
      {
        "category": "external",
        "summary": "Microsoft Support Lifecycle",
        "url": "https://support.microsoft.com/lifecycle"
      },
      {
        "category": "external",
        "summary": "Common Vulnerability Scoring System",
        "url": "https://www.first.org/cvss"
      }
    ],
    "title": "Incomplete fix for CVE-2024-1929",
    "tracking": {
      "current_release_date": "2025-09-03T19:34:04.000Z",
      "generator": {
        "date": "2025-10-20T01:36:29.190Z",
        "engine": {
          "name": "MSRC Generator",
          "version": "1.0"
        }
      },
      "id": "msrc_CVE-2024-2746",
      "initial_release_date": "2024-05-02T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2025-09-03T19:34:04.000Z",
          "legacy_version": "1",
          "number": "1",
          "summary": "Information published."
        }
      ],
      "status": "final",
      "version": "1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.0",
                "product": {
                  "name": "Azure Linux 3.0",
                  "product_id": "17084"
                }
              },
              {
                "category": "product_version",
                "name": "2.0",
                "product": {
                  "name": "CBL Mariner 2.0",
                  "product_id": "17086"
                }
              }
            ],
            "category": "product_name",
            "name": "Azure Linux"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003cazl3 dnf5 5.1.11-2",
                "product": {
                  "name": "\u003cazl3 dnf5 5.1.11-2",
                  "product_id": "3"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 dnf5 5.1.11-2",
                "product": {
                  "name": "azl3 dnf5 5.1.11-2",
                  "product_id": "17747"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003cazl3 dnf5 5.1.11-3",
                "product": {
                  "name": "\u003cazl3 dnf5 5.1.11-3",
                  "product_id": "2"
                }
              },
              {
                "category": "product_version",
                "name": "azl3 dnf5 5.1.11-3",
                "product": {
                  "name": "azl3 dnf5 5.1.11-3",
                  "product_id": "19699"
                }
              }
            ],
            "category": "product_name",
            "name": "dnf5"
          },
          {
            "category": "product_name",
            "name": "cbl2 dnf5 5.0.14-2",
            "product": {
              "name": "cbl2 dnf5 5.0.14-2",
              "product_id": "1"
            }
          }
        ],
        "category": "vendor",
        "name": "Microsoft"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 dnf5 5.1.11-2 as a component of Azure Linux 3.0",
          "product_id": "17084-3"
        },
        "product_reference": "3",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 dnf5 5.1.11-2 as a component of Azure Linux 3.0",
          "product_id": "17747-17084"
        },
        "product_reference": "17747",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "\u003cazl3 dnf5 5.1.11-3 as a component of Azure Linux 3.0",
          "product_id": "17084-2"
        },
        "product_reference": "2",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "azl3 dnf5 5.1.11-3 as a component of Azure Linux 3.0",
          "product_id": "19699-17084"
        },
        "product_reference": "19699",
        "relates_to_product_reference": "17084"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "cbl2 dnf5 5.0.14-2 as a component of CBL Mariner 2.0",
          "product_id": "17086-1"
        },
        "product_reference": "1",
        "relates_to_product_reference": "17086"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-2746",
      "cwe": {
        "id": "CWE-20",
        "name": "Improper Input Validation"
      },
      "flags": [
        {
          "label": "vulnerable_code_not_present",
          "product_ids": [
            "17086-1"
          ]
        }
      ],
      "notes": [
        {
          "category": "general",
          "text": "redhat",
          "title": "Assigning CNA"
        }
      ],
      "product_status": {
        "fixed": [
          "17747-17084",
          "19699-17084"
        ],
        "known_affected": [
          "17084-3",
          "17084-2"
        ],
        "known_not_affected": [
          "17086-1"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "CVE-2024-2746 Incomplete fix for CVE-2024-1929 - VEX",
          "url": "https://msrc.microsoft.com/csaf/vex/2024/msrc_cve-2024-2746.json"
        }
      ],
      "remediations": [
        {
          "category": "vendor_fix",
          "date": "2025-09-03T19:34:04.000Z",
          "details": "5.1.11-2:Security Update:https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade",
          "product_ids": [
            "17084-3",
            "17084-2"
          ],
          "url": "https://learn.microsoft.com/en-us/azure/azure-linux/tutorial-azure-linux-upgrade"
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalsScore": 0.0,
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "temporalScore": 8.8,
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "17084-3",
            "17084-2"
          ]
        }
      ],
      "title": "Incomplete fix for CVE-2024-1929"
    }
  ]
}

CVE-2024-2746 (GCVE-0-2024-2746)

Vulnerability from cvelistv5 – Published: 2024-05-08 01:55 – Updated: 2024-08-12 18:29

Summary

Incomplete fix for CVE-2024-1929 The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user controlled "plugin". All of this happened before Polkit authentication was even started. The dnf5 library code does not check whether non-root users control the directory in question. On one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file that causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow. The file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics are accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though. Also, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify a plethora of additional configuration options. This makes various additional code paths in libdnf5 accessible to the attacker.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

CWE-20 - Improper Input Validation

Assigner

redhat

References

URL

Tags

https://www.openwall.com/lists/oss-security/2024/…

Impacted products

	Vendor	Product	Version
	Fedora	dnf5daemon-server	Affected: 5.1.16

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-01T19:25:41.295Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "affected": [
          {
            "cpes": [
              "cpe:2.3:a:fedora:dnf5daemon-server:*:*:*:*:*:*:*:*"
            ],
            "defaultStatus": "unknown",
            "product": "dnf5daemon-server",
            "vendor": "fedora",
            "versions": [
              {
                "lessThan": "5.1.17",
                "status": "affected",
                "version": "5.1.16",
                "versionType": "custom"
              }
            ]
          }
        ],
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-2746",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-05-08T14:43:25.427605Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-08-12T18:29:59.508Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "platforms": [
            "Linux"
          ],
          "product": "dnf5daemon-server",
          "vendor": "Fedora",
          "versions": [
            {
              "status": "affected",
              "version": "5.1.16"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Incomplete fix for CVE-2024-1929\u003cbr\u003e\u003cbr\u003eThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\u003cbr\u003elocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\u003cbr\u003e\u003cbr\u003eThe dnf5 library code does not check whether non-root users control the directory in question.\u0026nbsp;\u003cbr\u003e\u003cbr\u003eOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\u003cbr\u003ethat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\u003cbr\u003eThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\u003cbr\u003eare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\u003cbr\u003e\u003cbr\u003eAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\u003cbr\u003ea plethora of additional configuration options. This makes various\u0026nbsp;additional code paths in libdnf5 accessible to the attacker."
            }
          ],
          "value": "Incomplete fix for CVE-2024-1929\n\nThe problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a\nlocal root exploit by tricking the daemon into loading a user controlled \"plugin\". All of this happened before Polkit authentication was even started.\n\nThe dnf5 library code does not check whether non-root users control the directory in question.\u00a0\n\nOn one hand, this poses a Denial-of-Service attack vector by making the daemonoperate on a blocking file (e.g. named FIFO special file) or a very large file\nthat causes an out-of-memory situation (e.g. /dev/zero). On the other hand, this can be used to let the daemon process privileged files like /etc/shadow.\nThe file in question is parsed as an INI file. Error diagnostics resulting from parsing privileged files could cause information leaks, if these diagnostics\nare accessible to unprivileged users. In the case of libdnf5, no such user accessible diagnostics should exist, though.\n\nAlso, a local attacker can place a valid repository configuration file in this directory. This configuration file allows to specify\na plethora of additional configuration options. This makes various\u00a0additional code paths in libdnf5 accessible to the attacker."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-20",
              "description": "CWE-20 Improper Input Validation",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-07-12T19:00:40.624Z",
        "orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
        "shortName": "redhat"
      },
      "references": [
        {
          "url": "https://www.openwall.com/lists/oss-security/2024/04/03/5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Incomplete fix for CVE-2024-1929",
      "x_generator": {
        "engine": "Vulnogram 0.1.0-dev"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749",
    "assignerShortName": "redhat",
    "cveId": "CVE-2024-2746",
    "datePublished": "2024-05-08T01:55:10.092Z",
    "dateReserved": "2024-03-20T16:02:36.835Z",
    "dateUpdated": "2024-08-12T18:29:59.508Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

MSRC_CVE-2024-2746

CVE-2024-2746 (GCVE-0-2024-2746)

Tags

Sightings

Nomenclature