Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cvelistLinuxCVELIST:CVE-2024-46695
HistorySep 13, 2024 - 5:29 a.m.

CVE-2024-46695 selinux,smack: don't bypass permissions check in inode_setsecctx hook

2024-09-1305:29:23
Linux
www.cve.org
4
linux kernel vulnerability
nfs client
security labels
permissions check
inode_setsecctx
lsm hooks
file security label

EPSS

0

Percentile

16.3%

JSON

In the Linux kernel, the following vulnerability has been resolved:

selinux,smack: don’t bypass permissions check in inode_setsecctx hook

Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.

The end of the kerneldoc comment for __vfs_setxattr_noperm() states:

  • This function requires the caller to lock the inode’s i_mutex before it
  • is executed. It also assumes that the caller will make the appropriate
  • permission checks.

nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don’t do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.

Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.

CNA Affected

[
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "unaffected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "security/selinux/hooks.c",
      "security/smack/smack_lsm.c"
    ],
    "versions": [
      {
        "version": "1da177e4c3f4",
        "lessThan": "459584258d47",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "f71ec019257b",
        "status": "affected",
        "versionType": "git"
      },
      {
        "version": "1da177e4c3f4",
        "lessThan": "76a0e79bc84f",
        "status": "affected",
        "versionType": "git"
      }
    ]
  },
  {
    "product": "Linux",
    "vendor": "Linux",
    "defaultStatus": "affected",
    "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
    "programFiles": [
      "security/selinux/hooks.c",
      "security/smack/smack_lsm.c"
    ],
    "versions": [
      {
        "version": "6.6.49",
        "lessThanOrEqual": "6.6.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.10.8",
        "lessThanOrEqual": "6.10.*",
        "status": "unaffected",
        "versionType": "custom"
      },
      {
        "version": "6.11",
        "lessThanOrEqual": "*",
        "status": "unaffected",
        "versionType": "original_commit_for_fix"
      }
    ]
  }
]

Related

osv 1
nvd 1
cve 1
debiancve 1
osv
osv
CVE-2024-46695
2024-09-13 06:15:14
nvd
nvd
CVE-2024-46695
2024-09-13 06:15:14
cve
cve
CVE-2024-46695
2024-09-13 06:15:14
debiancve
debiancve
CVE-2024-46695
2024-09-13 06:15:14

EPSS

0

Percentile

16.3%

JSON
Related for CVELIST:CVE-2024-46695
osv1nvd1cve1debiancve1