Vulners
Lucene search
Azure Linux 3.0 Security Update: kernel (CVE-2024-41009)
10
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(215688);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2025/09/15");
script_cve_id("CVE-2024-41009");
script_name(english:"Azure Linux 3.0 Security Update: kernel (CVE-2024-41009)");
script_set_attribute(attribute:"synopsis", value:
"The remote Azure Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore,
affected by a vulnerability as referenced in the CVE-2024-41009 advisory.
- In the Linux kernel, the following vulnerability has been resolved: bpf: Fix overrunning reservations in
ringbuf The BPF ring buffer internally is implemented as a power-of-2 sized circular buffer, with two
logical and ever-increasing counters: consumer_pos is the consumer counter to show which logical position
the consumer consumed the data, and producer_pos which is the producer counter denoting the amount of data
reserved by all producers. Each time a record is reserved, the producer that owns the record will
successfully advance producer counter. In user space each time a record is read, the consumer of the data
advanced the consumer counter once it finished processing. Both counters are stored in separate pages so
that from user space, the producer counter is read-only and the consumer counter is read-write. One aspect
that simplifies and thus speeds up the implementation of both producers and consumers is how the data area
is mapped twice contiguously back-to-back in the virtual memory, allowing to not take any special measures
for samples that have to wrap around at the end of the circular buffer data area, because the next page
after the last data page would be first data page again, and thus the sample will still appear completely
contiguous in virtual memory. Each record has a struct bpf_ringbuf_hdr { u32 len; u32 pg_off; } header for
book-keeping the length and offset, and is inaccessible to the BPF program. Helpers like
bpf_ringbuf_reserve() return `(void *)hdr + BPF_RINGBUF_HDR_SZ` for the BPF program to use. Bing-Jhong and
Muhammad reported that it is however possible to make a second allocated memory chunk overlapping with the
first chunk and as a result, the BPF program is now able to edit first chunk's header. For example,
consider the creation of a BPF_MAP_TYPE_RINGBUF map with size of 0x4000. Next, the consumer_pos is
modified to 0x3000 /before/ a call to bpf_ringbuf_reserve() is made. This will allocate a chunk A, which
is in [0x0,0x3008], and the BPF program is able to edit [0x8,0x3008]. Now, lets allocate a chunk B with
size 0x3000. This will succeed because consumer_pos was edited ahead of time to pass the `new_prod_pos -
cons_pos > rb->mask` check. Chunk B will be in range [0x3008,0x6010], and the BPF program is able to edit
[0x3010,0x6010]. Due to the ring buffer memory layout mentioned earlier, the ranges [0x0,0x4000] and
[0x4000,0x8000] point to the same data pages. This means that chunk B at [0x4000,0x4008] is chunk A's
header. bpf_ringbuf_submit() / bpf_ringbuf_discard() use the header's pg_off to then locate the
bpf_ringbuf itself via bpf_ringbuf_restore_from_rec(). Once chunk B modified chunk A's header, then
bpf_ringbuf_commit() refers to the wrong page and could cause a crash. Fix it by calculating the oldest
pending_pos and check whether the range from the oldest outstanding record to the newest would span beyond
the ring buffer size. If that is the case, then reject the request. We've tested with the ring buffer
benchmark in BPF selftests (./benchs/run_bench_ringbufs.sh) before/after the fix and while it seems a bit
slower on some benchmarks, it is still not significantly enough to matter. (CVE-2024-41009)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://nvd.nist.gov/vuln/detail/CVE-2024-41009");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-41009");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/07/17");
script_set_attribute(attribute:"patch_publication_date", value:"2024/08/13");
script_set_attribute(attribute:"plugin_publication_date", value:"2025/02/10");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:bpftool");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-cross-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-docs");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-drivers-accessibility");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-drivers-gpu");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-drivers-sound");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-dtb");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-headers");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:kernel-tools");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:microsoft:azure_linux:python3-perf");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:microsoft:azure_linux");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Azure Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info2.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AzureLinux/release", "Host/AzureLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var release = get_kb_item('Host/AzureLinux/release');
if (isnull(release) || 'Azure Linux' >!< release) audit(AUDIT_OS_NOT, 'Azure Linux');
var os_ver = pregmatch(pattern: "Azure Linux ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Azure Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^3([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Azure Linux 3.0', 'Azure Linux ' + os_ver);
if (!get_kb_item('Host/AzureLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu)
audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Azure Linux', cpu);
var pkgs = [
{'reference':'kernel-cross-headers-6.6.35.1-5.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-headers-6.6.35.1-5.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE},
{'reference':'kernel-headers-6.6.35.1-5.azl3', 'release':'3.0', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Azure Linux ' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'bpftool / kernel / kernel-cross-headers / kernel-devel / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
15 Sep 2025 00:00Current
6.2Medium risk
Vulners AI Score6.2
CVSS 3.15.5
EPSS0.00028
SSVC