Unprivileged Users Can Access Restricted Data via Logic Bug in Kernel Tracing
CVE-2024-6760

7.5HIGH

Key Information:

Vendor: FreeBSD
Status: FreeBSD
Vendor: CVE Published:; 12 August 2024

What is CVE-2024-6760?

The vulnerability presents a logic flaw in the FreeBSD operating system related to the kernel tracing functionality of setuid programs. The flaw permits unprivileged users to trace and interact with the execution of setuid programs due to improper disabling of kernel tracing mechanisms. This oversight allows unauthorized users to access sensitive information, including the contents of files that should remain out of reach, such as the local password database. Mitigation efforts are necessary to prevent unprivileged access to critical system resources.

Affected Version(s)

FreeBSD 14.1-RELEASE

FreeBSD 14.0-RELEASE

FreeBSD 13.3-RELEASE

References

https://security.freebsd.org/advisories/FreeBSD-SA-24:06....

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 12, 2024
Vulnerability Reserved
Jul 15, 2024