CBL Mariner 2.0 Security Update: rpm-ostree / kata-containers-cc / kata-containers (CVE-2024-27308)

high Nessus Plugin ID 201759

Synopsis

The remote CBL Mariner host is missing one or more security updates.

Description

The version of rpm-ostree / kata-containers-cc / kata-containers installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-27308 advisory.

- Mio is a Metal I/O library for Rust. When using named pipes on Windows, mio will under some circumstances return invalid tokens that correspond to named pipes that have already been deregistered from the mio registry. The impact of this vulnerability depends on how mio is used. For some applications, invalid tokens May be ignored or cause a warning or a crash. On the other hand, for applications that store pointers in the tokens, this vulnerability May result in a use-after-free. For users of Tokio, this vulnerability is serious and can result in a use-after-free in Tokio. The vulnerability is Windows- specific, and can only happen if you are using named pipes. Other IO resources are not affected. This vulnerability has been fixed in mio v0.8.11. All versions of mio between v0.7.2 and v0.8.10 are vulnerable. Tokio is vulnerable when you are using a vulnerable version of mio AND you are using at least Tokio v1.30.0. Versions of Tokio prior to v1.30.0 will ignore invalid tokens, so they are not vulnerable.
Vulnerable libraries that use mio can work around this issue by detecting and ignoring invalid tokens.
(CVE-2024-27308)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://nvd.nist.gov/vuln/detail/CVE-2024-27308

Plugin Details

Severity: High

ID: 201759

File Name: mariner_CVE-2024-27308.nasl

Version: 1.1

Type: local

Published: 7/3/2024

Updated: 7/3/2024

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N

CVSS Score Source: CVE-2024-27308

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:microsoft:cbl-mariner:kata-containers, x-cpe:/o:microsoft:cbl-mariner, p-cpe:/a:microsoft:cbl-mariner:kata-containers-cc, p-cpe:/a:microsoft:cbl-mariner:kata-containers-tools, p-cpe:/a:microsoft:cbl-mariner:kata-containers-cc-tools

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/CBLMariner/release, Host/CBLMariner/rpm-list

Exploit Ease: No known exploits are available

Patch Publication Date: 7/1/2024

Vulnerability Publication Date: 3/4/2024

Reference Information

CVE: CVE-2024-27308