CVE-2024-10934
📋 TL;DR
This CVE describes a double free vulnerability in the NFS client and server implementation in OpenBSD, which could allow attackers to execute arbitrary code or cause denial of service. The vulnerability affects OpenBSD systems running NFS services and is rated as critical with a CVSS score of 9.8.
💻 Affected Systems
- OpenBSD
📦 What is this software?
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
Openbsd by Openbsd
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, privilege escalation, or persistent backdoor installation.
Likely Case
System crash or denial of service affecting NFS functionality, potentially disrupting file sharing services.
If Mitigated
Limited impact if NFS services are disabled or properly firewalled, with only local exploitation possible.
🎯 Exploit Status
Double free vulnerabilities typically require specific memory manipulation, but NFS protocol handling makes remote exploitation feasible. No public exploits confirmed at this time.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: OpenBSD 7.5 errata 008, OpenBSD 7.4 errata 021
Vendor Advisory: https://ftp.openbsd.org/pub/OpenBSD/patches/
Restart Required: Yes
Instructions:
1. Download the appropriate patch from OpenBSD's errata page. 2. Apply the patch using syspatch. 3. Reboot the system to load the patched kernel.
🔧 Temporary Workarounds
Disable NFS services
allTemporarily disable NFS client and server to eliminate attack surface
rcctl stop portmap
rcctl stop nfsd
rcctl disable nfsd
rcctl disable portmap
Restrict NFS network access
allUse firewall rules to limit NFS access to trusted networks only
pfctl -t nfs_trusted -T add 192.168.1.0/24
echo 'block in proto tcp from any to any port 111,2049' >> /etc/pf.conf
echo 'pass in proto tcp from <nfs_trusted> to any port 111,2049' >> /etc/pf.conf
pfctl -f /etc/pf.conf
🧯 If You Can't Patch
- Disable NFS services completely if not required
- Implement strict network segmentation and firewall rules to isolate NFS traffic
🔍 How to Verify
Check if Vulnerable:
Check OpenBSD version and errata level: sysctl kern.versionCheck Version:
sysctl kern.versionVerify Fix Applied:
Verify errata is applied: syspatch -l | grep -E '008|021'📡 Detection & Monitoring
Log Indicators:
- Kernel panic messages related to mbuf or NFS
- Unexpected NFS connection attempts from unknown sources
- Multiple NFS request failures
Network Indicators:
- Unusual NFS traffic patterns
- Connection attempts to NFS ports from unexpected sources
SIEM Query:
source="openbsd" AND ("panic" OR "mbuf" OR "double free") OR dest_port IN (111, 2049) AND src_ip NOT IN (trusted_networks)