CVE-2024-27060
📋 TL;DR
A NULL pointer dereference vulnerability in the Linux kernel's Thunderbolt subsystem allows local attackers to cause a kernel panic (denial of service) when connecting certain Thunderbolt 1 devices. This affects systems with Thunderbolt support enabled in the kernel. The vulnerability occurs specifically when devices with only one lane adapter are connected.
💻 Affected Systems
- Linux kernel
📦 What is this software?
Linux Kernel by Linux
The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...
⚠️ Risk & Real-World Impact
Worst Case
Kernel panic leading to system crash and denial of service, potentially causing data loss or service disruption.
Likely Case
System crash when connecting Thunderbolt 1 devices with single lane adapters, requiring reboot to restore functionality.
If Mitigated
No impact if Thunderbolt is disabled or vulnerable kernel versions are not used.
🎯 Exploit Status
Exploitation requires physical access to connect a Thunderbolt device, or a local user with access to a Thunderbolt port. No authentication bypass is needed beyond that physical/local access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Patched in stable kernel versions via commits: 440fba897c5ae32d7df1f1d609dbb19e2bba7fbb, ce64ba1f6ec3439e4b4d880b4db99673f4507228, d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa
Vendor Advisory: https://git.kernel.org/stable/c/440fba897c5ae32d7df1f1d609dbb19e2bba7fbb
Restart Required: Yes
Instructions:
1. Update the Linux kernel to a patched version.
2. Check distribution-specific security advisories.
3. Reboot the system after the kernel update.
🔧 Temporary Workarounds
Disable Thunderbolt support
Linux: blacklist the thunderbolt kernel module so the vulnerable code is never loaded.
# Only works when thunderbolt is built as a module (not compiled into the kernel),
# and it disables all Thunderbolt/USB4 functionality on the host.
echo 'blacklist thunderbolt' >> /etc/modprobe.d/blacklist-thunderbolt.conf
# update-initramfs is Debian/Ubuntu; dracut-based distributions rebuild the initramfs with 'dracut -f'
update-initramfs -u
reboot
Restrict Thunderbolt device connections
Linux: use Thunderbolt security levels to restrict unauthorized device connections.
# 'authorized' is a per-device sysfs attribute: writing 1 authorizes that device
# (permits its PCIe tunnels); the device named 0-0 is the host router itself.
# The security level ('none', 'user', 'secure', ...) is reported read-only in
# /sys/bus/thunderbolt/devices/domain0/security and is configured in firmware/BIOS.
echo 1 > /sys/bus/thunderbolt/devices/0-0/authorized
🧯 If You Can't Patch
- Physically disable Thunderbolt ports if possible
- Implement strict physical access controls to prevent unauthorized Thunderbolt device connections
🔍 How to Verify
Check if Vulnerable:
Check the kernel version and whether the Thunderbolt module is loaded: lsmod | grep thunderbolt and uname -r
Check Version:
uname -r
Verify Fix Applied:
Verify that the running kernel version includes the fix commits listed above, then check Thunderbolt functionality with test devices.
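The following shell script is an added example and is not part of the advisory. It bundles the verification steps above and the state of the workarounds (kernel version, whether the thunderbolt module is loaded, whether the module blacklist is in place, and the reported Thunderbolt security level) into functions that take their input as arguments, so they can be checked against constructed sample output. The sysfs path for the domain security level, the lsmod output format and the modprobe.d location are assumptions about a standard Linux host.

```shell
#!/bin/sh
# Added example, not from the advisory: helpers for the "How to Verify" and
# workaround steps for CVE-2024-27060. Functions take their input as arguments
# so they can be exercised offline against constructed sample output.

# Return 0 if the given `lsmod` output lists the thunderbolt module.
tb_module_loaded() {
    printf '%s\n' "$1" | awk '$1 == "thunderbolt" { found = 1 } END { exit !found }'
}

# Return 0 if any *.conf in the given modprobe.d directory blacklists thunderbolt.
# Assumption: the workaround wrote a 'blacklist thunderbolt' line to such a file.
tb_blacklisted() {
    grep -qs '^[[:space:]]*blacklist[[:space:]][[:space:]]*thunderbolt[[:space:]]*$' "$1"/*.conf
}

# Print a one-line status for a live host. Paths are the standard locations;
# the security level attribute only exists when a Thunderbolt/USB4 domain is present.
tb_report() {
    kernel=$(uname -r)
    if tb_module_loaded "$(lsmod 2>/dev/null)"; then loaded=yes; else loaded=no; fi
    if tb_blacklisted /etc/modprobe.d; then blacklisted=yes; else blacklisted=no; fi
    level=$(cat /sys/bus/thunderbolt/devices/domain0/security 2>/dev/null || echo "n/a")
    printf 'kernel=%s thunderbolt_loaded=%s blacklisted=%s security_level=%s\n' \
        "$kernel" "$loaded" "$blacklisted" "$level"
}

# Run the live report only when asked, so sourcing this file for its functions
# has no side effects.
if [ "${1:-}" = "--live" ]; then
    tb_report
fi
```

Run it as `sh tb_check.sh --live`; a host whose report shows `thunderbolt_loaded=no blacklisted=yes` has the module workaround applied, while `thunderbolt_loaded=yes` on a kernel without the fix commits is the exposed state. The kernel version alone is not conclusive, since distributions backport fixes without changing the upstream version string, so cross-check it against the distribution advisory.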
📡 Detection & Monitoring
Log Indicators:
- Kernel panic logs mentioning 'NULL pointer dereference' in thunderbolt module
- System crash/reboot events after Thunderbolt device connection
Network Indicators:
- None - local vulnerability only
SIEM Query:
(source="kernel" AND "NULL pointer dereference" AND "thunderbolt") OR (source="system" AND event="crash" AND "Thunderbolt")
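As an added example that is not part of the advisory, the following shell function implements the first log indicator above on raw kernel log lines: it correlates a "NULL pointer dereference" BUG line with a stack frame tagged [thunderbolt] within a short window of following lines, which is how the kernel marks frames that live in a loadable module. The sample log lines are constructed for illustration and are not real captures; the function names and addresses in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the advisory: count kernel NULL-pointer oopses whose
# stack trace names the thunderbolt module, as the advisory's log indicator describes.
# The kernel tags module-resident frames with the module name in brackets, e.g.
# "some_function+0x1a/0x60 [thunderbolt]", so a NULL-dereference line followed
# within a few lines by such a frame is a strong match; a NULL dereference in some
# other module is not counted.

# Reads kernel log lines on stdin and prints the number of matching oopses.
# $1 = how many lines after the BUG line to look for a thunderbolt frame (default 25).
count_tb_null_derefs() {
    awk -v window="${1:-25}" '
        /NULL pointer dereference/ { remaining = window; next }
        remaining > 0 {
            remaining--
            if ($0 ~ /\[thunderbolt\]/) { hits++; remaining = 0 }
        }
        END { print hits + 0 }
    '
}

# Constructed sample: one oops inside thunderbolt, one unrelated oops in a
# made-up driver. Addresses and offsets are placeholders.
SAMPLE_LOG='Mar 10 09:12:01 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000020
Mar 10 09:12:01 host kernel: Oops: 0000 [#1] PREEMPT SMP NOPTI
Mar 10 09:12:01 host kernel: RIP: 0010:tb_port_update_credits+0x1a/0x60 [thunderbolt]
Mar 10 09:12:01 host kernel: Call Trace:
Mar 10 09:12:01 host kernel:  tb_switch_add+0x3b2/0x5a0 [thunderbolt]
Mar 10 09:12:01 host kernel:  tb_scan_port+0x2f1/0x4e0 [thunderbolt]
Mar 10 09:12:02 host kernel: ---[ end trace 0000000000000000 ]---
Mar 10 11:40:17 host kernel: BUG: kernel NULL pointer dereference, address: 0000000000000000
Mar 10 11:40:17 host kernel: RIP: 0010:example_probe+0x22/0x80 [example_driver]
Mar 10 11:40:17 host kernel: ---[ end trace 0000000000000000 ]---'

# Convenience wrapper that runs the detector over the constructed sample.
sample_count() {
    printf '%s\n' "$SAMPLE_LOG" | count_tb_null_derefs
}

if [ "${1:-}" = "--live" ]; then
    # A crash that forced a reboot ends up in the previous boot's kernel messages.
    journalctl -k -b -1 --no-pager | count_tb_null_derefs
fi
```

On a live host, `sh tb_oops.sh --live` scans the previous boot's kernel messages; a non-zero count after a Thunderbolt device was plugged in matches the advisory's indicator and is the event the SIEM query above is meant to catch. The window argument keeps the match tied to one oops: with a window of 1 the sample's thunderbolt frame falls outside it and nothing is counted, with a window of 2 it is found.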
🔗 References
- https://git.kernel.org/stable/c/440fba897c5ae32d7df1f1d609dbb19e2bba7fbb
- https://git.kernel.org/stable/c/ce64ba1f6ec3439e4b4d880b4db99673f4507228
- https://git.kernel.org/stable/c/d3d17e23d1a0d1f959b4fa55b35f1802d9c584fa