CVE-2024-3049
📋 TL;DR
This vulnerability in the Booth cluster ticket manager allows an attacker to bypass HMAC validation by providing a specially crafted hash to gcry_md_get_algo_dlen(). This could enable unauthorized access or ticket manipulation in Booth server deployments. Systems running vulnerable versions of Booth are affected.
💻 Affected Systems
- Booth cluster ticket manager
📦 What is this software?
Booth by Clusterlabs
Enterprise Linux For Ibm Z Systems by Redhat
Enterprise Linux For Ibm Z Systems Eus by Redhat
Enterprise Linux For Power Little Endian Eus by Redhat
⚠️ Risk & Real-World Impact
Worst Case
An attacker could bypass authentication and gain unauthorized access to cluster management functions, potentially disrupting cluster operations or manipulating ticket assignments.
Likely Case
Unauthorized ticket validation leading to improper cluster node participation or resource allocation issues.
If Mitigated
With proper network segmentation and access controls, impact would be limited to the Booth service itself without broader cluster compromise.
🎯 Exploit Status
Exploitation requires an understanding of the Booth protocol and the ability to craft specific hash values that trigger the gcry_md_get_algo_dlen() flaw.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check specific Red Hat advisories for patched versions
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:3657
Restart Required: Yes
Instructions:
1. Identify affected Booth packages.
2. Apply updates via yum update booth* or dnf update booth*.
3. Restart Booth services.
4. Verify patch application.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to Booth server ports (default 9929/tcp) to only trusted cluster nodes.
iptables -A INPUT -p tcp --dport 9929 -s trusted_node_ip -j ACCEPT
iptables -A INPUT -p tcp --dport 9929 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Booth servers from untrusted networks
- Monitor Booth server logs for unusual authentication attempts or hash validation failures
🔍 How to Verify
Check if Vulnerable:
Check Booth package version: rpm -q booth or dpkg -l | grep booth
Check Version:
rpm -q booth --queryformat '%{VERSION}-%{RELEASE}\n'
Verify Fix Applied:
Verify updated package version and restart Booth service: systemctl restart boothd
📡 Detection & Monitoring
Log Indicators:
- Unusual HMAC validation failures in Booth logs
- Multiple authentication attempts from single source
- Invalid hash length errors
Network Indicators:
- Unusual traffic patterns to Booth port 9929
- Multiple connection attempts with varying hash payloads
SIEM Query:
source="booth.log" AND ("HMAC" OR "validation" OR "gcry_md") AND ("fail" OR "error" OR "invalid")
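For hosts whose Booth logs are not forwarded to a SIEM, the query above and the "multiple attempts from a single source" indicator can be applied locally. This is an added example, not part of the original advisory or of Booth itself; the log line layout, the "from <IPv4>" peer pattern, the threshold and the sample lines are all assumptions.

```python
import re
from collections import Counter

# Term groups copied from the SIEM query above; a line must hit both groups.
SUBJECT = ("hmac", "validation", "gcry_md")
OUTCOME = ("fail", "error", "invalid")
# Assumption: the peer address is logged as "from <IPv4>"; adapt to your format.
PEER_RE = re.compile(r"\bfrom (\d{1,3}(?:\.\d{1,3}){3})\b")


def matches_query(line):
    """Case-insensitive (HMAC|validation|gcry_md) AND (fail|error|invalid)."""
    low = line.lower()
    return any(t in low for t in SUBJECT) and any(t in low for t in OUTCOME)


def triage(lines, threshold=3):
    """Return (matching lines, {peer: count}) for peers at or above threshold."""
    hits = [line for line in lines if matches_query(line)]
    per_peer = Counter()
    for line in hits:
        m = PEER_RE.search(line)
        per_peer[m.group(1) if m else "unknown"] += 1
    noisy = {peer: n for peer, n in per_peer.items() if n >= threshold}
    return hits, noisy


# Constructed sample lines, not real Booth output; addresses are documentation ranges.
SAMPLE = [
    "May 02 10:00:01 node1 boothd: error: HMAC validation failed for packet from 192.0.2.10",
    "May 02 10:00:02 node1 boothd: error: HMAC validation failed for packet from 192.0.2.10",
    "May 02 10:00:03 node1 boothd: error: HMAC validation failed for packet from 192.0.2.10",
    # Benign: names HMAC but carries no failure term, so the query skips it.
    "May 02 10:00:04 node1 boothd: info: HMAC ok for ticket renewal from 198.51.100.7",
    # Has "invalid" but none of HMAC/validation/gcry_md, so the query misses it.
    "May 02 10:00:05 node1 boothd: warning: invalid hash length in packet from 203.0.113.5",
    # Matches the query but has no peer address; counted under "unknown".
    "May 02 10:00:06 node1 boothd: error: gcry_md setup error",
]

if __name__ == "__main__":
    hits, noisy = triage(SAMPLE)
    for line in hits:
        print(line)
    print("peers at or above threshold:", noisy)
```

The fifth sample line shows that a message reporting only an invalid hash length is not caught by the query as written; add a matching term for your actual log wording if you rely on that indicator.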
🔗 References
- https://access.redhat.com/errata/RHSA-2024:3657
- https://access.redhat.com/errata/RHSA-2024:3658
- https://access.redhat.com/errata/RHSA-2024:3659
- https://access.redhat.com/errata/RHSA-2024:3660
- https://access.redhat.com/errata/RHSA-2024:3661
- https://access.redhat.com/errata/RHSA-2024:4400
- https://access.redhat.com/errata/RHSA-2024:4411
- https://access.redhat.com/security/cve/CVE-2024-3049
- https://bugzilla.redhat.com/show_bug.cgi?id=2272082
- https://github.com/ClusterLabs/booth/pull/142
- https://lists.debian.org/debian-lts-announce/2024/09/msg00037.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ERCFM3HXFJKLEMMWU3CZLPKH5LZAEDAN/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/KPK5BHYOB7CFFRQAN55YV5LH44PWHMQD/