CVE-2024-34477
📋 TL;DR
CVE-2024-34477 is a local privilege escalation vulnerability in FOG Project's configureNFS function that allows authenticated local users to gain root privileges by mounting a malicious NFS share. The vulnerability exists due to insecure NFS mount options (no_root_squash) that enable execution of arbitrary code with elevated privileges. This affects all FOG Project deployments up to version 1.5.10.
💻 Affected Systems
- FOG Project
📦 What is this software?
Fogproject by Fogproject
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full root access to the FOG server, enabling complete system compromise, data theft, and persistence establishment.
Likely Case
Privileged local user escalates to root to install backdoors, modify system configurations, or access sensitive data.
If Mitigated
Attack requires local access and specific conditions; impact limited if proper access controls and monitoring are in place.
🎯 Exploit Status
Exploit requires local access, ability to mount NFS shares, and setting SUID bit on crafted executable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.11 or later
Vendor Advisory: https://forums.fogproject.org/topic/17486/fog-1-5-10-and-earlier-nfs-privilege-escalation-vulnerability
Restart Required: No
Instructions:
1. Update FOG Project to version 1.5.11 or later.
2. Run the FOG installer to apply fixes.
3. Verify NFS configuration no longer uses insecure options.
🔧 Temporary Workarounds
Disable NFS mounting for non-root users
Linux: Prevent local users from mounting NFS shares by restricting mount permissions.
chmod 700 /bin/mount
chmod 700 /sbin/mount.nfs
Remove SUID binaries from NFS shares
Linux: Audit and remove any SUID binaries on NFS-mounted directories.
find /path/to/nfs/mount -type f -perm -4000 -exec chmod u-s {} \;
🧯 If You Can't Patch
- Restrict local user access to FOG server to only trusted administrators.
- Implement strict monitoring of NFS mount operations and SUID binary creation.
🔍 How to Verify
Check if Vulnerable:
Check FOG version: cat /opt/fog/.fogsettings | grep version. If version <= 1.5.10, check NFS configuration in /etc/exports for 'no_root_squash' option.
Check Version:
cat /opt/fog/.fogsettings | grep 'fog_version'
Verify Fix Applied:
Verify FOG version is 1.5.11 or later and check that NFS exports no longer contain 'no_root_squash' or 'insecure' options.
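One way to script the export check described in the verification steps above. This is an added example, not FOG Project's code; the function name audit_exports and the sample export lines are constructed for illustration, and it assumes one export per line without backslash continuations.

```sh
#!/bin/sh
# Added example: report NFS exports that carry no_root_squash or insecure.
# Prints "LINE: PATH CLIENT OPTION" per finding; returns 1 if any were found.
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }          # skip comments and blank lines
        {
            path = $1
            for (i = 2; i <= NF; i++) {  # each field: client(opt1,opt2,...)
                client = $i; opts = ""
                p = index($i, "(")
                if (p > 0) {
                    client = substr($i, 1, p - 1)
                    opts = substr($i, p + 1)
                    sub(/\).*$/, "", opts)
                }
                if (client == "") client = "*"   # bare "(opts)" applies to any host
                n = split(opts, o, ",")
                for (j = 1; j <= n; j++)
                    # exact match, so insecure_locks is not reported as insecure
                    if (o[j] == "no_root_squash" || o[j] == "insecure") {
                        printf "%d: %s %s %s\n", NR, path, client, o[j]
                        found = 1
                    }
            }
        }
        END { exit (found ? 1 : 0) }
    ' "${1:-/etc/exports}"
}

# Constructed sample exports file (not copied from a real server).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
/images *(ro,sync,no_subtree_check,insecure_locks,no_root_squash,insecure,fsid=0)
/images/dev *(rw,async,no_subtree_check,no_root_squash,insecure,fsid=1)
/srv/safe 192.0.2.10(ro,sync,root_squash,insecure_locks)
EOF
audit_exports "$sample" || echo "risky export options present"
rm -f "$sample"
```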
📡 Detection & Monitoring
Log Indicators:
- Unusual NFS mount operations by non-root users
- Creation of SUID binaries in NFS-mounted directories
- Failed privilege escalation attempts in system logs
Network Indicators:
- Unexpected NFS traffic from client systems
- NFS mount requests from unauthorized IPs
SIEM Query:
source="systemd" AND "mount" AND "nfs" AND user!="root"
🔗 References
- https://blog.hackvens.fr/advisories/CVE-2024-34477-Fogproject.html
- https://forums.fogproject.org/topic/17486/fog-1-5-10-and-earlier-nfs-privilege-escalation-vulnerability
- https://github.com/FOGProject/fogproject/blob/a4bb1bf39ac53c3cbe623576915fbc3b5c80a00f/lib/common/functions.sh#L1360