CVE-2024-41184

9.8 CRITICAL

📋 TL;DR

CVE-2024-41184 is an integer overflow in vrrp_ipsets_handler, the routine in keepalived's configuration parser (global_parser.c, written as fglobal_parser.c in the CVE text) that processes the global vrrp_ipsets option. It affects keepalived through version 2.3.1 and is reached only when the configuration names an empty ipset (an empty quoted string), so the trigger is a misconfiguration of the local configuration file, not anything carried in VRRP traffic. The reported consequences are a crash of the daemon (denial of service) or, in the worst case, memory corruption that could lead to code execution in the keepalived process.

💻 Affected Systems

Products:
  • keepalived
Versions: through 2.3.1
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if users configure empty ipset names in keepalived configuration

⚠️ Manual Verification Required

Our database holds no machine-readable version range for this CVE, so automated detection cannot decide whether your system is affected. The advisory text only says "through 2.3.1", so treat every keepalived release before 2.3.2 as affected and confirm by hand.

Why? The CVE database entry provides no version ranges from the vendor or NVD, only the descriptive text.


Recommended Actions:
  1. Review the CVE details at NVD and the vendor issue linked below
  2. Check your distribution's security advisories for the package version you run
  3. Check the configuration for an empty vrrp_ipsets name; without one the vulnerable code path is never reached
  4. Update to 2.3.2 or later as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Memory corruption while keepalived parses its configuration. The daemon runs as root, so code execution in its context would mean full compromise of the host; reaching the bug, however, already requires the ability to write keepalived's configuration file, which is itself a root-level capability.

🟠

Likely Case

Denial of service: keepalived crashes while parsing the malformed configuration, so the daemon fails to start or reload and the node stops sending VRRP advertisements, losing high-availability failover.

🟢

If Mitigated

No impact: the overflow sits on a code path that runs only for an empty ipset name, so a configuration without one never reaches it.

🌐 Internet-Facing: MEDIUM - Network exposure does not change reachability; the bug is in the local configuration parser, not in VRRP packet handling, so an internet-facing node is affected only if its configuration is also misconfigured
🏢 Internal Only: MEDIUM - Same technical risk, since the trigger is the local configuration file in both cases

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No (the trigger is the local configuration file, which only a privileged user can edit)
Complexity: MEDIUM

Exploitation requires placing an empty ipset name in keepalived's configuration, a root-owned file; an attacker who can write it already controls the daemon. Turning the overflow into code execution rather than a crash would additionally require an understanding of keepalived's internal structures and memory layout. No public proof of concept is known.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.3.2 or later

Vendor Advisory: https://github.com/acassen/keepalived/issues/2447

Restart Required: Yes

Instructions:

1. Check the current keepalived version: keepalived --version 2>&1 | head -1 (the version banner may be printed on stderr, so merge the streams)
2. Update using the package manager: apt update && apt install --only-upgrade keepalived (Debian/Ubuntu) or dnf upgrade keepalived (RHEL/CentOS; yum on older releases)
3. Verify the version: keepalived --version 2>&1 | head -1. Distributions sometimes backport a fix without bumping the upstream version; if the package reports a version below 2.3.2, check its changelog for a reference to CVE-2024-41184 before concluding it is unpatched
4. Restart keepalived so the patched binary is the one running: systemctl restart keepalived (on a production pair, restart the BACKUP node first and confirm failover before touching the MASTER)

🔧 Temporary Workarounds

Remove empty ipset names from the configuration

Linux

Audit /etc/keepalived/keepalived.conf, and every file pulled in through an include directive, for a vrrp_ipsets line whose set names include an empty quoted string, then delete or correct that entry (either give each set a real name or drop the option so keepalived uses its default set names):

grep -n -i 'vrrp_ipsets' /etc/keepalived/keepalived.conf
Review each match for an empty name ("") and remove or fix it; a vrrp_ipsets line with no empty name does not reach the vulnerable code

🧯 If You Can't Patch

  • Audit every keepalived configuration, including files pulled in by include directives, for empty vrrp_ipsets names, and reject such changes in configuration review
  • Restrict write access to /etc/keepalived and its include files to root, since the bug is reachable only through the configuration file; network segmentation does not reduce exposure to this issue, although it remains good practice for VRRP in general
  • Validate configuration changes with keepalived's configuration test mode (-t) on a staging host before reloading production; it uses the same parser, so a crash there reveals the bad configuration without taking down the live daemon

🔍 How to Verify

Check if Vulnerable:

Check the installed version and review the configuration for empty ipset names. An installation is affected only when both conditions hold: the version predates 2.3.2 (any release up to and including 2.3.1, not only 2.3.0 and 2.3.1) and the configuration contains an empty vrrp_ipsets name. Any output from the following command means both conditions hold:

v=$(keepalived --version 2>&1 | head -1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+'); [ "$(printf '%s\n' "$v" 2.3.2 | sort -V | head -1)" != 2.3.2 ] && grep -Ein '^[[:space:]]*vrrp_ipsets[[:space:]].*""' /etc/keepalived/keepalived.conf

Check Version:

keepalived --version 2>&1 | head -1

Verify Fix Applied:

Verify the version is 2.3.2 or later. Comparing with sort -V handles 2.3.10 and 3.x correctly, which a regex such as 2\.3\.[2-9] does not:

v=$(keepalived --version 2>&1 | head -1 | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+'); [ "$(printf '%s\n' "$v" 2.3.2 | sort -V | head -1)" = 2.3.2 ] && echo "fixed ($v)"
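The following script is an added example for this page, not code from the keepalived project or from the CVE advisory. It ties the configuration audit from the workaround and the version checks above into one runnable check: keepalived_is_fixed compares a version string against 2.3.2 with GNU sort -V (so 2.3.10 and 3.0.0 compare correctly), parse_keepalived_version pulls the x.y.z number out of the "Keepalived vX.Y.Z (...)" banner, and config_has_empty_ipset reports whether any uncommented vrrp_ipsets line in the given files carries an empty quoted set name. The config path /etc/keepalived/keepalived.conf and the --host flag are this script's own conventions; files pulled in through include directives are not followed automatically and must be passed on the command line.

```sh
#!/bin/sh
# Added example (not keepalived project code): check whether a host runs a
# keepalived build that predates the 2.3.2 fix for CVE-2024-41184 and whether
# its configuration contains the empty vrrp_ipsets name that reaches the
# overflow in vrrp_ipsets_handler.
# Assumptions: GNU sort (for -V), the banner format "Keepalived vX.Y.Z (...)",
# and the default config path /etc/keepalived/keepalived.conf.

# keepalived_is_fixed VERSION: exit 0 when VERSION is 2.3.2 or later.
# sort -V orders version strings numerically, so 2.3.10 and 3.0.0 sort after
# 2.3.2; a regex such as '2\.3\.[2-9]' would miss both.
keepalived_is_fixed() {
    lowest=$(printf '%s\n%s\n' "$1" 2.3.2 | sort -V | head -n 1)
    [ "$lowest" = "2.3.2" ]
}

# parse_keepalived_version BANNER: print x.y.z from a banner such as
# "Keepalived v2.3.1 (04/23,2024)", or nothing if no version is present.
parse_keepalived_version() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Keepalived v\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# config_has_empty_ipset FILE...: exit 0 when any uncommented vrrp_ipsets
# line in the files carries an empty quoted set name (""). keepalived treats
# lines starting with # or ! as comments, so those are dropped first.
config_has_empty_ipset() {
    cat "$@" 2>/dev/null \
        | grep -Ev '^[[:space:]]*[#!]' \
        | grep -Eq '^[[:space:]]*vrrp_ipsets[[:space:]].*""'
}

# check_host: query the local keepalived and its default config file. Prints
# one line per check; returns 1 when the build predates the fix or the
# configuration carries an empty set name, 0 otherwise.
check_host() {
    status=0
    ver=$(parse_keepalived_version "$(keepalived --version 2>&1)")
    if [ -z "$ver" ]; then
        echo "version: keepalived not found or banner not recognised"
    elif keepalived_is_fixed "$ver"; then
        echo "version: $ver (2.3.2 or later, fixed)"
    else
        echo "version: $ver (predates the 2.3.2 fix)"
        status=1
    fi
    if config_has_empty_ipset /etc/keepalived/keepalived.conf; then
        echo "config: empty vrrp_ipsets name present (vulnerable code path reachable)"
        status=1
    else
        echo "config: no empty vrrp_ipsets names in keepalived.conf"
    fi
    return "$status"
}

# Only touch the live host when asked, so the functions can also be sourced
# and run offline against copied configuration files.
if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

Run it as sh check_cve_2024_41184.sh --host on each node, or source it and call config_has_empty_ipset on configuration files collected from a fleet. A hit from config_has_empty_ipset on a pre-2.3.2 build is the vulnerable condition; the same hit on 2.3.2 or later is still a configuration error worth correcting.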

📡 Detection & Monitoring

Log Indicators:

  • Segmentation fault or crash entries for the keepalived process (kernel "segfault at ..." lines, or systemd reporting the unit exited on SIGSEGV or SIGABRT)
  • keepalived failing to start or reload immediately after a configuration change, or repeated restarts under a restart policy

Network Indicators:

  • Loss of VRRP advertisements (IP protocol 112, multicast to 224.0.0.18 or unicast peers) from the affected node, typically followed by a BACKUP peer taking over the virtual IP
  • No inbound traffic pattern precedes this bug: it is triggered by configuration parsing, not by received packets, so network telemetry shows only the failover symptom

SIEM Query:

process.name:"keepalived" AND (event.action:"segmentation_fault" OR event.action:"crash")

Field names depend on your log pipeline; the query above assumes ECS-style fields. On the host itself the equivalent is a search of the systemd journal for the keepalived unit exiting on SIGSEGV, or of the kernel log for a segfault line naming keepalived.
