CVE-2024-41954
📋 TL;DR
CVE-2024-41954 is an information disclosure vulnerability in FOG Project where plaintext service account credentials are stored in a world-readable configuration file. Any local user on the host can read these credentials, potentially allowing them to create unauthorized web application accounts or perform other malicious actions. This affects all FOG Project installations with versions before 1.5.10.41.
💻 Affected Systems
- FOG Project
📦 What is this software?
Fogproject by Fogproject
⚠️ Risk & Real-World Impact
Worst Case
An attacker gains administrative access to the FOG web interface, creates persistent backdoor accounts, manipulates system configurations, and potentially compromises connected client systems through the imaging/cloning functionality.
Likely Case
Local privilege escalation where a low-privileged user reads credentials and gains unauthorized access to the FOG web application, potentially modifying system settings or accessing sensitive inventory data.
If Mitigated
Limited impact if file permissions are properly restricted and network access controls prevent unauthorized connections to the FOG service.
🎯 Exploit Status
Exploitation requires local access to read the file, but the attack is trivial once file access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.5.10.41
Vendor Advisory: https://github.com/FOGProject/fogproject/security/advisories/GHSA-pcqm-h8cx-282c
Restart Required: No
Instructions:
1. Backup current configuration.
2. Update FOG Project to version 1.5.10.41 or later using your package manager or from source.
3. Verify the .fogsettings file permissions are now restricted.
🔧 Temporary Workarounds
Restrict file permissions
Change permissions on the .fogsettings file to prevent world-readable access:
sudo chmod 600 /opt/fog/.fogsettings
sudo chown root:root /opt/fog/.fogsettings
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the FOG server locally
- Monitor for unauthorized access attempts to the .fogsettings file and FOG web interface
🔍 How to Verify
Check if Vulnerable:
Check if /opt/fog/.fogsettings exists and has world-readable permissions:
ls -la /opt/fog/.fogsettings
Check Version:
cat /opt/fog/version 2>/dev/null || fog --version 2>/dev/null || dpkg -l | grep fog
Verify Fix Applied:
Verify file permissions are restricted (should show -rw-------) and check FOG version is 1.5.10.41 or higher
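The three verification steps above, combined into one script as an added example (this is not FOG Project code and does not come from the vendor advisory). It assumes the paths given on this page, /opt/fog/.fogsettings and /opt/fog/version, and that the version file holds a dotted numeric string such as 1.5.10.41; the function names are chosen here for illustration. The mode string is read from ls -ld rather than tested with [ -r ], because [ -r ] is true for root on any file and would hide a world-readable setting.

```shell
#!/bin/sh
# Added example for CVE-2024-41954 (not FOG Project code).
# Assumptions: settings file and version file paths are those named in the
# advisory; the version string is dotted numeric. Override both as arguments.

FOG_SETTINGS_DEFAULT=/opt/fog/.fogsettings
FOG_VERSION_FILE_DEFAULT=/opt/fog/version
FOG_FIXED_VERSION=1.5.10.41

# Succeeds (exit 0) when the file exists and its "other" read bit is set.
# Character 8 of the ls -ld mode string is the other-read bit, e.g. -rw-r--r--.
fogsettings_world_readable() {
    f="${1:-$FOG_SETTINGS_DEFAULT}"
    [ -e "$f" ] || return 1
    other_read=$(ls -ld "$f" | cut -c8)
    [ "$other_read" = "r" ]
}

# Succeeds when dotted version $1 sorts strictly before dotted version $2.
# Non-digit characters (such as a leading "v") are stripped; missing trailing
# components count as 0, so 1.5.10 < 1.5.10.41.
version_lt() {
    a=$(printf '%s' "$1" | tr -cd '0-9.')
    b=$(printf '%s' "$2" | tr -cd '0-9.')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x="${a%%.*}"; y="${b%%.*}"
        if [ "$x" = "$a" ]; then a=""; else a="${a#*.}"; fi
        if [ "$y" = "$b" ]; then b=""; else b="${b#*.}"; fi
        x="${x:-0}"; y="${y:-0}"
        if [ "$x" -lt "$y" ]; then return 0; fi
        if [ "$x" -gt "$y" ]; then return 1; fi
    done
    return 1
}

# Succeeds when the given FOG version is below the fixed release.
fog_version_vulnerable() {
    version_lt "$1" "$FOG_FIXED_VERSION"
}

# Prints the first line of the version file (whitespace removed), or nothing.
# Always exits 0 so it is safe to use in a command substitution under set -e.
fog_installed_version() {
    vf="${1:-$FOG_VERSION_FILE_DEFAULT}"
    if [ -r "$vf" ]; then head -n 1 "$vf" | tr -d ' \t\r'; fi
    return 0
}

# Mirrors "Verify Fix Applied": succeeds only when the settings file is NOT
# world-readable AND the version is 1.5.10.41 or higher. Prints one line per
# check so the output can be kept as evidence.
fog_cve_2024_41954_fixed() {
    settings="${1:-$FOG_SETTINGS_DEFAULT}"
    ver="${2:-$(fog_installed_version)}"
    perm_ok=1; ver_ok=1
    if fogsettings_world_readable "$settings"; then
        echo "WARN  $settings is world-readable"
    else
        echo "OK    $settings is absent or not world-readable"
        perm_ok=0
    fi
    if [ -z "$ver" ]; then
        echo "INFO  FOG version unknown; check manually"
    elif fog_version_vulnerable "$ver"; then
        echo "WARN  FOG $ver is older than $FOG_FIXED_VERSION"
    else
        echo "OK    FOG $ver is $FOG_FIXED_VERSION or newer"
        ver_ok=0
    fi
    if [ "$perm_ok" -eq 0 ] && [ "$ver_ok" -eq 0 ]; then return 0; fi
    return 1
}

# Usage: sh fogcheck.sh --check [settings-file] [version]
if [ "${1:-}" = "--check" ]; then
    shift
    if fog_cve_2024_41954_fixed "$@"; then
        echo "RESULT fix verified"
    else
        echo "RESULT not fixed"
        exit 2
    fi
fi
```

Run it as `sudo sh fogcheck.sh --check` on the FOG server; a non-zero exit means at least one of the two conditions from this section still fails. The version comparison is field-by-field numeric, so 1.5.10 is correctly treated as older than 1.5.10.41 and 1.6 as newer.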
📡 Detection & Monitoring
Log Indicators:
- Failed authentication attempts to FOG web interface from unexpected users
- Unauthorized file access attempts to /opt/fog/.fogsettings
Network Indicators:
- Unusual connections to FOG web interface from internal hosts
- Multiple failed login attempts followed by successful logins from new accounts
SIEM Query:
source="fog.log" AND ("authentication failed" OR "new user created")