CVE-2024-46695

4.4 MEDIUM

📋 TL;DR

A Linux kernel vulnerability allows root users on NFS clients to bypass security label restrictions on NFS filesystems exported with root squashing enabled. This affects systems using SELinux or Smack security modules with NFS exports configured with root squashing. The vulnerability enables unauthorized modification of file security contexts.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Specific affected versions not specified in CVE, but patches available for multiple stable branches
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Requires NFS filesystem with root squashing enabled and SELinux or Smack security modules. Not all Linux distributions or configurations are affected.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Root user on NFS client could modify security labels on protected files, potentially bypassing mandatory access controls and compromising system integrity.

🟠 Likely Case

Authorized root users on NFS clients could inadvertently or intentionally change security labels on files they shouldn't have access to modify.

🟢 If Mitigated

With proper network segmentation and NFS export restrictions, impact is limited to authorized administrative users within controlled environments.

🌐 Internet-Facing: LOW - NFS should not be exposed to the internet, and exploitation requires authenticated root access.
🏢 Internal Only: MEDIUM - Affects internal NFS deployments where root squashing is used to restrict root privileges from clients.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires root access on NFS client and specific NFS configuration. No public exploits known at this time.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Multiple stable kernel versions with commits: 2dbc4b7bac60b02cc6e70d05bf6a7dfd551f9dda, 459584258d47ec3cc6245a82e8a49c9d08eb8b57, 76a0e79bc84f466999fa501fce5bf7a07641b8a7, eebec98791d0137e455cc006411bb92a54250924, f71ec019257ba4f7ab198bd948c5902a207bad96

Vendor Advisory: https://git.kernel.org/stable/c/2dbc4b7bac60b02cc6e70d05bf6a7dfd551f9dda

Restart Required: Yes

Instructions:

1. Update Linux kernel to patched version from your distribution vendor.
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Disable root squashing on NFS exports

Remove root squashing from NFS exports to prevent the bypass condition, though this reduces security.

Edit /etc/exports and remove 'root_squash' option from affected exports

Restrict NFS access

Limit NFS access to trusted clients only and implement network segmentation.

Configure firewall rules to restrict NFS port access: iptables -A INPUT -p tcp --dport 2049 -s trusted_network -j ACCEPT

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate NFS traffic
  • Monitor NFS access logs for unauthorized security label changes

🔍 How to Verify

Check if Vulnerable:

Run uname -r to get the kernel version, then check whether the system uses NFS with root squashing (look for root_squash in /etc/exports) together with SELinux or Smack.
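
The configuration half of this check can be scripted on the NFS server. The following is an added example, not code from the advisory or the kernel project: it lists the export entries where root squashing is in effect and tests whether SELinux or Smack is among the active LSMs. The function names and the sample exports content are constructed for illustration.

```shell
#!/bin/sh
# Added example: which export entries have root squashing in effect?
# Assumes exports(5) syntax; quoted paths with spaces are not handled.

squashed_exports() {
    # Reads an exports file on stdin, prints "path client" per squashed entry.
    awk '
    function squashed(optlist,   n, o, k, root, all) {
        root = 1; all = 0                  # root_squash is the default
        n = split(optlist, o, ",")
        for (k = 1; k <= n; k++) {         # later options override earlier ones
            if (o[k] == "no_root_squash") root = 0
            else if (o[k] == "root_squash") root = 1
            else if (o[k] == "all_squash") all = 1
            else if (o[k] == "no_all_squash") all = 0
        }
        return root || all                 # all_squash maps root as well
    }
    { sub(/#.*/, "") }                                 # strip comments
    /\\$/ { sub(/\\$/, ""); buf = buf $0 " "; next }   # join continued lines
    { $0 = buf $0; buf = ""; dflt = "" }
    NF >= 2 {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^-/) { dflt = substr($i, 2); continue }  # -default,opts
            client = $i; opts = ""
            if (match($i, /\(.*\)$/)) {
                client = substr($i, 1, RSTART - 1)
                opts = substr($i, RSTART + 1, RLENGTH - 2)
            }
            if (client == "") client = "*"             # bare (opts) = any host
            if (squashed(dflt "," opts)) print $1, client
        }
    }'
}

lsm_in_scope() {
    # $1: comma-separated LSM list as found in /sys/kernel/security/lsm
    case ",$1," in
        *,selinux,*|*,smack,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample exports file (not from a real host).
SAMPLE_EXPORTS='/srv/home 10.0.0.0/24(rw,sync) admin.example(rw,no_root_squash)
/srv/scratch -rw,no_root_squash 10.0.1.5 10.0.1.6(root_squash)
/srv/pub *(ro,all_squash,no_root_squash) \
    backup.example(ro,no_root_squash)  # trailing comment'
printf '%s\n' "$SAMPLE_EXPORTS" | squashed_exports
```

On a real server, run `squashed_exports < /etc/exports` and `lsm_in_scope "$(cat /sys/kernel/security/lsm)"`. Because root_squash is the default, an entry counts as squashed even when the option is not written out.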

Check Version:

uname -r

Verify Fix Applied:

Run uname -r and confirm that the reported kernel version is one that contains the fix commits.

📡 Detection & Monitoring

Log Indicators:

  • Audit logs showing unexpected security label changes on NFS files
  • NFS server logs showing root user operations from clients

Network Indicators:

  • NFS traffic from unauthorized clients
  • Unexpected NFS mount operations

SIEM Query:

source="audit.log" AND (event_type="SECCOMP" OR event_type="MAC" OR event_type="SELINUX") AND action="setxattr" AND path="/nfs/*"
