CVE-2024-48911

7.8 HIGH

📋 TL;DR

OpenCanary versions before 0.9.4 have a privilege escalation vulnerability where an unprivileged user can modify the configuration file, which is then executed with root privileges when the daemon starts. This allows local attackers to execute arbitrary commands as root. Only systems running OpenCanary with the daemon started by root are affected.

💻 Affected Systems

Products:
  • OpenCanary
Versions: All versions before 0.9.4
Operating Systems: Linux, Unix-like systems
Default Config Vulnerable: ⚠️ Yes
Notes: Only vulnerable when OpenCanary daemon runs as root and config file is in an unprivileged user directory.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full root compromise of the system, allowing complete control, data theft, and lateral movement.

🟠 Likely Case

Local privilege escalation to root, enabling installation of backdoors, persistence mechanisms, or further attacks.

🟢 If Mitigated

No impact if proper file permissions prevent unprivileged users from modifying the config file.

🌐 Internet-Facing: LOW - This is a local privilege escalation requiring existing user access.
🏢 Internal Only: HIGH - Any local user with access to the OpenCanary config directory can exploit this.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires local user access and the ability to modify the config file; given those, the vulnerability is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.9.4

Vendor Advisory: https://github.com/thinkst/opencanary/security/advisories/GHSA-pf5v-pqfv-x8jj

Restart Required: Yes

Instructions:

1. Stop the OpenCanary service.
2. Update to version 0.9.4 via pip: 'pip install --upgrade opencanary==0.9.4'.
3. Restart the OpenCanary service.

🔧 Temporary Workarounds

Secure config file permissions (Linux)

Set strict permissions on the OpenCanary config file so that unprivileged users cannot modify it.

chmod 600 /path/to/opencanary.conf
chown root:root /path/to/opencanary.conf

Run OpenCanary as a non-root user (Linux)

Configure OpenCanary to run as a dedicated non-root user with minimal privileges. The commands below only create the account and hand it the config directory; the service unit or launcher that starts the daemon must also be changed to run it as that user, and a non-root daemon cannot bind ports below 1024 without additional capabilities.

useradd -r -s /bin/false opencanary
chown -R opencanary:opencanary /etc/opencanary/

🧯 If You Can't Patch

  • Move config file to root-owned directory with strict permissions (e.g., /etc/opencanary/).
  • Monitor config file for unauthorized changes using file integrity monitoring tools.

🔍 How to Verify

Check if Vulnerable:

Check OpenCanary version: 'opencanaryd --version' or 'pip show opencanary'. If version is below 0.9.4, system is vulnerable.

Check Version:

opencanaryd --version || pip show opencanary | grep Version

Verify Fix Applied:

Confirm version is 0.9.4 or higher: 'opencanaryd --version' should show 0.9.4+. Verify config file permissions: 'ls -la /path/to/opencanary.conf' should show root ownership and 600 permissions.
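The following script is an added example, not part of this advisory and not code from the OpenCanary project. It automates the two verification steps above: it compares the installed version (as reported by 'pip show opencanary') against 0.9.4, and it checks that the config file is root-owned with no group/other permission bits. It assumes pip is the installer, that stat(1) accepts GNU-style '-c', and that the config lives at /etc/opencanary/opencanary.conf unless another path is given (that default path is an assumption, not stated by the advisory).

```shell
#!/bin/sh
# Added example (not from the advisory or the OpenCanary project): a local
# check for CVE-2024-48911 covering the installed version and the config
# file's ownership and mode. Assumes pip and GNU-style stat -c.

FIXED_VERSION="0.9.4"   # first fixed release, per the advisory

# version_lt A B: exit 0 when A is strictly lower than B, comparing the
# dot-separated numeric components. A leading "v" and any pre-release suffix
# (e.g. "rc1") are dropped before comparison; missing components count as 0.
version_lt() {
    a=$(printf '%s' "$1" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//').
    b=$(printf '%s' "$2" | sed -e 's/^[^0-9]*//' -e 's/[^0-9.].*//').
    i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1        # all components equal
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
        i=$((i + 1))
    done
}

# check_config_perms PATH [OWNER]: exit 0 when PATH exists, is owned by OWNER
# (default root) and has no group/other permission bits (mode 600 or 400).
# Exit 1 on a bad owner or mode, 2 when the file is missing; prints the reason.
check_config_perms() {
    path=$1
    want_owner=${2:-root}
    if [ ! -f "$path" ]; then
        echo "config not found: $path"
        return 2
    fi
    owner=$(stat -c '%U' "$path")
    mode=$(stat -c '%a' "$path")
    rc=0
    if [ "$owner" != "$want_owner" ]; then
        echo "owner is $owner, expected $want_owner: $path"
        rc=1
    fi
    # The last two octal digits are the group and other bits; anything other
    # than 00 (e.g. 644 or 666) lets another account read or change the file.
    case "$mode" in
        *00) ;;
        *)  echo "mode is $mode, expected 600: $path"; rc=1 ;;
    esac
    return $rc
}

# main [CONFIG_PATH]: run both checks; exit 0 only when neither finds a problem.
main() {
    conf=${1:-/etc/opencanary/opencanary.conf}   # assumed default location
    ver=$(pip show opencanary 2>/dev/null | awk '/^Version:/ {print $2}')
    status=0
    if [ -z "$ver" ]; then
        echo "opencanary not found via pip; check the version by hand"
        status=1
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "installed $ver is below $FIXED_VERSION: VULNERABLE (CVE-2024-48911)"
        status=1
    else
        echo "installed $ver is at or above $FIXED_VERSION: fixed"
    fi
    check_config_perms "$conf" root || status=1
    return $status
}

# Runs only when a config path is given, e.g.:
#   sh check_opencanary.sh /etc/opencanary/opencanary.conf
if [ $# -gt 0 ]; then
    main "$1"
fi
```

A non-zero exit from main means at least one of the two conditions from the advisory still holds; the version check alone is not sufficient, because a 0.9.4 install whose config file is still world-writable leaves the underlying weakness in place for any future regression.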

📡 Detection & Monitoring

Log Indicators:

  • Unexpected changes to OpenCanary config file in system logs
  • OpenCanary process spawning unexpected child processes
  • Authentication logs showing privilege escalation attempts

Network Indicators:

  • Unusual outbound connections from OpenCanary host
  • Traffic patterns inconsistent with the honeypot's expected behavior

SIEM Query:

source="*opencanary*" AND (event_type="config_change" OR process_name="sudo" OR user="root")
