CVE-2024-54159
📋 TL;DR
CVE-2024-54159 is a local privilege escalation vulnerability in stalld (Starving CPUs and Latency Daemon) that allows local users to overwrite arbitrary files via a symlink attack targeting /tmp/rtthrottle. This affects systems running stalld versions up to 1.19.7 where local users can create symlinks in /tmp.
💻 Affected Systems
- stalld (Starving CPUs and Latency Daemon)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Local attacker could overwrite critical system files (like /etc/passwd, /etc/shadow) leading to system compromise, privilege escalation, or permanent denial of service.
Likely Case
Local user causes denial of service by overwriting configuration files or creates persistence mechanisms through file manipulation.
If Mitigated
Minimal impact if proper file permissions and /tmp hardening are in place, limiting damage to non-critical files.
🎯 Exploit Status
Exploit requires local user access and ability to create symlinks in /tmp. Proof of concept details are publicly available in security advisories.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.19.8 and later
Vendor Advisory: https://security.opensuse.org/2024/11/29/stalld-fixed-tmp-file.html
Restart Required: Yes
Instructions:
1. Update stalld to version 1.19.8 or later using your package manager.
2. Restart the stalld service.
3. Verify the fix by checking the version and ensuring /tmp/rtthrottle symlink attacks are prevented.
🔧 Temporary Workarounds
Secure /tmp directory
Harden /tmp directory permissions to prevent symlink attacks (Linux):
chmod 1777 /tmp
mount -o remount,noexec,nosuid,nodev /tmp
Remove stalld if not needed
Uninstall stalld if the service is not required (Linux; after stopping the service, use the remove command for your distribution's package manager):
systemctl stop stalld
apt remove stalld
yum remove stalld
zypper remove stalld
🧯 If You Can't Patch
- Restrict local user access to systems running stalld
- Implement strict file permissions and monitoring on /tmp directory
🔍 How to Verify
Check if Vulnerable:
Check the stalld version: stalld --version. If the version is 1.19.7 or earlier, the system is vulnerable.
Check Version:
stalld --version
Verify Fix Applied:
After updating, verify version is 1.19.8 or later and test that symlink creation in /tmp doesn't allow file overwrite by stalld.
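The version and symlink checks above can be scripted. The following is an added example, not taken from the vendor advisory or the stalld project; it assumes `stalld --version` prints a dotted version number (the exact output format is not shown on this page), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): local exposure check for CVE-2024-54159.
FIXED_VERSION="1.19.8"   # first fixed release according to this page

# extract_version TEXT: print the first dotted number found in TEXT.
# Assumption: `stalld --version` prints one; the exact format is not on the page.
extract_version() {
    printf '%s\n' "$1" | grep -Eo '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_lt A B: succeed when dotted version A is numerically older than B.
version_lt() {
    va=$1; vb=$2
    while [ -n "$va" ] || [ -n "$vb" ]; do
        pa=${va%%.*}; pb=${vb%%.*}
        [ "${pa:-0}" -lt "${pb:-0}" ] && return 0
        [ "${pa:-0}" -gt "${pb:-0}" ] && return 1
        va=${va#"$pa"}; va=${va#.}
        vb=${vb#"$pb"}; vb=${vb#.}
    done
    return 1
}

# path_status PATH: classify the throttle file as symlink, present or absent.
path_status() {
    if [ -L "$1" ]; then echo symlink
    elif [ -e "$1" ]; then echo present
    else echo absent
    fi
}

# audit [PATH]: print findings; returns 1 when something needs attention.
audit() {
    target=${1:-/tmp/rtthrottle}; rc=0
    ver=$(command -v stalld >/dev/null 2>&1 && extract_version "$(stalld --version 2>&1)")
    if [ -z "$ver" ]; then echo "INFO: stalld version not detected"
    elif version_lt "$ver" "$FIXED_VERSION"; then
        echo "VULNERABLE: stalld $ver is older than $FIXED_VERSION"; rc=1
    else echo "OK: stalld $ver"
    fi
    if [ "$(path_status "$target")" = symlink ]; then
        echo "ALERT: $target is a symlink to $(readlink "$target")"; rc=1
    fi
    [ -k /tmp ] || { echo "WARN: /tmp lacks the sticky bit"; rc=1; }
    return "$rc"
}

# Run the audit only when invoked as: sh check.sh run
if [ "${1:-}" = run ]; then audit; exit $?; fi
```

Run it with the argument `run`; an exit status of 1 means at least one finding was printed.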
📡 Detection & Monitoring
Log Indicators:
- Failed file operations in /tmp directory
- Unexpected stalld process behavior
- Symlink creation attempts in /tmp
Network Indicators:
- None - this is a local attack
SIEM Query:
Process creation where parent process is stalld AND file operations in /tmp directory