CVE-2024-6760
📋 TL;DR
CVE-2024-6760 allows unprivileged local users to trace setuid programs because of a logic bug in the kernel's tracing code. A tracer can inspect the program's behavior and potentially read sensitive files such as password databases. It affects FreeBSD systems with ktrace enabled. The bug bypasses the security restriction that is meant to prevent tracing of privileged programs.
💻 Affected Systems
- FreeBSD
- NetApp products using FreeBSD
📦 What is this software?
FreeBSD by FreeBSD
⚠️ Risk & Real-World Impact
Worst Case
Unprivileged local users could read sensitive system files like /etc/master.passwd, /etc/shadow, or other protected files, potentially leading to privilege escalation or credential theft.
Likely Case
Local attackers could trace setuid programs to gather sensitive information about system operations or user activities, potentially accessing restricted data.
If Mitigated
With ktrace disabled or proper access controls, the vulnerability has minimal impact as the tracing mechanism is not available.
🎯 Exploit Status
Exploitation requires local user access and knowledge of ktrace usage. The vulnerability is in the kernel's handling of setuid program tracing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: FreeBSD 13.2-RELEASE p6, FreeBSD 13.3-RELEASE p2, FreeBSD 14.0-RELEASE p3, FreeBSD 14.1-RELEASE p1
Vendor Advisory: https://security.freebsd.org/advisories/FreeBSD-SA-24:06.ktrace.asc
Restart Required: Yes
Instructions:
1. Update FreeBSD using freebsd-update fetch && freebsd-update install.
2. Reboot the system.
3. Verify the patch is applied with uname -a.
🔧 Temporary Workarounds
Disable ktrace
FreeBSD: Disable kernel tracing functionality to prevent exploitation
sysctl kern.ktrace_request_pool=0
🧯 If You Can't Patch
- Disable ktrace using sysctl kern.ktrace_request_pool=0
- Restrict user access to systems and monitor for unauthorized tracing activities
🔍 How to Verify
Check if Vulnerable:
Check FreeBSD version with uname -a and verify if ktrace is enabled with sysctl kern.ktrace_request_pool
Check Version:
uname -a
Verify Fix Applied:
Verify that the FreeBSD version is at or above the patched level (13.2-RELEASE p6+, 13.3-RELEASE p2+, 14.0-RELEASE p3+, 14.1-RELEASE p1+) and test ktrace functionality on setuid programs
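A small check script, added here as an example and not part of the advisory, that compares a kernel version string in the form printed by freebsd-version -k or uname -r (for example 14.0-RELEASE-p3) against the patch levels listed above. It assumes the -pN suffix convention of FreeBSD release branches; -STABLE and -CURRENT kernels and branches not named in the advisory are reported as "not covered" rather than as patched.

```shell
#!/bin/sh
# Added example (not from the advisory): is this FreeBSD kernel version at or
# past the patch level that fixes CVE-2024-6760?
# Input form: "13.2-RELEASE-p6" as printed by `freebsd-version -k` / `uname -r`.

# Minimum patched level per release branch, taken from the fix list above.
min_patch_for_branch() {
    case "$1" in
        13.2) echo 6 ;;
        13.3) echo 2 ;;
        14.0) echo 3 ;;
        14.1) echo 1 ;;
        *)    echo "" ;;   # branch not listed in the advisory
    esac
}

# is_patched VERSION
#   returns 0 = patched, 1 = vulnerable, 2 = not covered by these patch levels
is_patched() {
    ver="$1"
    branch="${ver%%-*}"        # "13.2"
    rest="${ver#*-}"           # "RELEASE-p6", "RELEASE", "STABLE", ...
    case "$rest" in
        RELEASE-p*) patch="${rest#RELEASE-p}" ;;
        RELEASE)    patch=0 ;;              # base release, no patch level yet
        *)          return 2 ;;             # -STABLE / -CURRENT: not a release branch
    esac
    min="$(min_patch_for_branch "$branch")"
    [ -n "$min" ] || return 2
    [ "$patch" -ge "$min" ] && return 0
    return 1
}

# Check the live kernel when run on FreeBSD (freebsd-version is FreeBSD-only).
if command -v freebsd-version >/dev/null 2>&1; then
    v="$(freebsd-version -k)"
    rc=0; is_patched "$v" || rc=$?
    case "$rc" in
        0) echo "$v: patched for CVE-2024-6760" ;;
        1) echo "$v: NOT patched for CVE-2024-6760" ;;
        *) echo "$v: not a release branch covered by the advisory" ;;
    esac
fi
```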
📡 Detection & Monitoring
Log Indicators:
- Unusual ktrace activity on setuid programs
- Failed attempts to trace privileged processes
Network Indicators:
- None - this is a local vulnerability
SIEM Query:
process.name:ktrace AND process.parent.name:setuid_program