CVE-2024-42018

An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC configuration. Because these parameters are needed for initialization, there is no available mechanism to ensure access control on the management node, and a mitigation measure is normally put in place to prevent access to unprivileged users. It was discovered that this mitigation measure does not survive a reboot of diskful nodes. (Diskless nodes are not at risk.) The mistake lies in the cloudinit configuration: the iptables configuration should have been in the bootcmd instead of the runcmd section.

CVSS v3 7.7 HIGH

7.7^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.1 / Impact : 4.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://eviden.com
https://support.bull.com/ols/product/security/psirt/security-bulletins/misconfiguration-of-smc-xscale-leads-to-sensitive-data-exposure-psirt-1369-tlp-clear-version-2-6-cve-2024-42018/view

Configurations

No configuration.

History

No history.

Information

Published : 2024-10-11 17:15

Updated : 2024-11-06 20:35

NVD link : CVE-2024-42018

Mitre link : CVE-2024-42018

CVE.ORG link : CVE-2024-42018

JSON object : View

Products Affected

No product.

CWE

CWE-922

Insecure Storage of Sensitive Information

{"id": "CVE-2024-42018", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 4.0, "exploitabilityScore": 3.1}]}, "published": "2024-10-11T17:15:03.573", "references": [{"url": "https://eviden.com", "source": "cve@mitre.org"}, {"url": "https://support.bull.com/ols/product/security/psirt/security-bulletins/misconfiguration-of-smc-xscale-leads-to-sensitive-data-exposure-psirt-1369-tlp-clear-version-2-6-cve-2024-42018/view", "source": "cve@mitre.org"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-922"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in Atos Eviden SMC xScale before 1.6.6. During initialization of nodes, some configuration parameters are retrieved from management nodes. These parameters embed credentials whose integrity and confidentiality may be important to the security of the HPC configuration. Because these parameters are needed for initialization, there is no available mechanism to ensure access control on the management node, and a mitigation measure is normally put in place to prevent access to unprivileged users. It was discovered that this mitigation measure does not survive a reboot of diskful nodes. (Diskless nodes are not at risk.) The mistake lies in the cloudinit configuration: the iptables configuration should have been in the bootcmd instead of the runcmd section."}, {"lang": "es", "value": "Se descubri\u00f3 un problema en Atos Eviden SMC xScale antes de la versi\u00f3n 1.6.6. Durante la inicializaci\u00f3n de los nodos, se recuperan algunos par\u00e1metros de configuraci\u00f3n de los nodos de administraci\u00f3n. Estos par\u00e1metros incorporan credenciales cuya integridad y confidencialidad pueden ser importantes para la seguridad de la configuraci\u00f3n de HPC. Debido a que estos par\u00e1metros son necesarios para la inicializaci\u00f3n, no hay ning\u00fan mecanismo disponible para garantizar el control de acceso en el nodo de administraci\u00f3n y normalmente se implementa una medida de mitigaci\u00f3n para evitar el acceso a usuarios sin privilegios. Se descubri\u00f3 que esta medida de mitigaci\u00f3n no sobrevive al reinicio de nodos con disco lleno. (Los nodos sin disco no corren riesgo). El error se encuentra en la configuraci\u00f3n de cloudinit: la configuraci\u00f3n de iptables deber\u00eda haber estado en la secci\u00f3n bootcmd en lugar de la secci\u00f3n runcmd."}], "lastModified": "2024-11-06T20:35:23.377", "sourceIdentifier": "cve@mitre.org"}