CVE-2024-2905: Incorrect Permission Assignment for Critical Resource
A security vulnerability has been discovered within rpm-ostree, pertaining to the /etc/shadow file in default builds having the world-readable bit enabled. This issue arises from the default permissions being set at a higher level than recommended, potentially exposing sensitive authentication data to unauthorized access.
AI Analysis
Technical Summary
CVE-2024-2905 identifies a security vulnerability in rpm-ostree version 1.2024.4 where the /etc/shadow file, which stores hashed user passwords, is set with world-readable permissions by default in the system image builds. The /etc/shadow file is intended to be accessible only by privileged users (typically root) because it contains sensitive authentication data. The incorrect permission assignment (world-readable bit enabled) allows any local user on the system to read the file contents, exposing password hashes. This exposure does not directly allow remote exploitation or modification of the file but significantly compromises confidentiality by enabling attackers to perform offline password cracking attacks against user credentials. The vulnerability has a CVSS 3.1 base score of 6.2, reflecting medium severity due to local attack vector (AV:L), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and high confidentiality impact (C:H) but no impact on integrity or availability. No known exploits are currently reported in the wild, but the vulnerability arises from default build configurations in rpm-ostree, a tool used for managing immutable Linux operating system trees, notably in Fedora Silverblue and similar distributions. The root cause is an incorrect default permission setting during image assembly, which should be corrected to restrict access to /etc/shadow to root only. This vulnerability highlights the importance of secure default configurations in system images and the need for thorough permission audits in automated build processes.
Potential Impact
The primary impact of CVE-2024-2905 is the unauthorized disclosure of sensitive authentication data stored in /etc/shadow. This can lead to offline password cracking attempts by any local user, potentially resulting in credential compromise and subsequent privilege escalation or lateral movement within affected systems. While the vulnerability does not allow direct modification or denial of service, the confidentiality breach can undermine system security and trust. Organizations relying on rpm-ostree for immutable OS deployments, especially in environments with multiple local users or untrusted personnel, face increased risk of insider threats or compromised accounts. The vulnerability could also facilitate targeted attacks against critical infrastructure or enterprise environments where rpm-ostree is deployed. Although remote exploitation is not feasible, the local nature of the vulnerability means attackers must already have some level of access, which could be gained through other means. The exposure of password hashes can also weaken overall security posture by enabling attackers to escalate privileges or pivot to other systems.
Mitigation Recommendations
To mitigate CVE-2024-2905, organizations should immediately verify the permissions of the /etc/shadow file on all systems built or updated with rpm-ostree version 1.2024.4. The file permissions must be corrected to restrict access exclusively to the root user (typically mode 600 or 640 with appropriate group ownership). Administrators should audit and adjust the build configuration scripts or image assembly processes to ensure that default permissions for critical files like /etc/shadow are securely set before deployment. Applying vendor patches or updates addressing this issue as soon as they become available is essential. Additionally, organizations should implement strict local user access controls and monitoring to detect unauthorized access attempts. Employing multi-factor authentication and strong password policies can reduce the risk of successful offline password cracking. Regular security audits and compliance checks of immutable OS images can help prevent similar misconfigurations. Finally, educating system builders and administrators about secure default permissions in automated build environments is recommended to avoid recurrence.
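The permission check recommended above can be scripted for hosts and for image build pipelines. The following is an added example, not code from the advisory or from the rpm-ostree project: the function names, the `EXPECTED_UID` override, and every path other than /etc/shadow are assumptions, and it relies on GNU `stat`. It goes slightly beyond the advisory by also checking the group-shadow and backup files.

```shell
#!/bin/sh
# Added example (not rpm-ostree code): audit shadow-file permissions under a
# root directory, e.g. "/" on a live host or an unpacked image rootfs.
# Assumes GNU stat (coreutils).

# Paths checked relative to the root. /etc/shadow is the file named in the
# advisory; the others are assumptions added for coverage.
SHADOW_PATHS="etc/shadow etc/shadow- etc/gshadow etc/gshadow- usr/etc/shadow"

# Owner expected on every shadow file; 0 (root) unless overridden for testing.
EXPECTED_UID=${EXPECTED_UID:-0}

# mode_within_0640 MODE: succeed only if the octal MODE sets no bit outside
# rw-r----- (so 0, 400, 600 and 640 pass; 644, 604, 660 and 4600 fail).
mode_within_0640() {
    [ $(( 0$1 & ~0640 & 07777 )) -eq 0 ]
}

# audit_shadow ROOT: print one line per shadow file found and return non-zero
# if any of them is too permissive or not owned by EXPECTED_UID.
audit_shadow() {
    root=${1%/}
    findings=0
    for rel in $SHADOW_PATHS; do
        f="$root/$rel"
        # Only regular files; a symlink here is unexpected and is skipped.
        [ -f "$f" ] && [ ! -h "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        uid=$(stat -c '%u' "$f")
        if mode_within_0640 "$mode" && [ "$uid" -eq "$EXPECTED_UID" ]; then
            echo "OK   $mode uid=$uid $f"
        else
            echo "FAIL $mode uid=$uid $f"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

Call `audit_shadow /` on a running system, or pass the unpacked image root in a build job and fail the build on a non-zero exit status.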
Affected Countries
United States, Germany, India, China, Japan, United Kingdom, France, Canada, Australia, Brazil
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-03-26T11:53:25.040Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682d58114d7c5ea9f4b424fa
Added to database: 5/21/2025, 4:35:29 AM
Last enriched: 2/28/2026, 10:46:08 AM
Last updated: 3/26/2026, 4:39:44 AM