
CVE-2024-47742: Path traversal in the Linux kernel firmware loader (Linux / Linux)

High
Published: Mon Oct 21 2024 (10/21/2024, 12:14:10 UTC)
Source: CVE
Vendor/Project: Linux
Product: Linux

Description

In the Linux kernel, the following vulnerability has been resolved:

firmware_loader: Block path traversal

Most firmware names are hardcoded strings, or are constructed from fairly constrained format strings where the dynamic parts are just some hex numbers or such.

However, there are a couple codepaths in the kernel where firmware file names contain string components that are passed through from a device or semi-privileged userspace; the ones I could find (not counting interfaces that require root privileges) are:

- lpfc_sli4_request_firmware_update() seems to construct the firmware filename from "ModelName", a string that was previously parsed out of some descriptor ("Vital Product Data") in lpfc_fill_vpd()
- nfp_net_fw_find() seems to construct a firmware filename from a model name coming from nfp_hwinfo_lookup(pf->hwinfo, "nffw.partno"), which I think parses some descriptor that was read from the device. (But this case likely isn't exploitable because the format string looks like "netronome/nic_%s", and there shouldn't be any *folders* starting with "netronome/nic_". The previous case was different because there, the "%s" is *at the start* of the format string.)
- module_flash_fw_schedule() is reachable from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT netlink command, which is marked as GENL_UNS_ADMIN_PERM (meaning CAP_NET_ADMIN inside a user namespace is enough to pass the privilege check), and takes a userspace-provided firmware name. (But I think to reach this case, you need to have CAP_NET_ADMIN over a network namespace that a special kind of ethernet device is mapped into, so I think this is not a viable attack path in practice.)

Fix it by rejecting any firmware names containing ".." path components.

For what it's worth, I went looking and haven't found any USB device drivers that use the firmware loader dangerously.

AI-Powered Analysis

Last updated: 06/28/2025, 20:24:40 UTC

Technical Analysis

CVE-2024-47742 covers a path traversal weakness in the Linux kernel's firmware loader (drivers/base/firmware_loader), the subsystem drivers call through request_firmware() and related helpers to have a file read from the firmware search directories (typically /lib/firmware) and handed back as a blob. The loader simply appended the requested name to a search directory and relied on callers to pass well-formed names. That holds for almost every driver, whose names are hardcoded or built from tightly constrained format strings, but the commit author identified three call sites where part of the name originates outside the kernel:

- lpfc_sli4_request_firmware_update() in the lpfc Fibre Channel HBA driver builds the name from the ModelName string parsed out of the adapter's Vital Product Data in lpfc_fill_vpd(). The device-controlled string sits at the start of the format string, so a model name beginning with "../" walks out of the firmware directory and the kernel opens whatever file the traversal resolves to.
- nfp_net_fw_find() in the Netronome nfp driver uses a part number read from device hwinfo ("nffw.partno"), but behind the fixed prefix "netronome/nic_". A path walk requires every intermediate component to be an existing directory, and no directory named "nic_<anything>" is expected under netronome/, so the traversal cannot get past that component; the author considers this case not exploitable in practice.
- module_flash_fw_schedule() takes a userspace-supplied name from the ETHTOOL_MSG_MODULE_FW_FLASH_ACT generic netlink command. That command is gated by GENL_UNS_ADMIN_PERM, i.e. CAP_NET_ADMIN in the caller's network namespace rather than in the init namespace, but reaching it also requires that namespace to contain an Ethernet device whose transceiver module supports firmware flashing, which the author judges an impractical attack path.

The fix is a single input check in the loader: any requested name containing a ".." path component is rejected, regardless of which driver asked. The commit author also reviewed the USB device drivers and found none that feed untrusted strings into the firmware loader.

Note the trust boundary: for the lpfc path the attacker is the device (a malicious or compromised HBA presenting crafted VPD), not a local user, while only the ethtool path involves a privileged local caller. No exploitation in the wild has been reported and no CVSS score has been assigned.
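The following is an added example written for this page, not the kernel's own code. It models in userspace the two things the analysis above turns on: the ".." path-component rule the fix introduces (name_contains_dotdot()), and why the position of the device-controlled "%s" decides exploitability (walk_firmware_path() resolves a name against a constructed list of directories the way a path walk does, requiring every intermediate component to exist). The directory list, the "/lib/firmware" layout, the "vendor/" prefix, the hostile model string and all function names are assumptions made for the illustration; symlinks, permissions and the loader's multiple search paths are not modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FW_DIR "/lib/firmware"   /* assumed firmware search directory */

/* Constructed stand-in for the root filesystem: the only directories that exist. */
static const char *const known_dirs[] = {
    "/", "/lib", "/lib/firmware", "/lib/firmware/netronome", "/lib/firmware/vendor", "/etc", NULL
};

static bool is_dir(const char *path)
{
    for (const char *const *d = known_dirs; *d; d++)
        if (strcmp(*d, path) == 0)
            return true;
    return false;
}

/* The check the fix describes: refuse a name with a ".." *path component*, i.e. ".."
 * alone or bounded by '/' or the string ends. A bare strstr(name, "..") would also
 * reject harmless names such as "fw..v2.bin". */
bool name_contains_dotdot(const char *name)
{
    size_t len = strlen(name);

    return strcmp(name, "..") == 0 ||
           strncmp(name, "../", 3) == 0 ||
           strstr(name, "/../") != NULL ||
           (len >= 3 && strcmp(name + len - 3, "/..") == 0);
}

/* Resolve 'name' under the absolute directory fw_dir as a path walk does: every
 * component but the last must be an existing directory. A leading ".." steps out of
 * fw_dir; a literal "nic_.." component ends the walk (ENOENT) although it holds "..".
 * Returns 0 with the final path in 'out', or -1 on failure / too-small buffer. */
int walk_firmware_path(const char *fw_dir, const char *name, char *out, size_t outsz)
{
    if (snprintf(out, outsz, "%s", fw_dir) >= (int)outsz)
        return -1;

    for (const char *p = name; *p; ) {
        const char *end = strchr(p, '/');
        size_t clen = end ? (size_t)(end - p) : strlen(p);

        if (clen == 0) {                         /* leading or doubled '/' */
            p = end + 1;
            continue;
        }
        if (clen == 2 && p[0] == '.' && p[1] == '.') {
            char *slash = strrchr(out, '/');     /* drop the last component, */
            *(slash == out ? slash + 1 : slash) = '\0';   /* but "/" stays "/" */
        } else if (!(clen == 1 && p[0] == '.')) {
            size_t used = strlen(out);
            int n = snprintf(out + used, outsz - used, "%s%.*s",
                             out[used - 1] == '/' ? "" : "/", (int)clen, p);
            if (n < 0 || (size_t)n >= outsz - used)
                return -1;
        }
        if (end && !is_dir(out))                 /* intermediate component must exist */
            return -1;
        p = end ? end + 1 : p + clen;
    }
    return 0;
}

/* Patched-loader behaviour for the driver patterns in the commit message: 'prefix' is
 * the fixed part of the driver's format string, 'device_string' the part read from the
 * device. Returns 0 if accepted and the walk succeeds, -1 if the new check refuses the
 * name (-EINVAL in the kernel), -2 if the walk fails (ENOENT) or the name is too long. */
int request_firmware_checked(const char *prefix, const char *device_string,
                             char *resolved, size_t sz)
{
    char name[256];

    if (snprintf(name, sizeof name, "%s%s", prefix, device_string) >= (int)sizeof name)
        return -2;
    if (name_contains_dotdot(name))
        return -1;
    return walk_firmware_path(FW_DIR, name, resolved, sz) == 0 ? 0 : -2;
}

int main(void)
{
    const char *hostile = "../../etc/passwd";    /* constructed device-supplied string */
    char path[256];

    /* "%s" first (lpfc-style) escapes; behind "netronome/nic_" (nfp-style) it never
     * gets past the nonexistent "nic_.." directory, fix or no fix. */
    if (walk_firmware_path(FW_DIR, hostile, path, sizeof path) == 0)
        printf("unpatched lpfc-style opens: %s\n", path);
    printf("patched lpfc-style rc=%d\n", request_firmware_checked("", hostile, path, sizeof path));
    printf("unpatched nfp-style rc=%d\n",
           walk_firmware_path(FW_DIR, "netronome/nic_../../etc/passwd", path, sizeof path));
    printf("patched nfp-style rc=%d\n",
           request_firmware_checked("netronome/nic_", hostile, path, sizeof path));
    if (request_firmware_checked("vendor/", "fw..v2.bin", path, sizeof path) == 0)
        printf("legitimate name with \"..\" text opens: %s\n", path);
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run. The lpfc-style walk lands on /etc/passwd before the fix and is refused after it; the nfp-style walk already fails at the nonexistent "nic_.." directory, which is the commit message's reason for calling that case unexploitable, and the fix refuses the name anyway because it checks the name rather than what exists on disk. A name that merely contains ".." as text, here "vendor/fw..v2.bin", is still accepted.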

Potential Impact

For European organizations the exposure is moderate and concentrated on hosts running an unpatched kernel together with one of the affected drivers. The consequence of a successful traversal is that the kernel reads a file of the attacker's choosing from the root filesystem and hands it to the requesting driver as firmware. In the lpfc case that lets a hostile adapter make the host read an arbitrary file and push its contents to the device, which is a confidentiality issue on the host and an integrity issue on the adapter; a malformed "firmware" image may also leave the adapter unusable, so availability can be affected. The lpfc path requires a malicious or compromised Fibre Channel HBA, so it belongs with hardware supply-chain and physical-access threats rather than remote ones. The ethtool path requires CAP_NET_ADMIN over a network namespace that contains an Ethernet device with a flashable transceiver module, which is rare in practice, and the nfp path is not considered exploitable. Environments worth prioritising are storage-attached servers and SAN hosts with Emulex/Broadcom lpfc HBAs, hosts with Netronome nfp NICs, and any platform that grants CAP_NET_ADMIN to containers or unprivileged user namespaces; data centres, telecom and industrial installations commonly fall into one of these groups. No exploitation in the wild is known and fixed kernels are available, so the immediate risk is low, but the fix should be taken with the next kernel update rather than deferred.

Mitigation Recommendations

1. Apply the kernel update that carries the firmware_loader fix for CVE-2024-47742 (upstream and the stable backports) through your distribution. The fix is a single input check inside the loader, so no configuration change substitutes for it.
2. Do not grant CAP_NET_ADMIN to untrusted containers or user namespaces, and keep Ethernet devices with flashable modules out of namespaces handed to untrusted tenants; the ethtool path is the only one reachable from userspace and its gate is CAP_NET_ADMIN in the device's network namespace. Where a host has no need for unprivileged user namespaces, restricting them (for example via the user.max_user_namespaces sysctl) removes the unprivileged route to GENL_UNS_ADMIN_PERM commands altogether.
3. Inventory hosts with lpfc Fibre Channel HBAs and nfp NICs. For these the untrusted input is the device itself, so treat adapters of uncertain provenance, or exposed to physical access, as the priority for patching and for firmware and hardware supply-chain controls.
4. Watch the kernel log for firmware loader warnings and for firmware requests whose names do not match the pattern expected for the installed hardware; unexpected load failures around lpfc or nfp devices are worth investigating.
5. Review network namespace and container privilege assignments regularly so that capabilities such as CAP_NET_ADMIN are only present where a workload actually needs them.
6. Make administrators aware that firmware names can originate from devices and from user namespaces, and that firmware sources and update procedures need validating rather than being trusted implicitly.
7. For critical infrastructure, consider runtime integrity monitoring of adapter firmware and device behaviour to catch anomalies that malicious firmware loading could cause.


Technical Details

Data Version: 5.1
Assigner Short Name: Linux
Date Reserved: 2024-09-30T16:00:12.959Z
CISA Enriched: true
CVSS Version: null
State: PUBLISHED

Threat ID: 682d9825c4522896dcbe0683

Added to database: 5/21/2025, 9:08:53 AM

Last enriched: 6/28/2025, 8:24:40 PM

Last updated: 8/1/2025, 12:20:23 AM

