Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Fedora 42: Important Permission Issues in cloud-init with CVE-2024-6174

fedora
Calendar Grey July 30, 2025
Dist Fedora Esm H88
Updates addressing severe vulnerabilities in cloud-init involve permission modifications and root access problems within Fedora 42.
Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, mak...

Summary

Cloud-init is a set of init scripts for cloud instances. Cloud instances

need special scripts to run during initialization to retrieve and install

ssh keys and to let the user run various scripts.

Update Information:

Backport fixes for CVE-2024-6174 and CVE-2024-11584 cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world-writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584) When a non-x86 platform is detected, cloud-init granted root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration (CVE-2024-6174) Note that the fix for CVE-2024-6174 includes a change that may break non-x86 OpenStack Nova users. Affected users may wish to use ConfigDrive as a workaround

Topics%20covered

Topics Covered

security advisory fedora important permissions issue root access cloud-init

Change Log

* Mon Jul 21 2025 Jeremy Cline - 24.2-5 - Backport fixes for CVE-2024-6174 and CVE-2024-11584 - cloud-init included the systemd socket unit cloud-init-hotplugd.socket with default SocketMode that grants 0666 permissions, making it world- writable. An unprivelege user could trigger hotplug-hook commands (CVE-2024-11584)

References


[ 1 ] Bug #2375012 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375012 [ 2 ] Bug #2375013 - CVE-2024-6174 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375013 [ 3 ] Bug #2375025 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-41] https://bugzilla.redhat.com/show_bug.cgi?id=2375025 [ 4 ] Bug #2375026 - CVE-2024-11584 cloud-init: From CVEorg collector [fedora-42] https://bugzilla.redhat.com/show_bug.cgi?id=2375026

Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-b93ee7b368' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

Severity
important
Lowest
Low
Medium
High
Critical

Name: cloud-init
Product: Fedora 42
Version: 24.2
Release: 5.fc42
URL: https://github.com/canonical/cloud-init
Summary: Cloud instance init scripts

Topics%20covered

Topics Covered

security advisory fedora important permissions issue root access cloud-init

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here