CVE-2024-28085
Published: 27 March 2024
Summary
CVE-2024-28085 is a low-severity Improper Neutralization of Escape, Meta, or Control Sequences (CWE-150) vulnerability in Kernel Util-Linux. Its CVSS base score is 3.3 (Low).
Operationally, it is ranked in the top 6.4% of CVEs by exploit likelihood. It is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability affects the wall utility in util-linux versions through 2.40. When wall is installed with setgid tty permissions, it fails to sanitize escape sequences supplied via command-line arguments (argv), even though sequences received from stdin are blocked. This stems from improper handling of untrusted input as described under CWE-150 and carries a low CVSS score of 3.3.
A local attacker with access to execute wall can supply crafted escape sequences on the command line to write directly to other users' terminals. In plausible configurations this can be leveraged to manipulate terminal state or capture input, potentially resulting in account takeover.
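The neutralization step that the analysis above says is applied to stdin but not to argv, sketched as an added example; it is not util-linux code. The function names `neutralize` and `message_from_argv` are hypothetical, and escaping every byte at or above 0x80 is a conservative assumption that also rewrites valid UTF-8.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not util-linux code; function names are hypothetical.
 * Copy src to dst, rewriting every byte a terminal could act on (C0, DEL,
 * and all bytes >= 0x80). Returns bytes written, or (size_t)-1 if dst is full. */
size_t neutralize(const char *src, char *dst, size_t dstsz)
{
    size_t o = 0;
    if (dstsz == 0) return (size_t)-1;
    for (const unsigned char *p = (const unsigned char *)src; *p; p++) {
        char buf[5];
        if (*p == '\n' || *p == '\t' || (*p >= 0x20 && *p < 0x7f))
            snprintf(buf, sizeof buf, "%c", *p);
        else if (*p < 0x20 || *p == 0x7f)
            snprintf(buf, sizeof buf, "^%c", *p ^ 0x40);        /* ESC -> ^[ */
        else
            snprintf(buf, sizeof buf, "\\x%02x", (unsigned)*p); /* C1 too */
        size_t n = strlen(buf);
        if (o + n + 1 > dstsz) return (size_t)-1;
        memcpy(dst + o, buf, n);
        o += n;
    }
    dst[o] = '\0';
    return o;
}

/* Join argv words with spaces, then apply the same filter used for stdin. */
size_t message_from_argv(int argc, char **argv, char *dst, size_t dstsz)
{
    char raw[1024];
    size_t o = 0;
    for (int i = 0; i < argc; i++) {
        size_t n = strlen(argv[i]);
        if (o + n + 2 > sizeof raw) return (size_t)-1;
        if (i)
            raw[o++] = ' ';
        memcpy(raw + o, argv[i], n);
        o += n;
    }
    raw[o] = '\0';
    return neutralize(raw, dst, dstsz);
}

int main(int argc, char **argv)
{
    char out[4096];
    if (message_from_argv(argc - 1, argv + 1, out, sizeof out) == (size_t)-1)
        return 1;
    return puts(out) < 0;
}
```

Routing both input paths through one filter is the point: the flaw described here exists because only one of the two paths was neutralized.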
The EPSS score remains low, with a current value of 0.1093 and a peak of 0.1274; the modest movement does not indicate material post-disclosure interest. Public discussion of the issue appears in oss-security mailing list threads from March 2024, though no specific patch or mitigation details are provided in the available references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-25252
Vulnerability details
wall in util-linux through 2.40, often installed with setgid tty permissions, allows escape sequences to be sent to other users' terminals through argv. (Specifically, escape sequences received from stdin are blocked, but escape sequences received from argv are not blocked.) There may be plausible scenarios where this leads to account takeover.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.