Cyber Resilience

CVE-2024-3056

HighDDoS

Published: 02 August 2024

Published
02 August 2024
Modified
27 December 2024
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:N/A:H
EPSS Score 0.0036 58.3th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-3056 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Redhat Enterprise Linux. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique OS Exhaustion Flood (T1499.001); ranked in the top 41.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

A flaw was found in Podman. This issue may allow an attacker to create a specially crafted container that, when configured to share the same IPC with at least one other container, can create a large number of IPC resources…

more

in /dev/shm. The malicious container will continue to exhaust resources until it is out-of-memory (OOM) killed. While the malicious container's cgroup will be removed, the IPC resources it created are not. Those resources are tied to the IPC namespace that will not be removed until all containers using it are stopped, and one non-malicious container is holding the namespace open. The malicious container is restarted, either automatically or by attacker control, repeating the process and increasing the amount of memory consumed. With a container configured to restart always, such as `podman run --restart=always`, this can result in a memory-based denial of service of the system.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.001 OS Exhaustion Flood Impact
Adversaries may launch a denial of service (DoS) attack targeting an endpoint's operating system (OS).
Why these techniques?

The Podman vulnerability enables persistent memory exhaustion via creation of excessive IPC resources in shared namespaces across container restarts, facilitating OS Exhaustion Flood.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

Affected Assets

podman project
podman
≤ 5.2.0
redhat
openshift container platform
4.0
redhat
enterprise linux
8.0, 9.0
fedoraproject
fedora
40

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-400

Limiting concurrent sessions directly prevents uncontrolled resource consumption by capping the number of active sessions per user or account.

addresses: CWE-400

Analysis identifies uncontrolled resource consumption indicative of denial-of-service or abuse attempts.

addresses: CWE-400

Contingency plan testing includes resource exhaustion scenarios to verify recovery, making it harder for attackers to sustain exploits that cause uncontrolled consumption.

addresses: CWE-400

Updated contingency plans include current procedures to detect, contain, and recover from resource exhaustion, limiting an attacker's ability to sustain impact from uncontrolled consumption.

addresses: CWE-400

Alternate site allows resumption of operations if resource exhaustion at the primary site is exploited to cause unavailability.

addresses: CWE-400

Alternate telecommunications services enable resumption of essential functions when primary services become unavailable due to uncontrolled resource consumption.

addresses: CWE-400

The team can analyze and respond to resource exhaustion incidents, reducing the impact of attacks that exploit uncontrolled consumption weaknesses.

addresses: CWE-400

Timely maintenance support and spare parts enable rapid recovery from failures induced by uncontrolled resource consumption, shortening the impact window of denial-of-service attacks.

References