CVE-2024-38320
Published: 27 January 2025
Summary
CVE-2024-38320 is a medium-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Linux Linux Kernel. Its CVSS base score is 5.9 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552); ranked at the 20.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-28 (Protection of Information at Rest).
Deeper analysis
CVE-2024-38320 is a cryptographic weakness (CWE-327) in IBM Storage Protect for Virtual Environments: Data Protection for VMware and Storage Protect Backup-Archive Client, affecting versions 8.1.0.0 through 8.1.23.0. These components use weaker than expected cryptographic algorithms, potentially enabling an attacker to decrypt highly sensitive information. The vulnerability carries a CVSS v3.1 base score of 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating medium severity primarily due to high confidentiality impact.
An unauthenticated attacker (PR:N) can exploit this over the network (AV:N) without user interaction (UI:N), though it requires high attack complexity (AC:H). Exploitation yields high confidentiality impact (C:H), allowing decryption of sensitive data, with no effects on integrity, availability, or scope change.
IBM has published security bulletins detailing mitigations and patches at https://www.ibm.com/support/pages/node/7173462 and https://www.ibm.com/support/pages/node/7173465. Security practitioners should review these for upgrade instructions to address the weak algorithms.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-37103
Vulnerability details
IBM Storage Protect for Virtual Environments: Data Protection for VMware and Storage Protect Backup-Archive Client 8.1.0.0 through 8.1.23.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak crypto (CWE-327) directly enables decryption of protected sensitive data (e.g., credentials or secrets), mapping to unsecured credentials access.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly mandates FIPS-validated cryptographic mechanisms to prevent decryption of sensitive information protected by weak algorithms as in CVE-2024-38320.
Requires timely identification, reporting, and correction of system flaws like CVE-2024-38320 through patching weak cryptographic implementations.
Implements cryptographic mechanisms to protect confidentiality of sensitive backup data at rest, directly countering weak algorithm vulnerabilities in storage protect software.