CVE-2024-10397: 
Linux Debian vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-10397) was discovered in OpenAFS affecting versions 1.0 through 1.6.24, 1.8.0 through 1.8.12.2, and 1.9.0 through 1.9.1. The vulnerability allows a malicious server to crash the OpenAFS cache manager and other client utilities, with the potential for arbitrary code execution. The issue was disclosed on November 12, 2024, and involves preallocated buffer overflows in XDR responses (OpenAFS Advisory).

The vulnerability stems from RPCs in OpenAFS that return dynamically-sized strings, buffers, and arrays in output arguments. The XDR-marshalling routines fail to verify if the supplied memory is adequate for storing results. When callers provide preallocated buffers smaller than the RPC interface-defined limit, server responses exceeding the buffer capacity can trigger buffer overflows. The vulnerability has received a CVSS 4.0 score of 7.7 (HIGH) with the vector string CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (OpenAFS Advisory).

The impact varies based on local configuration. For Unix cache managers, the vulnerability can result in kernel crashes or potential arbitrary code execution in kernel mode. On Solaris kernel clients, it can trigger system panics or memory corruption. Utility programs like 'pts' and 'vos' are also vulnerable to buffer overflows. The vulnerability is particularly concerning when the afsd daemon runs with '-afsdb -dynroot' options, allowing unprivileged local users to contact malicious cells via /afs/ (OpenAFS Advisory).

The OpenAFS project recommends upgrading all affected clients and utilities to OpenAFS version 1.6.25 or 1.8.13. For those unable to upgrade, security patches are available. Additional mitigation strategies include running afsd without the -dynroot/-dynroot-sparse options to prevent exploitation by unprivileged processes, and disabling the -afsdb option to prevent exploitation by local processes (OpenAFS Advisory).