CVE-2024-10026 - Vulnerability Details - OpenCVE

A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact Low

Subsequent System Integrity Impact Low

Subsequent System Availability Impact None

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

No data.

No data.

No data.

References

Link	Providers
https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2
https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af
https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56

History

Thu, 30 Jan 2025 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 30 Jan 2025 19:30:00 +0000

Type	Values Removed	Values Added
Description		A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
Title		Improved Seeding and Hashing In gVisor
Weaknesses		CWE-328 CWE-339
References		https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2 https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56
Metrics		cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N'}`

MITRE

Status: PUBLISHED

Assigner: Google

Published: 2025-01-30T19:12:27.994Z

Updated: 2025-02-06T12:30:36.901Z

Reserved: 2024-10-16T08:04:54.647Z

Link: CVE-2024-10026

Vulnrichment

Updated: 2025-01-30T20:38:27.409Z

NVD

Status : Received

Published: 2025-01-30T20:15:32.600

Modified: 2025-01-30T20:15:32.600

Link: CVE-2024-10026

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-10026", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "state": "PUBLISHED", "assignerShortName": "Google", "dateReserved": "2024-10-16T08:04:54.647Z", "datePublished": "2025-01-30T19:12:27.994Z", "dateUpdated": "2025-02-06T12:30:36.901Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "gVisor", "repo": "https://github.com/google/gvisor", "vendor": "Google", "versions": [{"status": "unaffected", "version": "Release 20241028.0"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Amit Klein (Hebrew University of Jerusalem)"}, {"lang": "en", "type": "finder", "value": "Inon Kaplan (Independent researcher)"}, {"lang": "en", "type": "finder", "value": "Ron Even (Independent researcher)"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.<br>"}], "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances."}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "baseScore": 6.3, "baseSeverity": "MEDIUM", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-328", "description": "CWE-328", "lang": "en", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-339", "description": "CWE-339", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-02-06T12:30:36.901Z"}, "references": [{"url": "https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56"}, {"url": "https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af"}, {"url": "https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2"}], "source": {"discovery": "UNKNOWN"}, "title": "Improved Seeding and Hashing In gVisor", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-01-30T20:38:11.885657Z", "id": "CVE-2024-10026", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T20:38:31.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-10026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-01-30T20:38:11.885657Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-30T20:38:27.409Z"}}], "cna": {"title": "Improved Seeding and Hashing In gVisor", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "Amit Klein (Hebrew University of Jerusalem)"}, {"lang": "en", "type": "finder", "value": "Inon Kaplan (Independent researcher)"}, {"lang": "en", "type": "finder", "value": "Ron Even (Independent researcher)"}], "impacts": [{"capecId": "CAPEC-21", "descriptions": [{"lang": "en", "value": "CAPEC-21 Exploitation of Trusted Identifiers"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/google/gvisor", "vendor": "Google", "product": "gVisor", "versions": [{"status": "unaffected", "version": "Release 20241028.0"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56"}, {"url": "https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af"}, {"url": "https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.", "supportingMedia": [{"type": "text/html", "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-328", "description": "CWE-328"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-339", "description": "CWE-339"}]}], "providerMetadata": {"orgId": "14ed7db2-1595-443d-9d34-6215bf890778", "shortName": "Google", "dateUpdated": "2025-02-06T12:30:36.901Z"}}}, "cveMetadata": {"cveId": "CVE-2024-10026", "state": "PUBLISHED", "dateUpdated": "2025-02-06T12:30:36.901Z", "dateReserved": "2024-10-16T08:04:54.647Z", "assignerOrgId": "14ed7db2-1595-443d-9d34-6215bf890778", "datePublished": "2025-01-30T19:12:27.994Z", "assignerShortName": "Google"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances."}], "id": "CVE-2024-10026", "lastModified": "2025-01-30T20:15:32.600", "metrics": {"cvssMetricV40": [{"cvssData": {"attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "NETWORK", "automatable": "NOT_DEFINED", "availabilityRequirements": "NOT_DEFINED", "baseScore": 6.3, "baseSeverity": "MEDIUM", "confidentialityRequirements": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirements": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubsequentSystemAvailability": "NOT_DEFINED", "modifiedSubsequentSystemConfidentiality": "NOT_DEFINED", "modifiedSubsequentSystemIntegrity": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnerableSystemAvailability": "NOT_DEFINED", "modifiedVulnerableSystemConfidentiality": "NOT_DEFINED", "modifiedVulnerableSystemIntegrity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "recovery": "NOT_DEFINED", "safety": "NOT_DEFINED", "subsequentSystemAvailability": "NONE", "subsequentSystemConfidentiality": "LOW", "subsequentSystemIntegrity": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnerabilityResponseEffort": "NOT_DEFINED", "vulnerableSystemAvailability": "NONE", "vulnerableSystemConfidentiality": "LOW", "vulnerableSystemIntegrity": "LOW"}, "source": "cve-coordination@google.com", "type": "Secondary"}]}, "published": "2025-01-30T20:15:32.600", "references": [{"source": "cve-coordination@google.com", "url": "https://github.com/google/gvisor/commit/83f75082e5b03fafca9201d9d9939028f712b0b2"}, {"source": "cve-coordination@google.com", "url": "https://github.com/google/gvisor/commit/e54bfde79278cafadedbf73c68ee10cb5982f2af"}, {"source": "cve-coordination@google.com", "url": "https://github.com/google/gvisor/commit/f956b5ac17ae1f60a4d21999b59ba18c55f86d56"}], "sourceIdentifier": "cve-coordination@google.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-328"}, {"lang": "en", "value": "CWE-339"}], "source": "cve-coordination@google.com", "type": "Secondary"}]}