PatchSiren

CVE-2024-28085 Debian CVE debrief

CVE-2024-28085 is a low-severity local issue in util-linux wall where escape sequences passed via argv are not blocked, even though escape sequences from stdin are filtered. In environments where wall is installed with setgid tty permissions, that gap can allow terminal manipulation of other users’ sessions. The public record notes plausible scenarios that could contribute to account compromise, but the disclosed core behavior is terminal escape-sequence injection rather than direct remote exploitation.

Vendor: Debian
Product: CVE-2024-28085
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-03-27
Original CVE updated: 2026-05-12
Advisory published: 2024-03-27
Advisory updated: 2026-05-12

Who should care

Linux administrators and distribution maintainers who deploy util-linux wall with setgid tty permissions, especially on multi-user systems where local users can message other terminals. Security teams should also review images and hosts that still carry vulnerable util-linux releases.

Technical summary

NVD lists the issue as CVSS 3.1 AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N with CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences). The vulnerability description states that wall blocks escape sequences read from stdin, but not escape sequences supplied through argv. That can permit terminal control effects against other users’ terminals when wall is available with elevated tty group permissions. The NVD CPE criteria identify util-linux versions from 2.24 up to, but not including, 2.39.4 as vulnerable.

Defensive priority

Moderate for multi-user Linux systems; lower for single-user systems and for environments where wall is not installed or is not exposed with tty group privileges. Prioritize hosts that still ship affected util-linux releases.

Recommended defensive actions

  • Upgrade util-linux to a fixed release at or beyond the vendor-provided remediation for CVE-2024-28085; the NVD criteria mark versions before 2.39.4 as vulnerable.
  • Inventory systems for wall installations with setgid tty permissions and confirm whether the binary is present on shared multi-user systems.
  • Restrict local execution opportunities where feasible, because the CVSS vector indicates the attacker needs local access and low privileges.
  • Review distribution advisories and patch notes for your platform, especially if you rely on Debian or downstream packages that may have separate backports.
  • If immediate upgrading is not possible, reduce exposure by limiting which users can invoke wall and by monitoring for unexpected terminal-control behavior in multi-user sessions.
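The inventory and version checks from the list above can be scripted per host. The following is an added example, not part of the original debrief or of util-linux: the function names are hypothetical, and it assumes GNU stat and that `wall --version` prints `util-linux <version>`. A match on the upstream version range does not account for distribution backports, so confirm any "exposed" result against your distribution's advisory.

```shell
#!/bin/sh
# Added example (not from the advisory): triage one host for CVE-2024-28085.
# Affected range 2.24 <= v < 2.39.4 is the NVD criteria quoted on this page.

# ver_lt A B: succeed if dotted numeric version A sorts strictly before B.
ver_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        x=${x:-0} y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 1   # equal
}

in_affected_range() {
    ! ver_lt "$1" 2.24 && ver_lt "$1" 2.39.4
}

# assess MODE GROUP VERSION: classify from octal mode, group owner, upstream version.
assess() {
    mode=$1 group=$2 ver=$3
    if ! in_affected_range "$ver"; then echo "not-in-range"; return 0; fi
    # 02000 is the setgid bit; the advisory's precondition is setgid *tty*.
    if [ $(( 0$mode & 02000 )) -ne 0 ] && [ "$group" = tty ]; then
        echo "exposed"
    else
        echo "in-range-no-setgid-tty"
    fi
}

# check_host: gather the three facts from the local wall binary (GNU stat assumed).
check_host() {
    bin=$(command -v wall) || { echo "wall: not installed"; return 0; }
    set -- $(stat -L -c '%a %G' "$bin" 2>/dev/null)
    ver=$("$bin" --version 2>/dev/null </dev/null |
          sed -n 's/.*util-linux \([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || { echo "$bin: version unknown, check package manager"; return 0; }
    echo "$bin mode=$1 group=$2 util-linux=$ver -> $(assess "$1" "$2" "$ver")"
}

check_host
```
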

Evidence notes

This debrief is based on the supplied CVE description, NVD metadata, and the referenced Openwall disclosure and patch-thread links. The source states that escape sequences from stdin are blocked while argv-supplied escape sequences are not. NVD classifies the issue as low severity with local attacker requirements and assigns CWE-150. The vulnerable product criteria include util-linux from 2.24 through versions before 2.39.4. The record also includes a Debian Linux 10 CPE entry and a Debian LTS advisory reference, but the core affected component described in the CVE is util-linux wall.

Official resources

CVE-2024-28085 was published on 2024-03-27 and later modified on 2026-05-12 in the supplied source record. The original disclosure points to Openwall mailing-list posts and related patch discussions from 2024-03-27 and 2024-03-28.