cbcvebase.
CVE-2024-5651
published 2024-08-12

CVE-2024-5651: A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary…

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.37%
68.5th percentile
A flaw was found in the Fence Agents Remediation operator. This vulnerability can allow a Remote Code Execution (RCE) primitive by supplying an arbitrary command to execute in the --ssh-path/--telnet-path arguments. A low-privilege user, for example, a user with developer access, can create a specially crafted FenceAgentsRemediation for a fence agent supporting --ssh-path/--telnet-path arguments to execute arbitrary commands on the operator's pod. This RCE leads to a privilege escalation, first as the service account running the operator, then to another service account with cluster-admin privileges.

Affected

1 ranges
VendorProductVersion rangeFixed in
debianfence-agents

Detection & IOCsextracted from sources · hover to see the quote

  • Detect creation of FenceAgentsRemediation resources containing --ssh-path or --telnet-path arguments with unexpected/arbitrary command values, which is the injection vector for RCE on the operator pod.
  • Monitor the Fence Agents Remediation operator pod for unexpected process execution or shell spawning, as successful exploitation results in arbitrary command execution within the operator's pod.
  • Alert on low-privilege or developer-role users (non-admin) creating or modifying FenceAgentsRemediation or FenceAgentsRemediationTemplate Kubernetes resources, as exploitation requires only developer-level access.
  • ·The vulnerability is specific to the Fence Agents Remediation operator and does NOT affect the fence-agents package itself; scope detection efforts accordingly.
  • ·Only fence agents that support the --ssh-path or --telnet-path arguments are exploitable; not all fence agents are affected.
  • ·Mitigation is to restrict RBAC so unprivileged users cannot create FenceAgentsRemediation and FenceAgentsRemediationTemplate resources.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
osv8.8HIGH
vendor_debian8.8LOW
vendor_redhat8.8HIGH
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.