CVE-2024-39916

Name of the Vulnerable Software and Affected Versions FOG versions prior to 1.5.10.30

Description The issue concerns the NFS configuration in /etc/exports generated by the FOG installer, which allows an attacker to modify files outside the export in the default installation. The no subtree check option in the exports means that the server only checks if the requested file is on the correct filesystem, not if it is in the correct directory. This enables modifying files in /images, accessing other files on the same filesystem, and accessing files on other filesystems.

Recommendations For versions prior to 1.5.10.30, update to version 1.5.10.30 to resolve the issue. As a temporary workaround, consider modifying the NFS configuration to remove the no subtree check option from the exports in /etc/exports to prevent unauthorized file access.