
Cloud Vulnerability DB
A community-led vulnerabilities database
Relax-and-Recover (ReaR) through version 2.7 contains a security vulnerability: it creates a world-readable initrd when the GRUB_RESCUE=y configuration option is used. The vulnerability was discovered in January 2024 and assigned the identifier CVE-2024-23301. The issue affects ReaR installations on multiple Linux distributions, including Debian, Fedora, and Red Hat Enterprise Linux (NVD, Debian LTS).
The vulnerability occurs when ReaR is configured with the GRUB_RESCUE=y option, which causes the generated initrd (initial ramdisk) file to be created with world-readable permissions in the /boot directory. The issue has been assigned a CVSS v3.1 base score of 5.5 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N, indicating that local access is required but no user interaction is needed for exploitation (NVD).
This vulnerability allows a local, unprivileged user to read system secrets that should only be readable by the root user. Since the initrd contains a copy of the recovery system, any sensitive information included in that recovery system could be exposed to unprivileged local users (GitHub Issue).
The issue has been fixed in several distribution releases. Debian has released version 2.4+dfsg-1+deb10u1 for Debian 10 (Buster). Fedora has released version 2.7-8 for both Fedora 38 and 39. The fix makes the initrd file accessible only by root through proper permission settings (Debian LTS, Fedora Update).
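The following POSIX shell script is an added example, not code from the ReaR project or the distributions named above. It shows the check a defender would run on a host that may have built a rescue image with GRUB_RESCUE=y: list regular files under a boot directory that grant read permission to "other", and tighten them to owner-only (0600), which is the same outcome the distribution fixes produce. The directory argument and the 0600 target mode are assumptions for the example; ReaR's own file names are not referenced.

```shell
#!/bin/sh
# Added example (not ReaR project code): audit a boot directory for
# world-readable files such as a rescue initrd and restrict them to root.
# Assumptions: the directory to audit is passed as an argument (on a real
# host this would be /boot, as in the advisory) and 0600 is the desired mode.

# Print the path of every regular file directly inside DIR whose mode
# grants read permission to "other" (the world-readable case).
find_world_readable() {
    dir="$1"
    # -perm -004: all of the bits in 004 (other-read) must be set.
    find "$dir" -maxdepth 1 -type f -perm -004 2>/dev/null
}

# Restrict every world-readable regular file directly inside DIR to
# owner read/write only (0600), leaving already-private files untouched.
restrict_to_owner() {
    dir="$1"
    find "$dir" -maxdepth 1 -type f -perm -004 -exec chmod 0600 {} + 2>/dev/null
}

# Return 0 (success) when DIR contains no world-readable regular files,
# 1 otherwise; usable as a pass/fail check in a hardening pipeline.
boot_dir_is_clean() {
    [ -z "$(find_world_readable "$1")" ]
}

# Report-then-fix workflow for one directory; prints what it changed.
audit_boot_dir() {
    dir="$1"
    offenders="$(find_world_readable "$dir")"
    if [ -z "$offenders" ]; then
        echo "OK: no world-readable files in $dir"
        return 0
    fi
    echo "WARNING: world-readable files in $dir:"
    echo "$offenders"
    restrict_to_owner "$dir"
    echo "Restricted the above files to mode 0600"
    return 1
}

# Usage on a real host (as root, since /boot is root-owned):
#   . ./audit_boot.sh && audit_boot_dir /boot
```

The check deliberately stops at `-maxdepth 1`: a rescue initrd written by ReaR lands directly in the boot directory, and descending into sub-directories such as a mounted EFI partition would produce noise from files whose permissions are governed by the filesystem mount options rather than by ReaR.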
The vulnerability was initially reported by a SUSE customer and addressed through a collaborative effort between the ReaR development team and distribution maintainers. The fix was implemented through GitHub pull request #3123, which received positive feedback from the development community (GitHub PR).
Source: This report was generated using AI