CVE-2024-6388: 
Linux Ubuntu vulnerability analysis and mitigation

Marco Trevisan discovered a security vulnerability in the Ubuntu Advantage Desktop Daemon (CVE-2024-6388), affecting versions before 1.12. The vulnerability was disclosed on June 27, 2024, and affects Ubuntu systems using the Ubuntu Advantage Desktop Daemon service. The issue allows the Pro token to be leaked to unprivileged users by passing it as an argument in plaintext (Ubuntu Security, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 5.9 (Medium) with the vector string CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:N/A:N. The issue is classified as CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The vulnerability exists in the way the daemon handles the Pro token during authentication processes, exposing it through command-line arguments which are visible to other users on the system (Ubuntu Security).

An attacker could exploit this vulnerability to gain unauthorized access to an Ubuntu Pro subscription by viewing the exposed Pro token through system process listings. The token exposure allows unprivileged users to potentially access sensitive subscription information (Ubuntu Notice).

The vulnerability has been fixed in multiple Ubuntu versions with the following updates: Ubuntu 24.04 LTS (1.11ubuntu0.1), Ubuntu 22.04 LTS (1.10.ubuntu0.22.04.2), Ubuntu 20.04 LTS (1.10.ubuntu0.20.04.1), Ubuntu 18.04 LTS (1.10.ubuntu0.18.04.1~esm1), and Ubuntu 16.04 ESM (1.10.ubuntu0.16.04.1~esm1). Users are advised to update their systems to these versions (Ubuntu Notice).