CVE-2024-6107 Overview
CVE-2024-6107 is an authentication bypass vulnerability in Canonical Metal as a Service (MAAS). Due to insufficient verification, an attacker could use a malicious client to bypass authentication checks and run RPC commands in a region. This vulnerability has been addressed in MAAS and updated in the corresponding snaps.
Critical Impact
This authentication bypass vulnerability allows unauthenticated remote attackers to execute arbitrary RPC commands on MAAS region controllers, potentially leading to full infrastructure compromise.
Affected Products
- Canonical Metal as a Service (MAAS)
- MAAS 3.5.0 and earlier affected versions
- MAAS snap packages
Discovery Timeline
- 2025-07-21 - CVE-2024-6107 published to NVD
- 2025-08-27 - Last updated in NVD database
Technical Details for CVE-2024-6107
Vulnerability Analysis
This vulnerability is classified as CWE-287: Improper Authentication, which occurs when a system fails to properly verify the identity of an actor making a request. In the context of MAAS, the authentication mechanism for RPC communication between clients and region controllers contains insufficient verification logic, allowing malicious clients to bypass security controls entirely.
MAAS (Metal as a Service) is Canonical's bare-metal provisioning and management tool used extensively in data center environments for managing physical server infrastructure. The RPC interface is a critical component that handles communication between MAAS clients and the region controller, which orchestrates machine deployment, commissioning, and configuration.
The vulnerability allows attackers to craft requests that circumvent the authentication layer, effectively granting them unauthorized access to execute RPC commands. Given the network-accessible nature of this attack with no prerequisites for authentication or user interaction, this represents a severe risk to organizations relying on MAAS for infrastructure management.
Root Cause
The root cause is insufficient verification in the authentication mechanism for RPC communications. The MAAS region controller fails to adequately validate client credentials or authentication tokens before processing RPC requests, allowing attackers to forge or bypass authentication entirely.
Attack Vector
The attack is network-based, requiring the attacker to have network access to the MAAS region controller. An attacker can craft a malicious client that connects to the RPC interface and submits commands without proper authentication. No user interaction or prior privileges are required to exploit this vulnerability.
The attacker connects to the MAAS RPC endpoint and sends crafted requests that exploit the insufficient verification logic. Because the authentication checks can be bypassed, the attacker gains the ability to execute arbitrary RPC commands, potentially allowing them to:
- Deploy or decommission physical machines
- Modify machine configurations
- Access sensitive infrastructure data
- Pivot to other systems in the managed environment
Detection Methods for CVE-2024-6107
Indicators of Compromise
- Unexpected RPC connections to MAAS region controllers from unknown IP addresses
- Unusual machine provisioning or decommissioning activity without corresponding user actions
- Region controller logs showing RPC commands accepted without a corresponding credential validation event
- Anomalous traffic patterns to MAAS RPC ports from external networks
Detection Strategies
- Monitor network traffic to MAAS region controllers for connections from untrusted sources
- Implement logging and alerting for all RPC command executions, flagging those without valid authentication
- Deploy intrusion detection rules to identify malformed or suspicious RPC requests
- Audit MAAS logs for unexpected infrastructure changes or unauthorized command execution
Monitoring Recommendations
- Enable detailed audit logging on MAAS region controllers
- Set up alerts for failed authentication attempts followed by successful command execution
- Monitor for changes to machine states or configurations that don't correlate with administrator activity
- Review network firewall logs for unusual connections to MAAS management interfaces
How to Mitigate CVE-2024-6107
Immediate Actions Required
- Update MAAS to the latest patched version immediately
- Restrict network access to MAAS region controllers using firewall rules, limiting access to trusted management networks only
- Review audit logs for signs of prior exploitation
- Consider temporarily disabling external network access to MAAS until patches are applied
Patch Information
Canonical has addressed this vulnerability in updated MAAS releases. Organizations should update their MAAS installations and corresponding snap packages to the latest available versions. Detailed information about the fix is available in the Launchpad Bug Report #2069094.
Workarounds
- Implement network segmentation to isolate MAAS controllers from untrusted networks
- Configure firewall rules to restrict RPC port access to only authorized management systems
- Enable additional authentication layers or VPN requirements for accessing MAAS infrastructure
- Monitor and alert on all RPC connections until patches can be applied
# Example: Restrict access to the MAAS region controller using UFW
# Rules are matched in order, so the allow for the trusted network must be added before the deny.
sudo ufw allow from 10.0.0.0/24 to any port 5240 proto tcp comment "MAAS API trusted network"
sudo ufw deny to any port 5240 proto tcp comment "Block untrusted MAAS access"
# Port 5240 is the MAAS API/UI port; apply the same allow-then-deny pattern to the region RPC
# listener ports (5250-5259 on MAAS 3.x releases; confirm against the port list for your version).
sudo ufw reload
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.