Linux Kernel Vulnerability Sees Renewed Exploited Attempts

CVE-2024-1086

Report by Matthew Fagan and Moustafa Galal, Access Point Consulting

Summary

CVE-2024-1086 (CVSS v3.1: 7.8) affects Linux Kernel versions between v5.14 and v6.6. This vulnerability was published on January 31 of this year and was added to the CISA Known Exploited Vulnerabilities Catalog on May 30, but there are now renewed reports of active exploitation. Most Linux distributions have released fixes for this vulnerability, which can be patched by updating the Linux kernel to the latest version your distribution provides. The vulnerability is a use-after-free flaw in the Linux kernel's netfilter subsystem that is used to achieve local privilege escalation. Proof of Concept exploit code was developed that relies on unprivileged user namespaces to reach nf_tables; this feature is enabled by default on Debian and Ubuntu distributions.

Business Impact Assessment

If this vulnerability is exploited, it allows local privilege escalation. The problem stems from a flaw in the nf_tables component of netfilter, the Linux kernel's packet-filtering framework. A malicious actor could abuse the nft_verdict_init() function so that a packet is dropped by the packet-filtering framework yet handled as an accepted packet. This then leads to privilege escalation up to root.

Unauthorized users obtaining root privileges is a serious problem, because root gives them unfettered power over the system. An attacker could install malware, change configurations to open previously closed ports, create backdoors into the system, or disable security features that protect the organization from serious risks. An unauthorized attacker could also access confidential information on the affected Linux system. This compromises the integrity and confidentiality of the data on the system and could damage the reputation of the organization, especially if any exfiltrated information were used nefariously. The exploit could also cause a denial of service on the system and prevent its use until the issue is resolved, causing business inefficiencies. Incident response personnel would likely need to get involved to locate and isolate the affected device.

Affected Linux Kernel Versions

  • From 6.7 and before 6.7.3
  • From 6.2 and before 6.6.15
  • From 3.15 and before 6.1.76
  • 6.8-rc1

Remediation

Updating the vulnerable Linux Kernel to v5.15.149 or later, v6.1.76 or later, or v6.6.15 or later will remediate this vulnerability.

The Linux Kernel can be updated through the command line or with a GUI-capable tool such as Synaptic.

You can use the command "uname -r" to check your kernel version and find out whether you are on a vulnerable version.

The method for updating the Linux Kernel depends on which distribution you are using. Here is a guide on how to do so for Debian.

Other distributions require their own research, but they all use roughly the same commands to perform a kernel update.
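The version check described above, as an added example that is not part of the original report: a POSIX sh script that parses the output of "uname -r" and compares it against the ranges listed under "Affected Linux Kernel Versions", treating 5.15.149 and later in the 5.15 series as fixed per the Remediation section. Function names, the key-based comparison and the handling of "-rcN" and distribution suffixes are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the article: classify a kernel release string against the
# ranges the article lists as affected by CVE-2024-1086.

# Parse "MAJOR.MINOR[.PATCH][-rcN][-distro-suffix]" into MAJ MIN PAT RC.
parse_kver() {
    ver=${1%%-*}                       # drop "-rc1", "-generic", ... for numeric parsing
    MAJ=${ver%%.*}; rest=${ver#*.}
    case "$rest" in
        *.*) MIN=${rest%%.*}; PAT=${rest#*.}; PAT=${PAT%%.*} ;;
        *)   MIN=$rest; PAT=0 ;;
    esac
    case "$1" in *-rc*) RC=${1#*-rc}; RC=${RC%%[!0-9]*} ;; *) RC=0 ;; esac
    case "$MAJ-$MIN-$PAT" in
        *--*|-*|*[!0-9-]*) echo "unparseable kernel release: $1" >&2; return 2 ;;
    esac
}

# Numeric sort key for MAJOR MINOR PATCH (assumes minor and patch levels below 1000).
vkey() { echo $(( $1 * 1000000 + $2 * 1000 + $3 )); }
# Exit 0 when the parsed version is strictly below the MAJOR MINOR PATCH given as $1 $2 $3.
below()    { [ "$(vkey "$MAJ" "$MIN" "$PAT")" -lt "$(vkey "$1" "$2" "$3")" ]; }
at_least() { ! below "$1" "$2" "$3"; }

# Exit 0 when the release string falls inside a range the article lists as affected,
# 1 when it does not, 2 when the string cannot be parsed.
cve_2024_1086_affected() {
    parse_kver "$1" || return 2
    # 6.8-rc1 is listed explicitly
    [ "$MAJ" -eq 6 ] && [ "$MIN" -eq 8 ] && [ "$RC" -eq 1 ] && return 0
    # From 6.7 and before 6.7.3
    at_least 6 7 0 && below 6 7 3 && return 0
    # From 6.2 and before 6.6.15
    at_least 6 2 0 && below 6 6 15 && return 0
    # From 3.15 and before 6.1.76; Remediation names 5.15.149 as the fix in the 5.15 series
    if at_least 3 15 0 && below 6 1 76; then
        [ "$MAJ" -eq 5 ] && [ "$MIN" -eq 15 ] && [ "$PAT" -ge 149 ] && return 1
        return 0
    fi
    return 1
}

# Check the running kernel, or a release string passed as the first argument.
kver=${1:-$(uname -r)}
if cve_2024_1086_affected "$kver"; then
    echo "$kver: inside an affected range for CVE-2024-1086; update the kernel"
else
    echo "$kver: not inside the listed affected ranges"
fi
```

Distribution kernels often backport the fix without changing the upstream version number, so treat a "not affected" result for a distro kernel (e.g. a 5.15.0-NNN build) as a first pass and confirm against the distribution's own advisory.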

Recommendations

Patch: Patching your Linux Kernel to the latest version will remediate this vulnerability. Unfortunately, there are no mitigations that can be applied to alleviate the risk of this vulnerability; an update to the kernel is required.

Incident Response Configuration and Training: Having an environment set up with the ability to isolate devices remotely and threat detection in place will go a long way toward preventing an exploited vulnerability from becoming a crisis. Ensuring that your organization has analysts trained to look at incidents, isolate devices, and perform triage will be most helpful in mitigating damage caused by a threat actor.

Associated Bulletins

https://www.vicarius.io/vsociety/posts/mitigate-cve-2024-1086

https://nsfocusglobal.com/linux-kernel-privilege-escalation-vulnerability-cve-2024-1086-notice/

https://www.crowdstrike.com/blog/active-exploitation-linux-kernel-privilege-escalation-vulnerability/
