The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege escalation flaw.
The high-severity flaw, tracked as CVE-2024-1086, was first disclosed on January 31, 2024, as a use-after-free problem in the netfilter: nf_tables component, but was originally introduced by a commit in February 2014.
Netfilter is a framework provided by the Linux kernel that enables various networking-related operations, such as packet filtering, network address translation (NAT), and packet mangling.
The vulnerability is caused by the ‘nft_verdict_init()’ function allowing positive values to be used as the drop error within a hook verdict, so that the ‘nf_hook_slow()’ function executes a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT: nf_hook_slow() frees the packet because of the NF_DROP, but then returns the positive “error” value, which its caller treats as NF_ACCEPT and keeps processing the already-freed packet.
Exploitation of CVE-2024-1086 allows an attacker with local access to achieve privilege escalation on the target system, potentially gaining root-level access.
The issue was fixed via a commit submitted in January 2024, which rejects QUEUE/DROP verdict parameters, thus preventing exploitation.
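To make the mechanism concrete, here is an added C model of the two pieces involved. It is not kernel code, and it is not from the original article or from the researcher’s PoC: the constants follow the verdict layout in the kernel’s uapi netfilter headers, while the function bodies are simplified models of the verdict validation in nft_verdict_init() before and after the fix, and of how nf_hook_slow() turns an NF_DROP verdict into a return value. NFT_JUMP/NFT_GOTO (which need a chain) are left out, the socket buffer is replaced by a flag that records whether it was freed, and the two input verdicts are constructed for the demonstration.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict layout as in the kernel's uapi netfilter headers: the low byte is
 * the verdict, the upper 16 bits carry an errno (NF_DROP) or a queue number
 * (NF_QUEUE). The NFT_* values are nf_tables-internal and negative. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16
#define NF_DROP_ERR(x)   (((-(x)) << NF_VERDICT_QBITS) | NF_DROP)
#define NFT_CONTINUE     (-1)
#define NFT_BREAK        (-2)
#define NFT_RETURN       (-5)

/* Modelled on the kernel's NF_DROP_GETERR(): the verdict is handled as a
 * signed int, so the arithmetic shift sign-extends the "errno" field. */
static int nf_drop_geterr(int verdict)
{
	return -(verdict >> NF_VERDICT_QBITS);
}

/* Model of nft_verdict_init() validation before the January 2024 fix: only
 * the low byte is examined, so NF_DROP with arbitrary upper bits passes. */
static bool verdict_ok_vulnerable(uint32_t code)
{
	switch ((int)code) {
	case NFT_CONTINUE:
	case NFT_BREAK:
	case NFT_RETURN:
		return true;
	default:
		switch (code & NF_VERDICT_MASK) {
		case NF_ACCEPT:
		case NF_DROP:
		case NF_QUEUE:
			return true;
		default:
			return false;
		}
	}
}

/* Model of the fixed validation: the whole code must match exactly, which
 * rejects any QUEUE/DROP verdict parameters in the upper bits. */
static bool verdict_ok_fixed(uint32_t code)
{
	switch ((int)code) {
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
	case NFT_CONTINUE:
	case NFT_BREAK:
	case NFT_RETURN:
		return true;
	default:
		return false;
	}
}

/* Model of nf_hook_slow() handling one hook verdict. Returns what the
 * caller sees; *skb_freed records whether the skb was released. The caller
 * (NF_HOOK) continues processing the skb only when the return value is 1. */
static int hook_slow_result(uint32_t verdict, bool *skb_freed)
{
	int ret;
	*skb_freed = false;
	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
		return 1;
	case NF_DROP:
		*skb_freed = true;	/* kfree_skb_reason(skb, ...) */
		ret = nf_drop_geterr((int)verdict);
		if (ret == 0)
			ret = -EPERM;
		return ret;
	default:
		return 0;		/* NF_STOLEN and other verdicts */
	}
}

/* True when a verdict passes validation, frees the skb, and still makes the
 * caller continue with it: the CVE-2024-1086 condition. */
static bool triggers_uaf(uint32_t verdict, bool (*validate)(uint32_t))
{
	bool freed;
	if (!validate(verdict))
		return false;
	return hook_slow_result(verdict, &freed) == 1 && freed;
}

int main(void)
{
	/* Constructed inputs: a legitimate drop-with-errno, and an attacker
	 * supplied NF_DROP whose upper 16 bits are 0xffff. Sign-extended that
	 * field is -1, so nf_drop_geterr() yields +1, i.e. NF_ACCEPT. */
	uint32_t legit = NF_DROP_ERR(-EPERM);
	uint32_t evil = (0xffffu << NF_VERDICT_QBITS) | NF_DROP;

	printf("legit 0x%08x: uaf with vulnerable check=%d, fixed check=%d\n",
	       (unsigned)legit, triggers_uaf(legit, verdict_ok_vulnerable),
	       triggers_uaf(legit, verdict_ok_fixed));
	printf("evil  0x%08x: uaf with vulnerable check=%d, fixed check=%d\n",
	       (unsigned)evil, triggers_uaf(evil, verdict_ok_vulnerable),
	       triggers_uaf(evil, verdict_ok_fixed));
	return 0;
}
```

The point the model makes is that the bug is not in nf_hook_slow()’s arithmetic alone but in the combination: the pre-fix validation only looked at the low byte, so user-controlled upper bits reached a path that assumes they hold a negative errno. The fix closes it at the validation step, which is why the commit simply rejects verdict parameters rather than changing nf_hook_slow().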
The fix has been backported to several stable kernel versions, as listed below:
- v4.19.307 and later
- v5.4.269 and later
- v5.10.210 and later
- v5.15.149 and later
- v6.1.76 and later
- v6.6.15 and later
- v6.7.3 and later
In late March 2024, a security researcher using the alias ‘Notselwyn’ published a detailed write-up and proof-of-concept (PoC) exploit on GitHub, demonstrating how to achieve local privilege escalation by exploiting the flaw on Linux kernel versions between 5.14 and 6.6.
While most Linux distributions pushed out fixes fairly quickly, Red Hat had not pushed out a fix until March, making it possible that threat actors used the public exploit on compromised systems.
CISA did not share specific details about how the vulnerability is exploited, but BleepingComputer has seen posts on hacking forums about the public exploits.
The cybersecurity agency has now given federal agencies until June 20, 2024, to apply the available patches.
If updating is not possible, admins are recommended to apply the following mitigations:
- Blocklist ‘nf_tables’ if it is not needed/actively used.
- Restrict access to user namespaces to limit the attack surface.
- Load the Linux Kernel Runtime Guard (LKRG) module (can cause instability).
The second flaw CISA added to the KEV catalog this time, also with a due date of June 20, is CVE-2024-24919, an information disclosure vulnerability impacting VPN devices from Check Point.
Following the vendor’s disclosure and security update release for this flaw, researchers from watchTowr Labs published their analysis, underlining that the vulnerability is much worse than what Check Point’s bulletin reflected.