Linux kernel netfilter use-after-free vulnerability can lead to local privilege escalation
CVE-2024-1086
Key Information:
Badges
What is CVE-2024-1086?
CVE-2024-1086 is a severe vulnerability found in the Linux kernel's netfilter component, which handles network packet filtering. This use-after-free vulnerability can be exploited to achieve local privilege escalation, potentially allowing an attacker to gain higher-level privileges on the affected system. As the Linux kernel underpins many operating systems and applications, the exploitation of this flaw could lead to unauthorized access to sensitive system functionalities, making it a critical concern for organizations that rely on Linux-based environments.
Technical Details
The vulnerability arises from inappropriate handling of positive drop error values within the nft_verdict_init() function in the netfilter's nf_tables subsystem. Specifically, the nf_hook_slow() function can unintentionally trigger a double free scenario when it encounters an NF_DROP command accompanied by a drop error that mimics NF_ACCEPT. This flaw can be leveraged by an attacker to manipulate memory allocation, leading to potential arbitrary code execution with escalated privileges.
Impact of the Vulnerability
-
Local Privilege Escalation: Attackers can exploit this vulnerability to elevate their local privileges, gaining unauthorized access to critical system resources and functions that they would not normally have permission to modify or execute.
-
Compromised System Integrity: Successful exploitation could allow attackers to alter system configurations, install malicious software, or alter existing data, undermining the integrity of the system and potentially leading to further compromises.
-
Increased Attack Surface: As the Linux kernel is central to many environments, a vulnerability of this nature increases the overall attack surface of affected systems, making them more attractive targets for further exploitation by attackers, including those involved in ransomware operations.
CISA has reported CVE-2024-1086
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed CVE-2024-1086 as being exploited and is known by the CISA as enabling ransomware campaigns.
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Kernel 3.15 < 6.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CVE-2024-1086 Vulnerability: Critical Privilege Escalation Flaw in Linux Kernel Exploited in the Ransomware Attacks | SOC Prime
Explore CVE-2024-1086, a critical Linux kernel vulnerability actively exploited in ransomware attacks, with detailed analysis on the SOC Prime blog.
3 weeks ago
CyberWireCVE-2024-1086CISA warns of actively exploited Linux kernel flaw.
Chinese threat actor exploits Windows LNK flaw to deploy malware. Former L3 Harris exec pleads guilty to selling exploits to Russia.
3 weeks ago
CISA: High-severity Linux flaw now exploited by ransomware gangs
CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.
3 weeks ago
References
EPSS Score
87% chance of being exploited in the next 30 days.
CVSS V3.1
Timeline
- 💰
Used in Ransomware
- 🦅
CISA Reported
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
- 📰
First article discovered by daily.dev
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved