Linux kernel netfilter use-after-free vulnerability can lead to local privilege escalation
CVE-2024-1086
Key Information:
- Vendor
- Linux
- Status
- Kernel
- Vendor
- CVE Published:
- 31 January 2024
Badges
What is CVE-2024-1086?
CVE-2024-1086 is a severe vulnerability found in the Linux kernel's netfilter component, which handles network packet filtering. This use-after-free vulnerability can be exploited to achieve local privilege escalation, potentially allowing an attacker to gain higher-level privileges on the affected system. As the Linux kernel underpins many operating systems and applications, the exploitation of this flaw could lead to unauthorized access to sensitive system functionalities, making it a critical concern for organizations that rely on Linux-based environments.
Technical Details
The vulnerability arises from inappropriate handling of positive drop error values within the nft_verdict_init() function in the netfilter's nf_tables subsystem. Specifically, the nf_hook_slow() function can unintentionally trigger a double free scenario when it encounters an NF_DROP command accompanied by a drop error that mimics NF_ACCEPT. This flaw can be leveraged by an attacker to manipulate memory allocation, leading to potential arbitrary code execution with escalated privileges.
Impact of the Vulnerability
-
Local Privilege Escalation: Attackers can exploit this vulnerability to elevate their local privileges, gaining unauthorized access to critical system resources and functions that they would not normally have permission to modify or execute.
-
Compromised System Integrity: Successful exploitation could allow attackers to alter system configurations, install malicious software, or alter existing data, undermining the integrity of the system and potentially leading to further compromises.
-
Increased Attack Surface: As the Linux kernel is central to many environments, a vulnerability of this nature increases the overall attack surface of affected systems, making them more attractive targets for further exploitation by attackers, including those involved in ransomware operations.
CISA Reported
CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace
The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.
Affected Version(s)
Kernel 3.15 < 6.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
CrowdStrikeCVE-2024-1086Active Exploitation Observed for Linux Kernel Privilege Escalation Vulnerability (CVE-2024-1086)
Last week, CISA added CVE-2024-1086 to its Known Exploited Vulnerability Catalog. In this blog, we share the details of this vulnerability and how Crowdstrike’s customers are protected from exploitation.
7 months ago
CISA adds Linux kernel flaw to KEV list
The Cybersecurity and Infrastructure Security Agency has updated its Known Exploited Vulnerabilities catalog to include a use-after-free security issue impacting Linux kernel versions from 5.14 to 6.6, tracked as CVE-2024-1086, which could be leveraged to enable arbitrary code execution and privileg...
7 months ago
CISA warns of actively exploited Linux privilege elevation flaw
The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added two vulnerabilities in its Known Exploited Vulnerabilities (KEV) catalog, including a Linux kernel privilege elevation flaw.
7 months ago
References
CVSS V3.1
Timeline
- 🦅
CISA Reported
- 🥇
Vulnerability reached the number 1 worldwide trending spot
- 📈
Vulnerability started trending
- 📰
First article discovered by daily.dev
- 🟡
Public PoC available
- 👾
Exploit known to exist
Vulnerability published
Vulnerability Reserved