forked from security/wiki
Merge pull request 'Add issues/CVE-2024-1086.md' (#27) from solardiz-patch-25 into main
Reviewed-on: security/wiki#27 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
f91c83801a
40
docs/issues/CVE-2024-1086.md
Normal file
40
docs/issues/CVE-2024-1086.md
Normal file
@ -0,0 +1,40 @@
|
||||
# CVE-2024-1086: kernel
|
||||
|
||||
## Title
|
||||
|
||||
CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
|
||||
|
||||
## Summary
|
||||
|
||||
As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):
|
||||
|
||||
A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.
|
||||
|
||||
Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).
|
||||
|
||||
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
|
||||
|
||||
## Status
|
||||
|
||||
Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
|
||||
|
||||
## Mitigation
|
||||
|
||||
Meanwhile, we recommend two mitigations:
|
||||
|
||||
1. If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:
|
||||
|
||||
```
|
||||
echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
|
||||
sysctl -p /etc/sysctl.d/userns.conf
|
||||
```
|
||||
|
||||
This is a mitigation also suggested by Red Hat.
|
||||
It is expected to fully mitigate this and other/future related vulnerabilities.
|
||||
|
||||
2. Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
|
||||
|
||||
This does not fully mitigate the vulnerability,
|
||||
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
|
||||
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
|
||||
This will similarly prevent other/future exploits that abuse usermodehelper.
|
@ -2,6 +2,11 @@
|
||||
|
||||
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
|
||||
|
||||
## March 28, 2024
|
||||
|
||||
We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),
|
||||
currently listing two mitigations for this Linux kernel vulnerability.
|
||||
|
||||
## March 11 to 16, 2024
|
||||
|
||||
[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).
|
||||
|
Loading…
Reference in New Issue
Block a user