From 615f3861cde70b785c2774bef2f04c94beaac953 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Thu, 28 Mar 2024 19:54:13 +0100 Subject: [PATCH] Add issues/CVE-2024-1086.md --- docs/issues/CVE-2024-1086.md | 40 ++++++++++++++++++++++++++++++++++++ docs/news.md | 5 +++++ 2 files changed, 45 insertions(+) create mode 100644 docs/issues/CVE-2024-1086.md diff --git a/docs/issues/CVE-2024-1086.md b/docs/issues/CVE-2024-1086.md new file mode 100644 index 0000000..c237a2b --- /dev/null +++ b/docs/issues/CVE-2024-1086.md 
@@ -0,0 +1,40 @@ +# CVE-2024-1086: kernel + +## Title + +CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function + +## Summary + +As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086): + +A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation. + +Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/). + +Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known + +## Status + +Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives. + +## Mitigation + +Meanwhile, we recommend two mitigations: + +1. If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root: + +``` +echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf +sysctl -p /etc/sysctl.d/userns.conf +``` + +This is a mitigation also suggested by Red Hat. +It is expected to fully mitigate this and other/future related vulnerabilities. + +2. Install our [package of LKRG](../packages/lkrg.md), start and enable the service. + +This does not fully mitigate the vulnerability, +but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run. +LKRG's feature that does so is its allow list for the kernel's usermodehelper. +This will similarly prevent other/future exploits that abuse usermodehelper. diff --git a/docs/news.md b/docs/news.md index 7a2a6e0..80e1bc3 100644 --- a/docs/news.md +++ b/docs/news.md 
@@ -2,6 +2,11 @@ These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits. +## March 28, 2024 + +We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md), +currently listing two mitigations for this Linux kernel vulnerability. + ## March 11 to 16, 2024 [openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).
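Review bot: the first mitigation in the CVE-2024-1086.md hunk is gated on "If you don't use containers", but `user.max_user_namespaces=0` refuses every new user namespace system-wide, for root as well as unprivileged users, not only for container runtimes, so the page should tell readers how to confirm nothing on the host depends on user namespaces before applying it (`lsns -t user` lists the ones that currently exist; rootless container tools, sandboxing wrappers and browser sandboxes are typical owners) and should say that no reboot is needed because `sysctl -p` applies the setting immediately. Two smaller documentation points in the same hunk: the Title calls the bug a use-after-free in `nft_verdict_init()` while the quoted Summary describes a double free in `nf_hook_slow()`; one sentence stating that these are the same root cause (the verdict value accepted by `nft_verdict_init()` is what later makes `nf_hook_slow()` free twice) would stop a reader taking them for two bugs. And in Status, "rebuild upstream's fix as soon as it arrives" should say which upstream is meant (a RHEL kernel errata versus the Linux kernel commit) and link it, so readers can track the fix themselves; the second mitigation would likewise be more useful if it named which step of the referenced exploit goes through usermodehelper, since that is what decides whether a differently written exploit for the same bug would still be caught by LKRG's allow list.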
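Review bot: the news.md entry only says that a status page with two mitigations exists; since news.md is the page people scan, one more clause carrying the key facts from the linked page (EL8 and EL9 kernels affected, no rebuilt fix available yet, disabling user namespaces being the mitigation expected to fully cover it) would let readers act without clicking through. Placement is right: the entry sits above the March 11 to 16 item, keeping the newest-first order of the file.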