forked from security/wiki
Merge pull request 'Add issues/CVE-2024-1086.md' (#27) from solardiz-patch-25 into main
Reviewed-on: security/wiki#27 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
commit f91c83801a
docs/issues/CVE-2024-1086.md (Normal file, 40 lines added)
@ -0,0 +1,40 @@
# CVE-2024-1086: kernel
## Title
CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
## Summary
As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):
A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.
Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
## Status
Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
## Mitigation
Meanwhile, we recommend two mitigations:
1. If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:
```
echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf
```
This is a mitigation also suggested by Red Hat.
It is expected to fully mitigate this and other/future related vulnerabilities.
2. Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
This does not fully mitigate the vulnerability,
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
This will similarly prevent other/future exploits that abuse usermodehelper.
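Review bot: the sentence under mitigation 1, "It is expected to fully mitigate this and other/future related vulnerabilities", overstates what `user.max_user_namespaces=0` does: it removes the unprivileged path into nf_tables (an unprivileged user needs a user namespace to gain the capability to create nft rules), it does not fix the use-after-free, so a process that can already configure nf_tables in the host network namespace can still trigger the bug. Suggest rewording to say it closes the unprivileged attack surface the referenced exploit relies on. Two smaller points in the same file: the precondition "If you don't use containers" is narrower than the effect of the sysctl, which disables all unprivileged user namespaces, so the text should warn that any other software depending on unprivileged user namespaces stops working too; and the "Public disclosure date" line gives the blog post date while the page itself says the post only "made the issue widely known", so label that as the exploit publication date and give the CVE's own disclosure date separately. The Status section would also be more useful to readers if it named the kernel package or version to look for once the rebuilt fix is published.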
@ -2,6 +2,11 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## March 28, 2024
We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),
currently listing two mitigations for this Linux kernel vulnerability.
## March 11 to 16, 2024
[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).
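Review bot: the new March 28 entry only says the page lists "two mitigations" and leaves the reader to click through, whereas the neighbouring openssh entry states what changed in one line; name them inline, e.g. "currently listing two mitigations for this Linux kernel vulnerability (disabling unprivileged user namespaces via sysctl, and running LKRG)". The relative link `issues/CVE-2024-1086.md` matches the `packages/openssh.md` convention already used in this file, so no change needed there.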