forked from security/wiki
50 lines
2.3 KiB
Markdown
# CVE-2024-1086: kernel

## Title

CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function

## Summary

As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):

A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.

Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).

Public disclosure date: March 26, 2024, the date of the above blog post, which made the issue widely known.

## EL9

- Fixed in version: `kernel-5.14.0-427.16.1.el9_4`, available May 8, 2024

## EL8

- Fixed in version: `kernel-4.18.0-513.24.1.el8_9`, available April 5, 2024
- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607), issued April 5, 2024

## Mitigation

In addition to updating to a fixed kernel, we recommend two mitigations:

- If you don't use containers, we recommend that you disable user namespaces, e.g. by running the following commands as root:

  ```sh
  echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
  sysctl -p /etc/sysctl.d/userns.conf
  ```

  This is a mitigation also suggested by Red Hat.
  It is sufficient to fully mitigate this and other/future related vulnerabilities.

- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities.

- Install our [package of LKRG](../packages/lkrg.md), then start and enable the service.

  This does not fully mitigate the vulnerability, but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
  LKRG's feature that does so is its allow list for the kernel's usermodehelper.
  This will similarly prevent other/future exploits that abuse usermodehelper.
  The remaining risks are Denial of Service (DoS), as even interrupted exploits may leave the system in an unstable state, and a different exploit of the same vulnerability bypassing LKRG.
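As an added example that is not part of this wiki page, the following POSIX shell script reports whether a host is patched or mitigated against CVE-2024-1086. It uses the fixed kernel versions listed in the EL9 and EL8 sections and the `user.max_user_namespaces` sysctl shown above. It assumes that disabling network namespaces is done through the `user.max_net_namespaces` sysctl (the page links the post about that mitigation but does not state the mechanism), that `sort -V` is available (GNU or recent BSD coreutils), and that the script file is named `cve-2024-1086-check.sh`; all three are assumptions of this example, not statements from the page.

```sh
#!/bin/sh
# Added example, not from the wiki: report whether this host is patched or
# mitigated against CVE-2024-1086 using the versions and sysctls above.
# Assumption: disabling network namespaces is done through the
# user.max_net_namespaces sysctl (the wiki only links the post about it).

# Fixed kernel versions taken from the EL9 and EL8 sections above.
FIXED_EL9="5.14.0-427.16.1.el9_4"
FIXED_EL8="4.18.0-513.24.1.el8_9"

# Drop the architecture suffix that `uname -r` appends, so the running
# version can be compared with the package version string.
strip_arch() {
    printf '%s\n' "$1" | sed -E 's/\.(x86_64|aarch64|ppc64le|s390x)$//'
}

# Print the fixed version for the EL major release the running kernel belongs to.
fixed_version_for() {
    case "$1" in
        *.el9*) printf '%s\n' "$FIXED_EL9" ;;
        *.el8*) printf '%s\n' "$FIXED_EL8" ;;
        *) return 1 ;;   # not an EL8/EL9 kernel: caller reports "unknown"
    esac
}

# Succeed when RUNNING is at or above FIXED. `sort -V` compares numeric
# fields numerically, which matches RPM ordering for these kernel versions.
kernel_is_fixed() {
    running=$(strip_arch "$1")
    lowest=$(printf '%s\n%s\n' "$running" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# Succeed when the given sysctl file exists and holds 0 (namespace type disabled).
sysctl_is_zero() {
    [ -r "$1" ] && [ "$(cat "$1")" = "0" ]
}

# host_status RUNNING USERNS_FILE NETNS_FILE
# Prints one of: fixed, mitigated-userns, mitigated-netns, vulnerable, unknown.
host_status() {
    fixed=$(fixed_version_for "$1") || { echo unknown; return 0; }
    if kernel_is_fixed "$1" "$fixed"; then
        echo fixed
    elif sysctl_is_zero "$2"; then
        echo mitigated-userns
    elif sysctl_is_zero "$3"; then
        echo mitigated-netns
    else
        echo vulnerable
    fi
}

# Check the live host: ./cve-2024-1086-check.sh --live
if [ "${1:-}" = "--live" ]; then
    host_status "$(uname -r)" \
        /proc/sys/user/max_user_namespaces \
        /proc/sys/user/max_net_namespaces
fi
```

The status order matters: a fixed kernel is reported as `fixed` regardless of sysctls, and a host with user namespaces disabled is reported as `mitigated-userns` even when network namespaces are still enabled, mirroring the order of preference in the Mitigation section. Hosts that are not EL8/EL9 are reported as `unknown` rather than guessed at, since the fixed versions above apply only to those releases.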