wiki/docs/issues/CVE-2024-1086.md

# CVE-2024-1086: kernel

## Title

CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function

## Summary

As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):

A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.

Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).

Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known

## EL9

- Fixed in version: `kernel-5.14.0-427.16.1.el9_4` available May 8, 2024

## EL8

- Fixed in version: `kernel-4.18.0-513.24.1.el8_9` available April 5, 2024
- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607) issued April 5, 2024

## Mitigation

We also recommend two mitigations:

- If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:

```
echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf
```

This is a mitigation also suggested by Red Hat.
It is sufficient to fully mitigate this and other/future related vulnerabilities.

- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities.

- Install our [package of LKRG](../packages/lkrg.md), start and enable the service.

This does not fully mitigate the vulnerability,
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
This will similarly prevent other/future exploits that abuse usermodehelper.
The remaining risks are Denial of Service (DoS) as even interrupted exploits may leave the system in an unstable state,
and a different exploit of the same vulnerability bypassing LKRG.
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00			`# CVE-2024-1086: kernel`

			`## Title`

			`CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function`

			`## Summary`

			`As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):`

			A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.

			`Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).`

			`Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known`

Update issues/CVE-2024-1086.md 2024-04-18 15:28:24 +00:00			`## EL9`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
issues/CVE-2024-1086.md: Add EL9 fix info 2024-05-20 20:16:07 +00:00			- Fixed in version: `kernel-5.14.0-427.16.1.el9_4` available May 8, 2024
Update issues/CVE-2024-1086.md 2024-04-18 15:28:24 +00:00
			`## EL8`

			- Fixed in version: `kernel-4.18.0-513.24.1.el8_9` available April 5, 2024
			`- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607) issued April 5, 2024`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
			`## Mitigation`

issues/CVE-2024-1086.md: Add EL9 fix info 2024-05-20 20:16:07 +00:00			`We also recommend two mitigations:`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
issues/CVE-2024-1086.md: Hopefully fix mitigations list formatting 2024-03-28 19:33:56 +00:00			`- If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
			```
			`echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf`
			`sysctl -p /etc/sysctl.d/userns.conf`
			```

			`This is a mitigation also suggested by Red Hat.`
Update issues/CVE-2024-1086.md 2024-04-18 15:28:24 +00:00			`It is sufficient to fully mitigate this and other/future related vulnerabilities.`

			`- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities.`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
issues/CVE-2024-1086.md: Hopefully fix mitigations list formatting 2024-03-28 19:33:56 +00:00			`- Install our [package of LKRG](../packages/lkrg.md), start and enable the service.`
Add issues/CVE-2024-1086.md 2024-03-28 18:54:13 +00:00
			`This does not fully mitigate the vulnerability,`
			`but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.`
			`LKRG's feature that does so is its allow list for the kernel's usermodehelper.`
			`This will similarly prevent other/future exploits that abuse usermodehelper.`
Update issues/CVE-2024-1086.md 2024-04-18 15:28:24 +00:00			`The remaining risks are Denial of Service (DoS) as even interrupted exploits may leave the system in an unstable state,`
			`and a different exploit of the same vulnerability bypassing LKRG.`