generated from sig_core/wiki-template
Merge pull request 'Update issues/CVE-2024-1086.md' (#29) from solardiz-patch-27 into main
All checks were successful
mkdocs build / build (push) Successful in 34s
All checks were successful
mkdocs build / build (push) Successful in 34s
Reviewed-on: #29 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
commit
7718c9d531
@ -14,9 +14,14 @@ Exploitation of the flaw is [described in great detail in a blog post by Notselw
|
|||||||
|
|
||||||
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
|
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
|
||||||
|
|
||||||
## Status
|
## EL9
|
||||||
|
|
||||||
Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
|
Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below.
|
||||||
|
|
||||||
|
## EL8
|
||||||
|
|
||||||
|
- Fixed in version: `kernel-4.18.0-513.24.1.el8_9` available April 5, 2024
|
||||||
|
- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607) issued April 5, 2024
|
||||||
|
|
||||||
## Mitigation
|
## Mitigation
|
||||||
|
|
||||||
@ -30,7 +35,9 @@ sysctl -p /etc/sysctl.d/userns.conf
|
|||||||
```
|
```
|
||||||
|
|
||||||
This is a mitigation also suggested by Red Hat.
|
This is a mitigation also suggested by Red Hat.
|
||||||
It is expected to fully mitigate this and other/future related vulnerabilities.
|
It is sufficient to fully mitigate this and other/future related vulnerabilities.
|
||||||
|
|
||||||
|
- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities.
|
||||||
|
|
||||||
- Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
|
- Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
|
||||||
|
|
||||||
@ -38,3 +45,5 @@ This does not fully mitigate the vulnerability,
|
|||||||
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
|
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
|
||||||
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
|
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
|
||||||
This will similarly prevent other/future exploits that abuse usermodehelper.
|
This will similarly prevent other/future exploits that abuse usermodehelper.
|
||||||
|
The remaining risks are Denial of Service (DoS) as even interrupted exploits may leave the system in an unstable state,
|
||||||
|
and a different exploit of the same vulnerability bypassing LKRG.
|
||||||
|
Loading…
Reference in New Issue
Block a user