generated from sig_core/wiki-template
Update issues/CVE-2024-1086.md
This commit is contained in:
parent
ce94068981
commit
cb065e6fd6
@ -14,9 +14,14 @@ Exploitation of the flaw is [described in great detail in a blog post by Notselw
|
||||
|
||||
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
|
||||
|
||||
## Status
|
||||
## EL9
|
||||
|
||||
Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
|
||||
Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below.
|
||||
|
||||
## EL8
|
||||
|
||||
- Fixed in version: `kernel-4.18.0-513.24.1.el8_9` available April 5, 2024
|
||||
- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607) issued April 5, 2024
|
||||
|
||||
## Mitigation
|
||||
|
||||
@ -30,7 +35,9 @@ sysctl -p /etc/sysctl.d/userns.conf
|
||||
```
|
||||
|
||||
This is a mitigation also suggested by Red Hat.
|
||||
It is expected to fully mitigate this and other/future related vulnerabilities.
|
||||
It is sufficient to fully mitigate this and other/future related vulnerabilities.
|
||||
|
||||
- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities.
|
||||
|
||||
- Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
|
||||
|
||||
@ -38,3 +45,5 @@ This does not fully mitigate the vulnerability,
|
||||
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
|
||||
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
|
||||
This will similarly prevent other/future exploits that abuse usermodehelper.
|
||||
The remaining risks are Denial of Service (DoS) as even interrupted exploits may leave the system in an unstable state,
|
||||
and a different exploit of the same vulnerability bypassing LKRG.
|
||||
|
Loading…
Reference in New Issue
Block a user