security/wiki
8
0
Fork 1
generated from sig_core/wiki-template
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request 'Add issues/CVE-2024-1086.md' (#27) from solardiz-patch-25 into main
All checks were successful
mkdocs build / build (push) Successful in 28s
Details

Browse Source 
Reviewed-on: #27
Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
This commit is contained in:
Neil Hanlon 2024-03-28 19:06:19 +00:00
commit f91c83801a
2 changed files with 45 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

40
docs/issues/CVE-2024-1086.md Normal file
View File

@ -0,0 +1,40 @@
# CVE-2024-1086: kernel
## Title
CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
## Summary
As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):
A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.
Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).
Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
## Status
Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
## Mitigation
Meanwhile, we recommend two mitigations:
1. If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:
```
echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf
```
This is a mitigation also suggested by Red Hat.
It is expected to fully mitigate this and other/future related vulnerabilities.
2. Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
This does not fully mitigate the vulnerability,
but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
LKRG's feature that does so is its allow list for the kernel's usermodehelper.
This will similarly prevent other/future exploits that abuse usermodehelper.

5
docs/news.md
View File

@ -2,6 +2,11 @@
These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.
## March 28, 2024
We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),
currently listing two mitigations for this Linux kernel vulnerability.
## March 11 to 16, 2024
[openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).