Merge pull request 'Add issues/CVE-2024-1086.md' (#27 ) from solardiz-patch-25 into main

Reviewed-on: #27 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>
Add issues/CVE-2024-1086.md
2024-03-28 19:06:19 +00:00 · 2024-03-28 19:54:24 +01:00
2 changed files with 45 additions and 0 deletions
--- a/docs/issues/CVE-2024-1086.md
+++ b/docs/issues/CVE-2024-1086.md
@ -0,0 +1,40 @@
+# CVE-2024-1086: kernel
+
+## Title
+
+CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
+
+## Summary
+
+As [briefly described by Red Hat](https://access.redhat.com/security/cve/CVE-2024-1086):
+
+A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the `nft_verdict_init()` function, allowing positive values as a drop error within the hook verdict, therefore, the `nf_hook_slow()` function can cause a double-free vulnerability when `NF_DROP` is issued with a drop error that resembles `NF_ACCEPT`. The `nf_tables` component can be exploited to achieve local privilege escalation.
+
+Exploitation of the flaw is [described in great detail in a blog post by Notselwyn](https://pwning.tech/nftables/).
+
+Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known
+
+## Status
+
+Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.
+
+## Mitigation
+
+Meanwhile, we recommend two mitigations:
+
+1. If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:
+
+```
+echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
+sysctl -p /etc/sysctl.d/userns.conf
+```
+
+This is a mitigation also suggested by Red Hat.
+It is expected to fully mitigate this and other/future related vulnerabilities.
+
+2. Install our [package of LKRG](../packages/lkrg.md), start and enable the service.
+
+This does not fully mitigate the vulnerability,
+but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run.
+LKRG's feature that does so is its allow list for the kernel's usermodehelper.
+This will similarly prevent other/future exploits that abuse usermodehelper.
--- a/docs/news.md
+++ b/docs/news.md
@ -2,6 +2,11 @@

 These are what we consider significant SIG/Security news items, not an exhaustive list of package updates and wiki edits.

+## March 28, 2024
+
+We've just set up a status page on [CVE-2024-1086](issues/CVE-2024-1086.md),
+currently listing two mitigations for this Linux kernel vulnerability.
+
 ## March 11 to 16, 2024

 [openssh](packages/openssh.md) rebased on upstream EL 8.7p1-34.3 with fixes for CVE-2023-48795 (Terrapin attack) and CVE-2023-51385, now building it without Kerberos support (further shortens `ldd sshd` from 20 to 13 lines, down from 28 lines in upstream EL).
Author	SHA1	Message	Date
Neil Hanlon	f91c83801a	Merge pull request 'Add issues/CVE-2024-1086.md' (#27 ) from solardiz-patch-25 into main mkdocs build / build (push) Successful in 28s Details Reviewed-on: #27 Reviewed-by: Neil Hanlon <neil@noreply@resf.org>	2024-03-28 19:06:19 +00:00
Solar Designer	615f3861cd	Add issues/CVE-2024-1086.md	2024-03-28 19:54:24 +01:00