From cb065e6fd6d45c3c578520d60dc7d3f367b2e1f7 Mon Sep 17 00:00:00 2001 From: Solar Designer Date: Thu, 18 Apr 2024 17:28:24 +0200 Subject: [PATCH] Update issues/CVE-2024-1086.md --- docs/issues/CVE-2024-1086.md | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/docs/issues/CVE-2024-1086.md b/docs/issues/CVE-2024-1086.md index 2a7c267..4fc85b9 100644 --- a/docs/issues/CVE-2024-1086.md +++ b/docs/issues/CVE-2024-1086.md @@ -14,9 +14,14 @@ Exploitation of the flaw is [described in great detail in a blog post by Notselw Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known -## Status +## EL9 -Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives. +Affected. We will of course rebuild upstream's fix as soon as it arrives. Meanwhile, please refer to the mitigations below. + +## EL8 + +- Fixed in version: `kernel-4.18.0-513.24.1.el8_9` available April 5, 2024 +- Errata: [RLSA-2024:1607](https://errata.rockylinux.org/RLSA-2024:1607) issued April 5, 2024 ## Mitigation @@ -30,7 +35,9 @@ sysctl -p /etc/sysctl.d/userns.conf ``` This is a mitigation also suggested by Red Hat. -It is expected to fully mitigate this and other/future related vulnerabilities. +It is sufficient to fully mitigate this and other/future related vulnerabilities. + +- If you cannot disable user namespaces, you may nevertheless be able to [disable network namespaces](https://www.openwall.com/lists/oss-security/2024/04/14/1), which is also sufficient to fully mitigate this and some other/future related vulnerabilities. - Install our [package of LKRG](../packages/lkrg.md), start and enable the service. 
@@ -38,3 +45,5 @@ This does not fully mitigate the vulnerability, but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run. LKRG's feature that does so is its allow list for the kernel's usermodehelper. This will similarly prevent other/future exploits that abuse usermodehelper. +The remaining risks are Denial of Service (DoS) as even interrupted exploits may leave the system in an unstable state, +and a different exploit of the same vulnerability bypassing LKRG. -- 2.43.5
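Review bot: in the first hunk (@@ -14,9 +14,14 @@), the new `## EL8` section gives the fixed kernel and the erratum but says nothing for EL8 systems that have not yet been updated, whereas `## EL9` points readers to the mitigations. Suggest adding a line under EL8 along the lines of "If you cannot update yet, refer to the mitigations below". The EL9 text also says "mitigations below" while the heading it refers to is the singular `## Mitigation`; make the two agree.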
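Review bot: in the second hunk (@@ -30,7 +35,9 @@), the new bullet on disabling network namespaces only links to the oss-security post, while the user-namespaces bullet above it carries the actual sysctl steps; please put the equivalent setting inline so the page is usable without following the link. Separately, changing "expected to" to "sufficient to" turns the statement about "other/future related vulnerabilities" into a definite claim about issues that are not yet known. The new bullet already hedges with "some other/future", so consider keeping a similar hedge for the future part of the user-namespaces sentence.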
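Review bot: in the last hunk (@@ -38,3 +45,5 @@), the added sentence lists "a different exploit of the same vulnerability bypassing LKRG" directly after the context line stating that LKRG "will similarly prevent other/future exploits that abuse usermodehelper", so it should say explicitly that the bypass case means exploits that do not rely on usermodehelper. Since the sentence also names DoS from interrupted exploits as a remaining risk, it would help to state what an administrator should do after seeing an LKRG alert.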