wiki/docs/issues/CVE-2024-1086.md

CVE-2024-1086: kernel

Title

CVE-2024-1086: kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function

Summary

As briefly described by Red Hat:

A flaw was found in the Netfilter subsystem in the Linux kernel. This issue occurs in the nft_verdict_init() function, allowing positive values as a drop error within the hook verdict, therefore, the nf_hook_slow() function can cause a double-free vulnerability when NF_DROP is issued with a drop error that resembles NF_ACCEPT. The nf_tables component can be exploited to achieve local privilege escalation.

Exploitation of the flaw is described in great detail in a blog post by Notselwyn.

Public disclosure date: March 26, 2024 for the above blog post, which made the issue widely known

Status

Both EL9 and EL8 are affected. We will of course rebuild upstream's fix as soon as it arrives.

Mitigation

Meanwhile, we recommend two mitigations:

• If you don't use containers, we recommend that you disable user namespaces e.g. by running the below commands as root:

echo user.max_user_namespaces=0 > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf

This is a mitigation also suggested by Red Hat. It is expected to fully mitigate this and other/future related vulnerabilities.

• Install our package of LKRG, start and enable the service.

This does not fully mitigate the vulnerability, but it reliably prevents the specific exploit referenced above from working and produces LKRG alerts when the exploit is run. LKRG's feature that does so is its allow list for the kernel's usermodehelper. This will similarly prevent other/future exploits that abuse usermodehelper.