Linux vulnerability: Attackers gain root privileges
The US IT security agency CISA warns of active attacks on a Linux kernel vulnerability. Attackers use it to gain root privileges.
A security vulnerability in the Linux kernel is being actively exploited, warns the US cyber security agency CISA. Malicious actors are using it to gain root privileges on vulnerable systems.
According to the CISA warning, the flaw is a use-after-free vulnerability in the Linux kernel, specifically in the nf_tables component of Netfilter. The details are mostly of interest to those familiar with kernel code: the nft_verdict_init() function accepts positive values as the "drop error" carried in the upper bits of a hook verdict. As a result, the nf_hook_slow() function can trigger a double free when an NF_DROP verdict for a packet carries a drop error that resembles NF_ACCEPT, i.e. a positive value where a negative errno is expected: the packet buffer is freed for the drop, yet the positive return value makes the caller treat the packet as accepted and keep processing it (CVE-2024-1086).
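To make the verdict encoding concrete, the following is an added example written for this article; it is not code from the Linux kernel, from the CISA advisory or from the published exploit. It models in userland how a Netfilter verdict packs an errno into its upper 16 bits, how nf_hook_slow() decodes that value, and why an NF_DROP verdict carrying 0xffff in the upper bits decodes to 1, the numeric value of NF_ACCEPT. The constants and the NF_DROP_ERR macro are those of the public linux/netfilter.h header; nf_drop_geterr() mirrors the kernel's NF_DROP_GETERR, which operates on a signed int. The struct hook_result, model_nf_hook_slow(), freed_skb_reaches_okfn(), the two verdict_accepted_*() checks and the CRAFTED_DROP_VERDICT constant are simplifications made up for this example, not kernel functions; the second check follows the approach of the fix (exact-match verdict codes) but leaves out the nft-internal verdicts.

```c
#include <errno.h>
#include <stdio.h>

/* Verdict layout from the public uapi header linux/netfilter.h: the low byte
 * is the verdict, the upper 16 bits carry a queue number (NF_QUEUE) or an
 * errno (NF_DROP). */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ff
#define NF_VERDICT_QBITS 16
#define NF_DROP_ERR(x)   (((-(x)) << NF_VERDICT_QBITS) | NF_DROP)

/* Decoder as nf_hook_slow() uses it (mirrors the kernel's NF_DROP_GETERR,
 * which takes a signed int). The arithmetic right shift on a signed operand
 * is the crux: 0xffff in the upper bits is -65536 >> 16 == -1, negated to 1. */
static int nf_drop_geterr(int verdict)
{
	return -(verdict >> NF_VERDICT_QBITS);
}

/* Model (written for this example) of the NF_DROP branch of nf_hook_slow():
 * the skb is freed, then the decoded errno becomes the return value. */
struct hook_result {
	int ret;        /* 1 = caller should run okfn(skb), <0 = dropped */
	int skb_freed;  /* 1 if the model freed the skb */
};

static struct hook_result model_nf_hook_slow(unsigned int verdict)
{
	struct hook_result r = { 1, 0 };

	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
		break;
	case NF_DROP:
		r.skb_freed = 1;                      /* kfree_skb() happens here */
		r.ret = nf_drop_geterr((int)verdict);
		if (r.ret == 0)
			r.ret = -EPERM;
		break;
	default:
		r.ret = 0;
	}
	return r;
}

/* NF_HOOK() runs okfn(skb) only when nf_hook_slow() returns 1. Returns 1 if
 * the model freed the skb and would still hand it to okfn(): the double
 * free / use-after-free condition described in the article. */
static int freed_skb_reaches_okfn(unsigned int verdict)
{
	struct hook_result r = model_nf_hook_slow(verdict);
	return r.skb_freed && r.ret == 1;
}

/* Pre-fix nft_verdict_init() logic: only the low byte was inspected, so any
 * upper bits supplied from user space survived. */
static int verdict_accepted_before_fix(unsigned int code)
{
	switch (code & NF_VERDICT_MASK) {
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return 1;
	default:
		return 0;
	}
}

/* Check following the approach of the fix: base verdicts must match exactly,
 * so no user-controlled errno or queue bits reach nf_hook_slow(). The
 * nft-internal verdicts (continue, jump, ...) are left out of this model. */
static int verdict_accepted_after_fix(unsigned int code)
{
	switch (code) {
	case NF_ACCEPT:
	case NF_DROP:
	case NF_QUEUE:
		return 1;
	default:
		return 0;
	}
}

/* An NF_DROP whose "drop error" is -(NF_ACCEPT), i.e. 0xffff in the upper
 * 16 bits: a drop error that resembles NF_ACCEPT. Constructed for the demo. */
#define CRAFTED_DROP_VERDICT (NF_DROP | (0xffffu << NF_VERDICT_QBITS))

int main(void)
{
	unsigned int normal = NF_DROP_ERR(-EPERM);   /* the kernel's own usage */

	printf("NF_DROP_ERR(-EPERM) = 0x%08x decodes to %d\n",
	       normal, nf_drop_geterr((int)normal));
	printf("crafted verdict 0x%08x decodes to %d (NF_ACCEPT is %d)\n",
	       CRAFTED_DROP_VERDICT, nf_drop_geterr((int)CRAFTED_DROP_VERDICT),
	       NF_ACCEPT);
	printf("freed skb reaches okfn: %d\n",
	       freed_skb_reaches_okfn(CRAFTED_DROP_VERDICT));
	printf("accepted before fix: %d, after fix: %d\n",
	       verdict_accepted_before_fix(CRAFTED_DROP_VERDICT),
	       verdict_accepted_after_fix(CRAFTED_DROP_VERDICT));
	return 0;
}
```

The model shows the two halves of the bug side by side: the legitimate NF_DROP_ERR(-EPERM) decodes back to -EPERM and the packet stays dropped, while the crafted value passes the old low-byte check, frees the packet buffer and still returns 1, which the NF_HOOK wrapper reads as "accepted, keep going". The exact-match check rejects the crafted value before it can ever reach the hook.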
Linux vulnerability known since January
A summary on the oss-security mailing list dates the origin of the vulnerability back to 2014. Linus Torvalds merged a patch closing the gap into the kernel sources in January of this year. In March, the user Notselwyn published a proof-of-concept exploit that demonstrates how the vulnerability can be used to gain root privileges with a high degree of reliability.
According to Notselwyn, the exploit works on unpatched kernels 5.14 to 6.6, while kernels 3.15 to 6.8-rc1 are vulnerable. Because Ubuntu and Debian enable user namespaces, unprivileged user namespaces and nf_tables by default, they are exploitable by an unprivileged local user on old kernels. Patched kernels have been available since February, for example for Debian (except Buster), Fedora, Red Hat and Ubuntu. Linux admins should therefore make sure the kernels on their systems are up to date, by comparing the running kernel version against their distribution's advisory, to avoid falling victim to the attacks now being observed in the wild. Where an update cannot be applied immediately, restricting unprivileged user namespaces removes the default path an unprivileged local user needs to reach nf_tables; that is a mitigation, not a fix.
In April, an exploit for another root vulnerability in the GSM subsystem of the Linux kernel was published. At the time of that report it was still unpatched. Greg Kroah-Hartman has since explained that fixes have landed in the stable and long-term kernels.
(dmk)