CISA Alert: Urgent Patching Required for Linux Kernel Vulnerability
- Given the active exploitation of this Linux kernel vulnerability, federal agencies are strongly urged to apply patches by June 20, 2024.
- This vulnerability, tracked as CVE-2024-1086, carries a high-severity rating with a CVSS score of 7.8.
- KernelCare live patches for CVE-2024-1086 are available to be applied right now.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently included a Linux kernel vulnerability in its Known Exploited Vulnerabilities (KEV) catalog. This action was taken due to evidence of active exploitation of the flaw in the wild.
The vulnerability, tracked as CVE-2024-1086, is a use-after-free flaw in the Netfilter subsystem of the Linux kernel.
Netfilter is the framework inside the Linux kernel that provides packet filtering, network address translation (NAT), and other forms of network packet manipulation. It lets kernel code and loadable modules register hooks that inspect, modify, or drop packets at defined points in the networking stack.
About CVE-2024-1086
The issue was found in the nft_verdict_init() function, which accepted positive values as the drop error embedded in a hook verdict. As a result, the nf_hook_slow() function can trigger a double free when an NF_DROP verdict is issued with a drop error that resembles NF_ACCEPT: the packet buffer is freed for the drop, yet the return value leads the caller to keep processing it.
By exploiting this flaw, a local attacker can escalate privileges from a regular user to root, potentially enabling the execution of arbitrary code. It carries a high severity rating with a CVSS score of 7.8.
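To make the validation flaw concrete, the following C program is an added example, not code from this page, from TuxCare, or from the kernel tree. It contrasts a lenient verdict check, which inspects only the action byte, with a strict check that requires the whole 32-bit verdict word to equal a bare action, which is the shape of the upstream fix. The constants mirror the netfilter uapi layout (action in the low 8 bits, negated errno or queue number in the upper 16 bits); the function names, the sample verdicts and the helper macros are this example's own assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Verdict word layout, modeled on the netfilter uapi header:
 * bits 0-7 carry the action, bits 16-31 carry auxiliary data
 * (a negated errno for NF_DROP, a queue number for NF_QUEUE). */
#define NF_DROP            0u
#define NF_ACCEPT          1u
#define NF_QUEUE           3u
#define NF_VERDICT_MASK    0x000000ffu
#define NF_VERDICT_QBITS   16
#define NF_VERDICT_QMASK   0xffff0000u
/* Example-local encoders (assumption: same layout as the kernel macros). */
#define NF_DROP_ERR(err)   ((((uint32_t)(-(err))) << NF_VERDICT_QBITS) | NF_DROP)
#define NF_QUEUE_NR(n)     (((((uint32_t)(n)) << NF_VERDICT_QBITS) & NF_VERDICT_QMASK) | NF_QUEUE)

/* Lenient validator (the pattern the fix removed): only the action byte
 * is compared, so whatever userspace placed in the upper 16 bits is
 * accepted and later reaches the hook dispatcher unchanged. */
int verdict_check_lenient(uint32_t code)
{
    switch (code & NF_VERDICT_MASK) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Strict validator: the whole 32-bit word must equal a bare action.
 * Any errno or queue-number bits supplied by userspace are rejected,
 * so the kernel never has to interpret a user-chosen drop error. */
int verdict_check_strict(uint32_t code)
{
    switch (code) {
    case NF_ACCEPT:
    case NF_DROP:
    case NF_QUEUE:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Audit helper: does the word carry anything beyond the action byte? */
int verdict_has_aux_bits(uint32_t code)
{
    return (code & ~NF_VERDICT_MASK) != 0;
}

int main(void)
{
    /* Constructed sample verdicts, as a rule-loading path would see them. */
    const struct { const char *name; uint32_t code; } samples[] = {
        { "NF_ACCEPT",          NF_ACCEPT },
        { "NF_DROP",            NF_DROP },
        { "NF_DROP_ERR(EPERM)", NF_DROP_ERR(EPERM) },
        { "NF_DROP_ERR(-1)",    NF_DROP_ERR(-1) },   /* positive "error" value */
        { "NF_QUEUE_NR(5)",     NF_QUEUE_NR(5) },
    };

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        printf("%-20s 0x%08x lenient=%d strict=%d aux_bits=%d\n",
               samples[i].name, samples[i].code,
               verdict_check_lenient(samples[i].code),
               verdict_check_strict(samples[i].code),
               verdict_has_aux_bits(samples[i].code));
    }
    return 0;
}
```

The lenient check accepts both NF_DROP_ERR(-1) and NF_QUEUE_NR(5) because their low byte is a valid action; the strict check returns -EINVAL for both, and only the bare NF_ACCEPT, NF_DROP and NF_QUEUE words pass. The general lesson for any code that parses user-supplied verdicts or flag words is to compare the whole value against the allowed set rather than a masked view of it. Since this validation lives in the kernel, the actionable remedy for operators remains the distribution patch or a live patch, as the article states.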
CISA has recommended that federal agencies apply the latest security updates by June 20, 2024, to protect their networks from potential threats arising from this Linux kernel vulnerability. However, due to the critical nature of this issue, all organizations using Linux systems are urged to prioritize patching immediately.
Live Patching Linux Kernel Vulnerabilities
TuxCare’s KernelCare Enterprise offers automated live patching services for Linux servers, allowing you to apply critical kernel security updates without rebooting your systems. KernelCare live patching eliminates downtime associated with traditional patching, minimizing disruptions to ongoing operations and ensuring business continuity. This is particularly valuable for critical servers that can’t afford downtime.
The KernelCare team has already released a live patch for CVE-2024-1086. Live patches are available for CloudLinux 6h and CloudLinux 7, AlmaLinux 8 and AlmaLinux 9, CloudLinux 7h and CloudLinux 8, Ubuntu 16.04, Ubuntu 18.04, and more. As this vulnerability impacts multiple versions across various distributions, you can track the release status in the TuxCare CVE tracker.
Learn more about live patching for Linux.
Conclusion
TuxCare strongly advises immediate patching for this Linux kernel vulnerability (CVE-2024-1086), as proof-of-concept code is publicly available – making it easily exploitable by a local user on a vulnerable system.
In addition to CVE-2024-1086, CISA has also included a newly disclosed vulnerability (CVE-2024-24919, CVSS score: 7.5) in the KEV catalog. This flaw affects Check Point Security Gateways with IPSec VPN or Mobile Access blades enabled and allows an unauthenticated remote attacker to read sensitive information like password hashes. Attackers are actively exploiting it and federal agencies should implement the required security fixes by June 20, 2024.
Discover other high-severity privilege escalation vulnerabilities in the Linux kernel.
The sources for this article include a story from TheHackerNews.