CISA Alerts on Actively Exploited Linux Kernel Vulnerability

May 31, 2024

The U.S. Cybersecurity & Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog with two new vulnerabilities, one of which is a high-severity Linux kernel privilege elevation flaw. This flaw, identified as CVE-2024-1086, was initially disclosed on January 31, 2024. It is a use-after-free issue in the nf_tables component of the Linux kernel's netfilter subsystem. nf_tables, introduced in February 2014, is part of the Netfilter framework that provides networking operations such as packet filtering, network address translation (NAT), and packet mangling.

The vulnerability arises from the 'nft_verdict_init()' function, which incorrectly allows positive values to be used as a drop error within the hook verdict. This leads to the 'nf_hook_slow()' function executing a double free when NF_DROP is issued with a drop error that resembles NF_ACCEPT. An attacker with local access to the system can exploit CVE-2024-1086 to escalate their privileges, potentially gaining root-level access. A commit submitted in January 2024 fixed the issue by rejecting QUEUE/DROP verdict parameters, thus preventing exploitation. This fix has been backported to several stable kernel versions.
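As an added illustration (not code from the page or from the kernel), a simplified C model of the verdict check described above, with the pre-fix and post-fix validation side by side. The constants follow the kernel's uapi netfilter headers; the function names, the omitted jump/goto cases and the test value are assumptions of this example.

```c
/* Simplified, hypothetical model of nft_verdict_init()'s verdict validation
 * before and after the CVE-2024-1086 fix. Not kernel code. */
#include <stdio.h>

#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x0000ffff   /* low 16 bits: verdict; high 16: error */
#define NFT_CONTINUE     (-1)
#define NFT_BREAK        (-2)
#define NFT_RETURN       (-5)
#define EINVAL           22

/* The high 16 bits of a DROP verdict carry a negated errno; nf_hook_slow()
 * returns this value to its caller after freeing the skb. */
static int nf_drop_geterr(int verdict)
{
    return -(verdict >> 16);
}

/* Pre-fix logic: only the low 16 bits are checked, so a user-supplied
 * error field rides along with NF_DROP unexamined. */
int validate_verdict_vulnerable(int code)
{
    switch (code) {
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
        return 0;
    default:
        switch (code & NF_VERDICT_MASK) {
        case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
            return 0;
        default:
            return -EINVAL;
        }
    }
}

/* Post-fix logic (the "reject QUEUE/DROP verdict parameters" commit):
 * the whole word must equal a known verdict; any extra bits are rejected. */
int validate_verdict_fixed(int code)
{
    switch (code) {
    case NF_ACCEPT: case NF_DROP: case NF_QUEUE:
    case NFT_CONTINUE: case NFT_BREAK: case NFT_RETURN:
        return 0;
    default:
        return -EINVAL;
    }
}

/* Would this DROP verdict make nf_hook_slow()'s return value equal NF_ACCEPT,
 * so the caller keeps using an skb that was already freed? */
int drop_looks_like_accept(int code)
{
    return (code & NF_VERDICT_MASK) == NF_DROP && nf_drop_geterr(code) == NF_ACCEPT;
}
```

Feeding a DROP verdict whose error field is all ones (constructed value 0xffff0000) passes the vulnerable check, is rejected by the fixed one, and evaluates to NF_ACCEPT in the caller, which is the double-free condition the text describes.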

In late March 2024, a security researcher known as 'Notselwyn' published a detailed analysis and proof-of-concept (PoC) exploit on GitHub. This demonstrated how to exploit the flaw for local privilege escalation on Linux kernel versions between 5.14 and 6.6. While most Linux distributions promptly rolled out fixes, Red Hat did not release a fix until March, leaving systems potentially vulnerable to threat actors using the public exploit.

CISA did not provide specific details about the exploitation of the vulnerability, but there have been posts on hacking forums discussing the public exploits. The agency has now mandated federal agencies to apply the available patches by June 20, 2024. If updates are not feasible, administrators are advised to implement certain mitigations.

The second vulnerability added to the KEV catalog by CISA, also with a patching deadline of June 20, is CVE-2024-24919. This is an information disclosure vulnerability affecting VPN devices from Check Point. After the vendor disclosed the flaw and released a security update, researchers from Watchtowr Labs published their analysis, highlighting that the vulnerability is more severe than what Check Point's bulletin suggested.
