The US cybersecurity agency CISA on Thursday warned organizations that threat actors are actively exploiting a recent vulnerability in the Linux kernel.
Tracked as CVE-2024-1086, the bug is described as a use-after-free issue in the ‘netfilter: nf_tables’ component. Its exploitation allows a local attacker to elevate their privileges.
Linux kernel versions between 5.14 and 6.6 are affected by the flaw, with the underlying issue potentially affecting all kernel iterations starting with version 3.15.
Patches were released in February 2024, with AlmaLinux, Debian, Gentoo, Red Hat, SUSE, and Ubuntu confirmed to be impacted. Other Linux distributions might be vulnerable as well.
In late March, Notselwyn, the bug hunter who discovered CVE-2024-1086, published proof-of-concept (PoC) code, claiming a 99.4% success rate and warning that the vulnerability is trivial to exploit.
The bug, the researcher explains in a technical writeup, is a double-free bug rooted in insufficient input sanitization in netfilter when nf_tables and unprivileged user namespaces are enabled.
“The exploit is data-only and performs a kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just read/writes to userland addresses,” Notselwyn notes. Dirty Pagedirectory is a variation of Dirty Pagetable.
Successful exploitation of the vulnerability leads to a crash or to arbitrary code execution in the kernel, and the researcher explains how the bug can be targeted to drop a universal root shell.
On Thursday, two months after the exploit was made public, CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are targeting it in the wild.
The agency made no mention of the flaw being exploited in ransomware attacks. No information appears to be available on the attacks involving CVE-2024-1086.
Per Binding Operational Directive (BOD) 22-01, federal agencies have until June 20 to apply the available patches or mitigations.
“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation,” the cybersecurity agency notes.
Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products
Related: ‘WallEscape’ Linux Vulnerability Leaks User Passwords
Related: Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor
