Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

CISA Warns of Exploited Linux Kernel Vulnerability

CISA instructs federal agencies to mitigate CVE-2024-1086, a Linux kernel flaw leading to privilege escalation.

The US cybersecurity agency CISA on Thursday warned organizations that threat actors are actively exploiting a recent vulnerability in the Linux kernel.

Tracked as CVE-2024-1086, the bug is described as a use-after-free issue in the ‘netfilter: nf_tables’ component. Its exploitation allows a local attacker to elevate their privileges.

Linux kernel versions between 5.14 and 6.6 are affected by the flaw, with the underlying issue potentially affecting all kernel iterations starting with version 3.15.

Patches were released in February 2024, with AlmaLinux, Debian, Gentoo, Red Hat, SUSE, and Ubuntu confirmed to be impacted. Other Linux distributions might be vulnerable as well.

In late March, Notselwyn, the bug hunter who discovered CVE-2024-1086, published proof-of-concept (PoC) code, claiming a 99.4% success rate and warning that the vulnerability is trivial to exploit.

The bug, the researcher explains in a technical writeup, is a double-free bug rooted in insufficient input sanitization in netfilter when nf_tables and unprivileged user namespaces are enabled.

“The exploit is data-only and performs a kernel-space mirroring attack (KSMA) from userland with the novel Dirty Pagedirectory technique (pagetable confusion), where it is able to link any physical address (and its permissions) to virtual memory addresses by performing just read/writes to userland addresses,” Notselwyn notes. Dirty Pagedirectory is a variation of Dirty Pagetable.

Successful exploitation of the vulnerability leads to a crash or to arbitrary code execution in the kernel, and the researcher explains how the bug can be targeted to drop a universal root shell.

Advertisement. Scroll to continue reading.

On Thursday, two months after the exploit was made public, CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) catalog, warning that threat actors are targeting it in the wild. 

The agency made no mention of the flaw being exploited in ransomware attacks. No information appears to be available on the attacks involving CVE-2024-1086.

Per Binding Operational Directive (BOD) 22-01, federal agencies have until June 20 to apply the available patches or mitigations.

“Although BOD 22-01 only applies to FCEB agencies, CISA strongly urges all organizations to reduce their exposure to cyberattacks by prioritizing timely remediation,” the cybersecurity agency notes.

Related: CISA Warns of Exploited Vulnerabilities in EOL D-Link Products

Related: ‘WallEscape’ Linux Vulnerability Leaks User Passwords

Related: Supply Chain Attack: Major Linux Distributions Impacted by XZ Utils Backdoor

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Gabriel Agboruche has been named Executive Director of OT and Cybersecurity at Jacobs.

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

More People On The Move

Expert Insights