CISA warned users of a severe vulnerability in Linux under active attack. While the vulnerability has already received a fix, it remains a threat to unpatched systems, allowing the attackers to exploit the flaw.
Linux Vulnerability Found Under Active Attack Despite Patch
According to the latest advisory from CISA, a new Linux vulnerability has been under active attack, threatening users globally. CISA added this vulnerability to its Known Exploited Vulnerabilities (KEV) Catalog, confirming the active exploitation and the threat severity.
Identified as CVE-2024-1086, the vulnerability is a use-after-free flaw in the netfilter: nf_tables component. Exploiting it allows an adversary with local access to gain elevated privileges (such as root access) on the target Linux system. As stated in the NVD vulnerability description,
"A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT."
Linux developers patched this vulnerability in a January 2024 commit (commit f342de4e2f33e0e39165d8639387aa6c19dff660).
While CISA’s advisory doesn’t explain much about the exploit, the researcher with the alias “notselwyn” elaborated on it in a detailed post. The researcher also presented a PoC exploit (shared on GitHub), demonstrating the local privilege escalation.
Though the vulnerability swiftly received a fix, the threat became severe due to unpatched systems. As highlighted by Jonathan Wright, Red Hat Enterprise Linux (RHEL) developers didn’t push the fix in time, marking the vulnerability with a moderate severity level, which left many Linux systems vulnerable.
Understandably, unpatched systems are always lucrative for threat actors, often resulting in massive exploitation waves. Although exploitation of CVE-2024-1086 initially seemed limited, it still resulted in serious active attacks.
Deploy Patches By June 20th
Given the severity of the matter, CISA added this vulnerability to its KEV Catalog, instructing organizations to patch their systems by June 20, 2024. In cases where applying a patch isn't possible, CISA advised users to blocklist nf_tables, restrict access to user namespaces, and load the Linux Kernel Runtime Guard (LKRG) module.
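As an added example (not code from the article, from CISA, or from the researcher), here is a POSIX shell audit of the three mitigations listed above. Each check takes its input as text so it can be run on files captured from another host, and the script ships with constructed sample inputs; the sysctl names (user.max_user_namespaces on mainline kernels, kernel.unprivileged_userns_clone on Debian/Ubuntu kernels), the LKRG module names (p_lkrg in older releases, lkrg in current ones) and the paths read in --live mode are assumptions.

```shell
#!/bin/sh
# Added example, not part of the article or CISA's advisory: audit helpers
# for the three mitigations listed for CVE-2024-1086. Each check takes its
# input as text, so it can also be run on captured output from another host.
# Sysctl names are assumptions: user.max_user_namespaces (mainline) and
# kernel.unprivileged_userns_clone (Debian/Ubuntu kernels).

# 0 if a modprobe.d configuration blocklists nf_tables, either through a
# "blacklist nf_tables" line or an "install nf_tables /bin/false" override.
nft_blocklisted() {
    printf '%s\n' "$1" |
        grep -Eq '^[[:space:]]*(blacklist|install)[[:space:]]+nf_tables([[:space:]]|$)'
}

# 0 if unprivileged user namespaces are disabled, given `sysctl -a` output.
userns_restricted() {
    printf '%s\n' "$1" |
        grep -Eq '^(kernel\.unprivileged_userns_clone|user\.max_user_namespaces)[[:space:]]*=[[:space:]]*0[[:space:]]*$'
}

# 0 if the LKRG module is loaded, given /proc/modules (or lsmod) output.
# The module was called p_lkrg in older releases and lkrg in current ones.
lkrg_loaded() {
    printf '%s\n' "$1" | grep -Eq '^(p_)?lkrg[[:space:]]'
}

# Print one line per mitigation and return how many are missing (0-3).
# Arguments: modprobe.d contents, sysctl -a output, /proc/modules contents.
audit_mitigations() {
    missing=0
    if nft_blocklisted "$1"; then
        echo "ok       nf_tables blocklisted in modprobe.d"
    else
        echo "MISSING  nf_tables can still be loaded"; missing=$((missing + 1))
    fi
    if userns_restricted "$2"; then
        echo "ok       unprivileged user namespaces restricted"
    else
        echo "MISSING  unprivileged user namespaces allowed"; missing=$((missing + 1))
    fi
    if lkrg_loaded "$3"; then
        echo "ok       LKRG loaded"
    else
        echo "MISSING  LKRG not loaded"; missing=$((missing + 1))
    fi
    return "$missing"
}

# Constructed sample inputs, standing in for files captured from a host
# that has blocklisted nf_tables and disabled user namespaces but not LKRG.
SAMPLE_MODPROBE='# /etc/modprobe.d/cve-2024-1086.conf (constructed)
install nf_tables /bin/false'
SAMPLE_SYSCTL='kernel.unprivileged_userns_clone = 0
user.max_user_namespaces = 0'
SAMPLE_MODULES='nf_conntrack 172032 1 nf_nat, Live 0x0000000000000000'

if [ "${1:-}" = "--live" ]; then
    # Audit the running host instead of the constructed samples.
    audit_mitigations "$(cat /etc/modprobe.d/*.conf 2>/dev/null)" \
                      "$(sysctl -a 2>/dev/null)" \
                      "$(cat /proc/modules 2>/dev/null)" ||
        echo "$? mitigation(s) missing"
else
    audit_mitigations "$SAMPLE_MODPROBE" "$SAMPLE_SYSCTL" "$SAMPLE_MODULES" ||
        echo "$? mitigation(s) missing"
fi
```

Two caveats when acting on the result: a plain `blacklist nf_tables` line only stops the module from being auto-loaded by alias, so a tool that requests it by name can still load it, which is why the check also accepts an `install nf_tables /bin/false` override; and setting user.max_user_namespaces to 0 disables user namespaces for every process, which breaks rootless containers and some sandboxes, so confirm nothing on the host depends on them before applying it.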
Alongside this vulnerability, CISA added the recently highlighted Check Point VPN vulnerability, CVE-2024-24919, to its KEV Catalog.