[CDP-development] TLP: Green (Zero-Day Alert Notification): CVE-2024-1086 - Linux Kernel Use-After-Free Vulnerability
CSS Security Operations Services * DAS
css-soc-services at das.oregon.gov
Fri May 31 07:34:37 PDT 2024
Good morning,
The SOC Services team is reporting on the vulnerability: CVE-2024-1086: Linux Kernel Use-After-Free Vulnerability. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:
History: On January 31, 2024, CVE-2024-1086: Linux Kernel Use-After-Free Vulnerability was released by the National Vulnerability Database (NVD). The vulnerability is currently assigned a CVSSv3 score of 7.8. Additionally, CISA added this vulnerability to its Known Exploited Vulnerabilities Catalog on May 30, 2024.
Affected Versions:
The number of affected operating systems is extensive; therefore, we will not be providing a list of affected software. However, you can use Tenable's Plugin CVE site to view the list of plugins and affected operating systems. The website link is: https://www.tenable.com/cve/CVE-2024-1086/plugins.
Intelligence: As of April 10, 2024, the vulnerability has been confirmed as being exploited in the wild.
Workarounds: While not a workaround, Ubuntu has provided the following mitigation: If not needed, disable the ability for unprivileged users to create namespaces.
To do this temporarily:
sudo sysctl -w kernel.unprivileged_userns_clone=0
To disable across reboots:
echo kernel.unprivileged_userns_clone=0 | \
sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf
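To confirm the mitigation above is in place both now and after a reboot, the following check can be run on a host. It is an added example, not part of the original advisory or of Ubuntu's guidance; the PROC_SYS and SYSCTL_D overrides and the state names it prints are assumptions of this example, and it inspects only /etc/sysctl.d, where the command above writes.

```shell
#!/bin/sh
# Added example: audit the unprivileged-userns mitigation on one host.
# PROC_SYS and SYSCTL_D can be overridden to check a mounted image or a
# test fixture (an assumption of this example, not a standard interface).
PROC_SYS="${PROC_SYS:-/proc/sys}"
SYSCTL_D="${SYSCTL_D:-/etc/sysctl.d}"
KEY="kernel.unprivileged_userns_clone"

# Prints the last persisted value of $KEY, or nothing if none is set.
# Files are read in lexical order because later files override earlier ones.
persisted_value() {
    for f in "$SYSCTL_D"/*.conf; do
        [ -r "$f" ] && cat "$f"
    done | sed -n "s/^[[:space:]]*$KEY[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p" | tail -n 1
}

# Prints one of: unsupported, exposed, runtime-only, persist-only, mitigated
userns_mitigation_state() {
    knob="$PROC_SYS/kernel/unprivileged_userns_clone"
    # The knob comes from a Debian/Ubuntu kernel patch; other kernels lack it.
    [ -r "$knob" ] || { echo unsupported; return 0; }
    runtime=$(cat "$knob")
    persisted=$(persisted_value)
    if [ "$runtime" = 0 ] && [ "$persisted" = 0 ]; then
        echo mitigated
    elif [ "$runtime" = 0 ]; then
        echo runtime-only      # set with sysctl -w only; reverts at next reboot
    elif [ "$persisted" = 0 ]; then
        echo persist-only      # file written but value not yet loaded
    else
        echo exposed
    fi
}

userns_mitigation_state
```

A result of runtime-only or persist-only means only one of the two commands above has taken effect; unsupported means the kernel does not offer this setting and the mitigation cannot be applied this way.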
How it works: CVE-2024-1086 is a memory corruption flaw within the 'nft_verdict_init()' function of the Netfilter subsystem in the Linux kernel. This vulnerability arises from mishandling positive values as drop errors within the hook verdict during network packet evaluation. If the system misinterprets a drop action 'NF_DROP' as an acceptance action 'NF_ACCEPT', it may cause the 'nf_hook_slow()' function, responsible for processing network packets, to mistakenly attempt to free a memory address that has already been freed.
Post-Exploit: Successful exploitation would allow threat actors to gain access on the affected system.
As of May 30, 2024, Tenable has 107 plugins for this vulnerability, which can be found here: https://www.tenable.com/plugins/search?q=%22CVE-2024-1086%22&sort=&page=1. Alternatively, you can log into Tenable.sc, use the search bar at the top right corner of your dashboard, and enter CVE-2024-1086 to find the results.
Recommended Actions:
* Verify host has not been compromised before applying patches.
* Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.
* Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
* Apply the Principle of Least Privilege to all systems and services
Cyber Security Services
State of Oregon Cyber Security Services
Enterprise Information Services | SOC
Cyber Security Services (CSS)
SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378
"Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians."