<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Aptos;}
@font-face
{font-family:Inter;
panose-1:0 0 0 0 0 0 0 0 0 0;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#467886;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
font-size:11.0pt;
font-family:"Aptos",sans-serif;
mso-ligatures:standardcontextual;}
span.EmailStyle20
{mso-style-type:personal-reply;
font-family:"Aptos",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;
mso-ligatures:none;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1425567221;
mso-list-template-ids:794735032;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1
{mso-list-id:1496217853;
mso-list-type:hybrid;
mso-list-template-ids:1152963076 67698689 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#467886" vlink="#96607D" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">Good morning,<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif">The SOC Services team is reporting on the vulnerability:
<b>CVE-2024-1086: Linux Kernel Use-After-Free Vulnerability</b>. Due to its high visibility and knowledge of the software installed in the state environment, we are providing this in-depth information:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <span style="mso-ligatures:standardcontextual"><o:p></o:p></span></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">History</span></u></b><span style="font-family:"Calibri",sans-serif">: On January 31, 2024, CVE2024-1086:<b> Linux Kernel Use-After-Free Vulnerability</b> was released by the National
Vulnerability Database (NVD). The vulnerability currently was assigned a CVSSv3 score of 7.8. Additionally, this vulnerability has been released by CISA through its Known Exploited Vulnerability Catalog on May 30, 2024.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal"><u><span style="font-family:"Calibri",sans-serif">Affected Versions:<o:p></o:p></span></u></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"><o:p> </o:p></span></p>
<p class="MsoNormal">The number of affected operating systems is extensive; therefore, we will not be providing a list of affected software. However, you can use Tenable’s Plugin CVE site to view the list of plugins and affected operating systems. The website
link is: <a href="https://www.tenable.com/cve/CVE-2024-1086/plugins"><span style="color:windowtext">https://www.tenable.com/cve/CVE-2024-1086/plugins</span></a>.<span style="font-family:"Calibri",sans-serif;background:yellow;mso-highlight:yellow"><o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;background:yellow;mso-highlight:yellow"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Intelligence</span></u></b><span style="font-family:"Calibri",sans-serif">: As of April 10, 2024, the vulnerability has been confirmed as being exploited in the wild.
<span style="background:yellow;mso-highlight:yellow"><o:p></o:p></span></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif;background:yellow;mso-highlight:yellow"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Workarounds:</span></u></b><span style="font-family:"Calibri",sans-serif"> While not a workaround, Ubuntu has provided the following mitigation: If not needed, disable the ability for
unprivileged usersto create namespaces. <o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">To do this temporarily:<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><o:p><span style="text-decoration:none"> </span></o:p></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> sudo sysctl -w kernel.unprivileged_userns_clone=0<o:p></o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">To disable across reboots:<o:p></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><o:p><span style="text-decoration:none"> </span></o:p></u></b></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> echo kernel.unprivileged_userns_clone=0 | \<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> sudo tee /etc/sysctl.d/99-disable-unpriv-userns.conf<o:p></o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif;background:yellow;mso-highlight:yellow"><o:p><span style="text-decoration:none"> </span></o:p></span></u></b></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">How it works</span></u></b><span style="font-family:"Calibri",sans-serif">: CVE-2024-1086 is a memory corruption flaw within the ‘nft_verdict_init()’ function of the Netfilter subsystem
in the Linux kernel. This vulnerability arises from mishandling positive values as drop errors within the hook verdict during network packet evaluation. If the system misinterprets a drop action 'NF_DROP' as an acceptance action 'NF_ACCEPT', it may cause the
'nf_hook_slow()' function, responsible for processing network packets, to mistakenly attempt to free a memory address that has already been freed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif;background:yellow;mso-highlight:yellow"><o:p> </o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Post-Exploit</span></u></b><span style="font-family:"Calibri",sans-serif">:
<span style="color:#222222;background:white">Successful exploitation would allow threat actors to gain
</span><span style="color:black;background:white">access </span></span><span style="font-family:"Inter",serif;color:#222222;background:white">on the affected system.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Inter",serif;color:#222222;background:white"><o:p> </o:p></span></p>
<p class="MsoNormal" style="margin-bottom:12.0pt"><span style="font-family:"Calibri",sans-serif">As of May 30, 2024, Tenable has 107 plugins for this vulnerability, which can be found here:
<a href="https://www.tenable.com/plugins/search?q=%22CVE-2024-1086%22&sort=&page=1">
https://www.tenable.com/plugins/search?q=%22CVE-2024-1086%22&sort=&page=1</a>. Alternatively, you can log into Tenable.sc and utilize the search bar at the top right corner on your dashboard, enter CVE-2024-1086 to find the results.<o:p></o:p></span></p>
<p class="MsoNormal"><b><u><span style="font-family:"Calibri",sans-serif">Recommended Actions</span></u></b><span style="font-family:"Calibri",sans-serif">:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-family:"Calibri",sans-serif"> <o:p></o:p></span></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoNormal" style="mso-list:l1 level1 lfo3">Verify host has not been compromised before applying patches.<o:p></o:p></li><li class="MsoListParagraph" style="margin-left:0in;mso-list:l1 level1 lfo3">Apply appropriate updates provided by vendor to vulnerable systems immediately after appropriate testing.<o:p></o:p></li><li class="MsoNormal" style="mso-list:l1 level1 lfo3">Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.<o:p></o:p></li><li class="MsoNormal" style="mso-list:l1 level1 lfo3">Apply the Principle of Least Privilege to all systems and services<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="702" style="width:526.5pt;border-collapse:collapse">
<tbody>
<tr style="height:63.0pt">
<td width="118" valign="top" style="width:88.35pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><span style="color:#1F497D"><img border="0" width="121" height="87" style="width:1.2604in;height:.9062in" id="Picture_x0020_4" src="cid:image001.png@01DAB285.1D4B2770"></span><span style="color:#1F497D"><o:p></o:p></span></p>
</td>
<td width="493" valign="top" style="width:369.65pt;padding:0in 4.65pt 0in 4.65pt;height:63.0pt">
<p class="MsoNormal" style="line-height:105%"><b>Cyber Security Services<o:p></o:p></b></p>
<p class="MsoNormal" style="line-height:105%">State of Oregon Cyber Security Services<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Enterprise Information Services | SOC<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">Cyber Security Services (CSS)<o:p></o:p></p>
<p class="MsoNormal" style="line-height:105%">SOC Hotline: (503) 378-5930 | SOC Services (503) 373-0378<span style="color:#1F497D"><o:p></o:p></span></p>
</td>
</tr>
<tr>
<td width="611" colspan="2" valign="top" style="width:458.05pt;padding:0in 4.65pt 0in 4.65pt">
<p class="MsoNormal" style="line-height:105%"><i><span style="color:#2E74B5">“Ensuring user-friendly, reliable and secure state technology systems that serve Oregonians.”<o:p></o:p></span></i></p>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><span style="mso-ligatures:standardcontextual"><o:p> </o:p></span></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>