CISA Alerts on Extensively Exploited Linux Privilege Elevation Vulnerability

Linux Privilege Elevation Vulnerabilities

The two new vulnerabilities that the U.S. Cybersecurity & Infrastructure Security Agency (CISA) has added to its list of known exploited vulnerabilities (KEV) are both related to the privilege elevation of the Linux kernel.

  • A new Linux kernel security vulnerability has been added by CISA to its list of known exploited vulnerabilities (KEVs).
  • Attackers can escalate their privileges through the CVE-2024-1086 vulnerability, which even permits the execution of arbitrary code.

What’s CVE-2024-1086?

CVE-2024-1086 (CVSS score: 7.8) is a high-severity vulnerability that stems from a netfilter component use-after-free issue that allows a local attacker to escalate privileges from a regular user to root and potentially execute arbitrary code.

The flaw was introduced by a commit in February 2014 and was first discovered on January 31, 2024, as a use-after-free issue in the netfilter: nf_tables component.

The Linux kernel offers a framework called Netfilter that facilitates several networking-related functions, including filtering of packets, network address translation (NAT), and packet mangling.

The vulnerability stems from the fact that the ‘nft_verdict_init()’ function permits positive values to be used as a drop error within the hook verdict. This leads to the execution of a double free in the ‘nf_hook_slow()’ function when NF_DROP is delivered with a drop error that looks similar to NF_ACCEPT.

An attacker with local access can escalate their privileges on the target system and could potentially gain root-level access by taking advantage of CVE-2024-1086.

A commit made in January 2024 resolved the issue by rejecting QUEUE/DROP verdict parameters, which blocks exploitation.

The vulnerability has been known to be actively exploited since January 2024, despite a patch being available since then. Although it is advised that government entities implement the patches by June 20, 2024, CISA has not disclosed any information about the specific types of attacks that take advantage of this vulnerability.

CISA updated its KEV catalogue with a new vulnerability, CVE-2024-24919, that affects Check Point network gateway security solutions.

Attackers can read data from gateways with remote access VPNs or mobile access enabled because of this vulnerability. Threat actors have used it to gain access to remote firewalls and attack corporate networks.

Security Recommendations

Administrators are advised to implement the following mitigations if updating is not feasible:

  • If ‘nf_tables’ is not required or is not being utilised, blocklist it.
  • Limit the attack surface by limiting user namespace access.
  • Load the Linux Kernel Runtime Guard (LKRG) module.
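
A read-only check of the three mitigations above, as an added example that is not part of the original article. The modprobe.d, /proc/modules and /proc/sys paths are the usual Linux defaults, and the sysctl names and LKRG module names (lkrg, formerly p_lkrg) are assumptions not taken from the article.

```shell
#!/bin/sh
# Added example: read-only audit of the three mitigations listed above.
# Default paths are the usual Linux locations (assumed); pass others to test.

# 0 if a modprobe.d file blocklists nf_tables. "blacklist" stops autoloading;
# "install nf_tables /bin/false" also stops an explicit modprobe.
nft_blocklisted() {
    dir=${1:-/etc/modprobe.d}
    grep -Eqs '^[[:space:]]*(blacklist[[:space:]]+nf_tables[[:space:]]*$|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))' "$dir"/*.conf
}

# 0 if the named module is listed in a /proc/modules-format file.
module_loaded() {
    grep -qs "^$1 " "${2:-/proc/modules}"
}

# 0 if unprivileged user namespaces are disabled. user.max_user_namespaces is
# the upstream sysctl; kernel.unprivileged_userns_clone is Debian/Ubuntu only.
userns_restricted() {
    root=${1:-/proc/sys}
    [ "$(cat "$root/user/max_user_namespaces" 2>/dev/null)" = 0 ] && return 0
    [ "$(cat "$root/kernel/unprivileged_userns_clone" 2>/dev/null)" = 0 ]
}

# Print one line per mitigation and a count of those missing on this host.
audit_host() {
    missing=0
    if nft_blocklisted; then echo "PASS nf_tables is blocklisted"
    else echo "FAIL nf_tables is not blocklisted"; missing=$((missing + 1)); fi
    if module_loaded nf_tables; then
        echo "NOTE nf_tables is loaded now; a blocklist only stops future loads"
    fi
    if userns_restricted; then echo "PASS unprivileged user namespaces disabled"
    else echo "FAIL unprivileged user namespaces allowed"; missing=$((missing + 1)); fi
    # LKRG registers as "lkrg"; releases before 0.9.0 used "p_lkrg" (assumed names).
    if module_loaded lkrg || module_loaded p_lkrg; then echo "PASS LKRG is loaded"
    else echo "FAIL LKRG is not loaded"; missing=$((missing + 1)); fi
    echo "$missing of 3 mitigations missing"
}

audit_host
```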

Organizations must embrace a proactive, intelligence-driven strategy for cyber security because of the ever-present and dynamic nature of cyber threats, such as those that take advantage of CVE-2024-24919.

To keep your security posture adaptable to evolving challenges, a variety of security recommendations and updates offer the most advanced capacity to identify, assess, and remove risks safely and instantly.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.
