The Cybersecurity and Infrastructure Security Agency (CISA) has issued a serious warning after confirming that a critical flaw in the Linux Kernel, tracked as CVE-2024-1086, is being actively exploited in ongoing ransomware attacks targeting Linux systems worldwide.
The Flaw and Its Impact
CVE-2024-1086 is a use-after-free vulnerability in the Linux Kernel's netfilter: nf_tables component. The flaw arises because the nft_verdict_init() function improperly allows positive values to be used as a drop error within the hook verdict, which can lead to a double free when NF_DROP is mishandled.
While the faulty code originated from a commit introduced back in February 2014, the vulnerability wasn't officially disclosed until January 31, 2024, with a patch submitted that same month.
The Linux Kernel flaw affects versions 3.15 through 6.8-rc1, meaning a wide range of major Linux distributions are vulnerable. Impacted systems include popular versions of Ubuntu (18.04, 20.04, 22.04, 23.10), Red Hat Enterprise Linux (RHEL), and Debian.
Exploitation of CVE-2024-1086 allows an attacker who already has local access to escalate their privileges to root, granting full control of the compromised system. With root access, threat actors can disable security protections, install malware, move laterally within a network, steal data, and deploy ransomware payloads.
CISA Warning and Mitigation
CISA has now confirmed the active use of CVE-2024-1086 in ransomware attacks. The agency added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 30, 2024, and ordered federal agencies to apply security patches or mitigations no later than June 20, 2024. CISA officially described the flaw as a "frequent attack vector for malicious cyber actors," emphasizing the significant risks it poses to government and enterprise networks alike.
The risk is heightened by the public availability of an exploit. In late March 2024, a security researcher released a detailed write-up and a proof-of-concept (PoC) exploit for the vulnerability. The exploit has proven highly reliable, with success rates exceeding 99% in some tests.
System administrators are urgently advised to check their kernel version by running uname -r. To protect against exploitation:
- Update to Linux Kernel 6.8-rc2 or later, or apply vendor-provided patches immediately.
- Blocklist the nf_tables module if it is not strictly required.
- Restrict access to user namespaces to minimize the attack surface.
- Consider loading the Linux Kernel Runtime Guard (LKRG) module to add runtime protection.
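The following POSIX shell script is an added example (not code from the article or from CISA) that turns the checks above into something an administrator can run on a host: it compares the uname -r release string against the 3.15 to 6.8-rc1 range the article gives, reports whether the nf_tables module is loaded, checks whether unprivileged user namespaces are still permitted, and prints the modprobe.d drop-in used to blocklist nf_tables. The version range is the upstream one; distributions backport fixes, so a kernel inside that range may already carry the vendor patch and the version check should be read as a prompt to confirm, not as proof of exposure. The sysctl names user.max_user_namespaces (upstream) and kernel.unprivileged_userns_clone (Debian/Ubuntu only) are real kernel knobs; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article): audit a Linux host against the
# CVE-2024-1086 mitigation list. The affected range 3.15 .. 6.8-rc1 is taken
# from the article; vendor backports mean a kernel in that range may already
# be fixed, so a FINDING here means "verify", not "vulnerable".
set -eu

# kernel_affected RELEASE
#   Returns 0 when RELEASE (uname -r format, e.g. "5.15.0-91-generic") falls in
#   the upstream-affected range 3.15 <= v < 6.8-rc2, 1 otherwise. A 6.8 release
#   candidate reports itself as "6.8.0-rcN", which is why the suffix is parsed.
kernel_affected() {
    rel=$1
    base=${rel%%-*}                      # "5.15.0" from "5.15.0-91-generic"
    suffix=${rel#"$base"}                # "", "-rc1", "-91-generic", ...
    major=$(printf '%s' "$base" | cut -d. -f1)
    minor=$(printf '%s' "$base" | cut -d. -f2)
    [ "$major" = "$base" ] && minor=0    # no dot at all: no minor component
    case $major in ''|*[!0-9]*) return 1 ;; esac
    case $minor in ''|*[!0-9]*) return 1 ;; esac
    key=$((major * 1000 + minor))        # 5.15 -> 5015, 6.8 -> 6008
    [ "$key" -ge 3015 ] || return 1      # older than 3.15: not affected
    [ "$key" -lt 6008 ] && return 0      # 3.15 .. 6.7.x: affected upstream
    [ "$key" -eq 6008 ] || return 1      # 6.9 and later: fixed
    case $suffix in
        -rc1|-rc1-*) return 0 ;;         # 6.8-rc1 is still affected
        *) return 1 ;;                   # 6.8-rc2+ and 6.8 final carry the fix
    esac
}

# nf_tables_blocklist_conf
#   Prints the modprobe.d(5) drop-in for the "blocklist nf_tables" step.
#   "install ... /bin/false" stops an explicit modprobe; "blacklist" alone only
#   disables alias-based autoloading, so both lines are emitted.
nf_tables_blocklist_conf() {
    printf 'install nf_tables /bin/false\nblacklist nf_tables\n'
}

# userns_restricted
#   Returns 0 when unprivileged user namespaces are disabled, via the upstream
#   user.max_user_namespaces sysctl or, where the file exists, the
#   Debian/Ubuntu-specific kernel.unprivileged_userns_clone knob.
userns_restricted() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = 0 ]; then
        return 0
    fi
    [ -r /proc/sys/user/max_user_namespaces ] &&
        [ "$(cat /proc/sys/user/max_user_namespaces)" = 0 ]
}

# audit_host
#   Runs the live checks on this machine and prints one line per check plus a
#   findings count. Always returns 0; the printed count is the result.
audit_host() {
    findings=0
    running=$(uname -r)
    if kernel_affected "$running"; then
        echo "FINDING: kernel $running is inside the affected range; confirm a vendor backport or update to 6.8-rc2+"
        findings=$((findings + 1))
    else
        echo "OK: kernel $running is outside the affected range"
    fi
    # A kernel with nf_tables built in (not a module) will not show up here;
    # check CONFIG_NF_TABLES in the kernel config for that case.
    if [ -r /proc/modules ] && grep -q '^nf_tables ' /proc/modules; then
        echo "FINDING: nf_tables module is loaded; if unneeded, install the drop-in printed by nf_tables_blocklist_conf"
        findings=$((findings + 1))
    else
        echo "OK: nf_tables is not loaded as a module"
    fi
    if userns_restricted; then
        echo "OK: unprivileged user namespaces are disabled"
    else
        echo "FINDING: unprivileged user namespaces are allowed (sysctl user.max_user_namespaces=0 restricts them)"
        findings=$((findings + 1))
    fi
    echo "findings: $findings"
}

# Usage: sh audit.sh audit   (the argument keeps the live checks out of library use)
if [ "${1:-}" = audit ]; then
    audit_host
fi
```

Run it as sh audit.sh audit on each host; the version comparison is deliberately kept in its own function so it can be exercised offline against known release strings before trusting it in a fleet-wide job.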