Linux Systems at Risk: Patch CVE-2024-1086 Immediately
Security researcher Notselwyn has disclosed a Linux kernel vulnerability that allows a local attacker to gain root access. The flaw affects Linux kernel versions from 5.14 to 6.6.14.
The vulnerability, identified as CVE-2024-1086 with a CVSS score of 7.8, impacts many popular distributions, including Debian, Ubuntu, Red Hat, and Fedora. A double-free error in the Linux kernel’s netfilter component via nf_tables can lead to system crashes or arbitrary code execution. Linux kernel developers released patches to address this vulnerability at the end of January, and updates have since been distributed to users.
Notselwyn shared a detailed technical report on the flaw, revealing that an exploit was successful in 99.4% of attempts on kernel version 6.4.16. Notselwyn expressed particular delight in the project’s development, highlighting the thrill of gaining administrative rights for the first time by exploiting this vulnerability.
The flaw is a double-free in the nft_verdict_init() function, which can lead to system crashes or arbitrary code execution. Exploitation requires unprivileged user namespaces to be enabled, since that is what gives an unprivileged user access to nf_tables; this is the default setting in many distributions.
The exploit technique, dubbed Dirty Pagedirectory, gives an attacker unrestricted read and write access to every physical memory page on the system, and with it complete control over the vulnerable machine. The method uses the double-free to get the same kernel address allocated for both a Page Upper Directory (PUD) and a Page Middle Directory (PMD).
The researcher shared a Proof of Concept (PoC) exploit, described as “trivial” to execute. In essence, after rewriting the kernel’s modprobe_path variable, the exploit launches a shell with root privileges, leaving the system fully under the attacker’s control.
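The following script is an added defender-side triage check written for this article; it is not part of the article and is unrelated to the researcher's PoC. It uses only two facts the article states: the reported affected range (5.14 to 6.6.14) and the exploit precondition that unprivileged user namespaces are enabled. The sysctl knobs it reads are the Debian/Ubuntu kernel.unprivileged_userns_clone and the upstream user.max_user_namespaces; the function names and the 1000000/10000 version-key encoding are this example's own choices.

```sh
#!/bin/sh
# Added example for the CVE-2024-1086 article (not the article's or the
# researcher's code): a read-only triage check for a Linux host.

# kernel_version_key VERSION
# Reduce a release string such as "6.6.14-amd64" or "5.14" to a sortable
# integer: major*1000000 + minor*10000 + patch. Distro suffixes are dropped.
kernel_version_key() {
  clean=$(printf '%s' "$1" | sed 's/[^0-9.].*$//')
  old_ifs=$IFS
  IFS=.
  set -- $clean
  IFS=$old_ifs
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 10000 + ${3:-0} ))
}

# version_in_affected_range VERSION
# Exit 0 when VERSION lies in [5.14, 6.6.14], the range the article reports.
# This is a coarse first pass: distribution kernels backport fixes, so a
# kernel inside this range may already be patched (check the vendor advisory).
version_in_affected_range() {
  key=$(kernel_version_key "$1")
  [ "$key" -ge "$(kernel_version_key 5.14)" ] &&
    [ "$key" -le "$(kernel_version_key 6.6.14)" ]
}

# userns_disabled_by_sysctl CLONE MAXNS
# Pure helper. CLONE is the value of kernel.unprivileged_userns_clone
# (Debian/Ubuntu kernels; pass "" when the knob does not exist) and MAXNS the
# value of user.max_user_namespaces (upstream). Exit 0 when either setting
# turns unprivileged user namespaces off, which removes the precondition the
# article names for reaching nf_tables as an unprivileged user.
userns_disabled_by_sysctl() {
  [ "$1" = "0" ] || [ "$2" = "0" ]
}

# read_sysctl PATH: print the file's value, or nothing when it is absent.
read_sysctl() {
  [ -r "$1" ] && cat "$1"
  return 0
}

# host_report: apply both checks to the running kernel and print the result.
host_report() {
  release=$(uname -r)
  clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
  maxns=$(read_sysctl /proc/sys/user/max_user_namespaces)
  if version_in_affected_range "$release"; then
    printf 'kernel %s: inside the reported affected range, apply the distribution patch\n' "$release"
  else
    printf 'kernel %s: outside the reported affected range\n' "$release"
  fi
  if userns_disabled_by_sysctl "$clone" "$maxns"; then
    echo 'unprivileged user namespaces: disabled by sysctl (exploit precondition absent)'
  else
    echo 'unprivileged user namespaces: enabled or unrestricted (exploit precondition present)'
  fi
}

host_report
```

Run it as any user; it only reads /proc. A patched kernel is the fix; where patching must wait, the same two knobs the script reads can be set to 0 (kernel.unprivileged_userns_clone on Debian-family kernels, user.max_user_namespaces elsewhere) to take away the precondition the article describes, at the cost of breaking software that relies on unprivileged user namespaces, such as rootless containers and some browser sandboxes.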