A vulnerability (CVE-2024-1086) has been identified in Netfilter, a subsystem of the Linux kernel used to filter and modify network packets, which allows a local user to execute code at the kernel level and raise their privileges in the system. The problem is caused by double-free memory in the nf_tables module, which provides operation of the nftables batch filter. The security researcher who identified the vulnerability developed and published a working prototype of the exploit, applicable to Linux kernels starting from release 3.15 and ending with 6.8-rc1.
The exploit was demonstrated in the latest Debian and Ubuntu releases with Linux kernels 5.14 - 6.6, as well as in the environment with the KernelCTF (Capture the Flag) kernel, which includes additional patches to block typical methods of exploiting exploits and is used by Google in the program for paying rewards for finding vulnerabilities. The success rate of the exploit is estimated at 99.4%. The accompanying article explains in detail the process of creating a complex multi-level exploit and bypassing the mechanisms of protecting and countering the work of exploits that are present in the kernel.
The problem is related to an error in the nft_verdict_init () function, which allows using positive values as a DROP error code in hooks, which can be used to call the nf_hook_slow() function to re-release memory for a buffer for which the free () function was already called. The problem occurs when the NF_DROP operation is formed with an error and the kernel first interprets NF_DROP, but then frees the buffer and returns the NF_ACCEPT status. This situation leads to the fact that despite the release of the buffer associated with the packet, its processing is not stopped, but is passed to another handler, which in turn calls the memory release function for the second time.
The vulnerability appears starting from Linux kernel version 3.15, but the exploit works with kernels starting from 5.14. A fix for the vulnerability was proposed in the release of the Linux kernel 6.8-rc1 and was moved to the stable branches 5.15.149, 6.1.76 and 6.6.15 at the end of February.
Additionally, we can note a series of vulnerabilities in the ksmbd module, which offers a built-in Linux kernel implementation of a file server based on the SMB protocol: The vulnerability, CVE-2024-26592, allows you to remotely execute your code with kernel rights on systems with the activated ksmbd module without passing authentication. The problem is caused by a race condition in the TCP connection processing code, which occurs due to the lack of setting proper locks when working with an object.
The vulnerability, CVE-2023-52440, also allows you to remotely execute your code with kernel rights, but is caused by a buffer overflow when processing incorrect session keys due to the lack of proper verification of the size of data received from the user before copying it to a fixed-size buffer.
Vulnerabilities (1, 2, 3) CVE-2024-26594, CVE-2023-52442 and CVE-2023-52441 in ksmbd make it possible to determine the contents of kernel memory remotely without passing authentication. Vulnerability CVE-2024-26594 is caused by incorrect data validation when processing incoming SMB2 Mech tokens, which leads to data being returned from an area outside the buffer boundary. Vulnerability CVE-2023-52442 is caused by the lack of proper verification of input data when processing chained requests. Vulnerability CVE-2023-52441 is caused by the lack of necessary input validation when processing SMB2 connection negotiation requests.
Vulnerabilities CVE-2024-26594 and CVE-2024-26592 are fixed in kernel 6.8 and corrective updates of previous stable branches 6.1.75, 6.6.14, 6.7.2. Other vulnerabilities are fixed in kernel 6.5 and updates 5.15.145, 6.1.53, 6.4.16.
In conclusion, we can mention the activation of the new Linux kernel development team, which was created to analyze the presence of vulnerabilities and assess the relationship of fixes made in the kernel with security issues. In February, kernel developers created their own CNA (CVE Numbering Authority) service, which received the authority to independently assign CVE identifiers to vulnerabilities. Prior to this, adding a CVE and analyzing the connection between fixes and possible vulnerabilities fell on the shoulders of distribution developers, and in the kernel, potential vulnerabilities were not highlighted and appeared on a par with regular fixes. The results of the new service exceeded all expectations - up to several dozen new vulnerabilities are marked daily in the kernel that were not previously marked as security problems. For example, on March 26, new CVE IDs were assigned to 14 vulnerabilities that were not previously considered security issues, and on March 25, 41 vulnerabilities were assigned.
The exploit was demonstrated in the latest Debian and Ubuntu releases with Linux kernels 5.14 - 6.6, as well as in the environment with the KernelCTF (Capture the Flag) kernel, which includes additional patches to block typical methods of exploiting exploits and is used by Google in the program for paying rewards for finding vulnerabilities. The success rate of the exploit is estimated at 99.4%. The accompanying article explains in detail the process of creating a complex multi-level exploit and bypassing the mechanisms of protecting and countering the work of exploits that are present in the kernel.
The problem is related to an error in the nft_verdict_init () function, which allows using positive values as a DROP error code in hooks, which can be used to call the nf_hook_slow() function to re-release memory for a buffer for which the free () function was already called. The problem occurs when the NF_DROP operation is formed with an error and the kernel first interprets NF_DROP, but then frees the buffer and returns the NF_ACCEPT status. This situation leads to the fact that despite the release of the buffer associated with the packet, its processing is not stopped, but is passed to another handler, which in turn calls the memory release function for the second time.
The vulnerability appears starting from Linux kernel version 3.15, but the exploit works with kernels starting from 5.14. A fix for the vulnerability was proposed in the release of the Linux kernel 6.8-rc1 and was moved to the stable branches 5.15.149, 6.1.76 and 6.6.15 at the end of February.
Additionally, we can note a series of vulnerabilities in the ksmbd module, which offers a built-in Linux kernel implementation of a file server based on the SMB protocol: The vulnerability, CVE-2024-26592, allows you to remotely execute your code with kernel rights on systems with the activated ksmbd module without passing authentication. The problem is caused by a race condition in the TCP connection processing code, which occurs due to the lack of setting proper locks when working with an object.
The vulnerability, CVE-2023-52440, also allows you to remotely execute your code with kernel rights, but is caused by a buffer overflow when processing incorrect session keys due to the lack of proper verification of the size of data received from the user before copying it to a fixed-size buffer.
Vulnerabilities (1, 2, 3) CVE-2024-26594, CVE-2023-52442 and CVE-2023-52441 in ksmbd make it possible to determine the contents of kernel memory remotely without passing authentication. Vulnerability CVE-2024-26594 is caused by incorrect data validation when processing incoming SMB2 Mech tokens, which leads to data being returned from an area outside the buffer boundary. Vulnerability CVE-2023-52442 is caused by the lack of proper verification of input data when processing chained requests. Vulnerability CVE-2023-52441 is caused by the lack of necessary input validation when processing SMB2 connection negotiation requests.
Vulnerabilities CVE-2024-26594 and CVE-2024-26592 are fixed in kernel 6.8 and corrective updates of previous stable branches 6.1.75, 6.6.14, 6.7.2. Other vulnerabilities are fixed in kernel 6.5 and updates 5.15.145, 6.1.53, 6.4.16.
In conclusion, we can mention the activation of the new Linux kernel development team, which was created to analyze the presence of vulnerabilities and assess the relationship of fixes made in the kernel with security issues. In February, kernel developers created their own CNA (CVE Numbering Authority) service, which received the authority to independently assign CVE identifiers to vulnerabilities. Prior to this, adding a CVE and analyzing the connection between fixes and possible vulnerabilities fell on the shoulders of distribution developers, and in the kernel, potential vulnerabilities were not highlighted and appeared on a par with regular fixes. The results of the new service exceeded all expectations - up to several dozen new vulnerabilities are marked daily in the kernel that were not previously marked as security problems. For example, on March 26, new CVE IDs were assigned to 14 vulnerabilities that were not previously considered security issues, and on March 25, 41 vulnerabilities were assigned.
