Full Report
Red Hat security advisory (AV26-318)
Analysis Summary
# Vulnerability: Multiple Linux Kernel Flaws in Red Hat Enterprise Linux
## CVE Details
- **CVE ID:** CVE-2024-1086, CVE-2024-1085, CVE-2023-52447 (and others associated with the referenced kernel update cycle)
- **CVSS Score:** 7.8 (High) for each of the three named CVEs (CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H); other issues in the same update cycle are rated up to 8.8.
- **CWE:** CWE-416 (Use After Free) for CVE-2024-1086, CVE-2024-1085 and CVE-2023-52447; CWE-787 (Out-of-bounds Write) for other issues in the cycle.
## Affected Systems
- **Products:**
- Red Hat CodeReady Linux Builder
- Red Hat Enterprise Linux (RHEL)
- Red Hat Enterprise Linux Server
- Red Hat Enterprise Linux for Real Time
- **Versions:**
- RHEL 7, 8, and 9 (including sub-variants for ARM, Power, z Systems, and x86_64)
- **Configurations:** Systems running affected kernel builds. The two `nf_tables` flaws are reachable by any local user who can create a user namespace (unprivileged user namespaces are enabled by default on RHEL 8 and 9), because a user namespace grants `CAP_NET_ADMIN` over its own network namespace and that capability is all `nf_tables` checks. CVE-2023-52447 is in the BPF subsystem (an inner map of a map-of-maps freed while still in use), not a filesystem driver.
## Vulnerability Description
This advisory covers several high-severity flaws in the Linux kernel. The primary concern in this update cycle is CVE-2024-1086, a use-after-free (in practice a double free of the packet buffer) in the `netfilter: nf_tables` component: `nft_verdict_init()` accepted a positive error value together with the `NF_DROP` verdict, a combination that `nf_hook_slow()` handles as if the packet had been accepted, so the `sk_buff` is freed twice. Upstream fixed it in the commit "netfilter: nf_tables: reject QUEUE/DROP verdict parameters". CVE-2024-1085 is a second double free in the same subsystem, in `nft_setelem_catchall_deactivate()`, which checked whether a catch-all set element was active in the current generation rather than the next one before freeing it. CVE-2023-52447 is a use-after-free in BPF when an inner map is removed from a map-of-maps while a running program may still reference it. A local attacker can use these flaws to crash the system (Denial of Service) or, with a public exploit, achieve **Local Privilege Escalation (LPE)** to root.
## Exploitation
- **Status:** **PoC available / exploited in the wild.** A public proof-of-concept exploit for CVE-2024-1086 was released in March 2024 and is reported to work on RHEL-based kernels; CISA added the CVE to its Known Exploited Vulnerabilities catalog in May 2024.
- **Complexity:** Low to Medium
- **Attack Vector:** Local. Requires an unprivileged local account; the `nf_tables` code path needs `CAP_NET_ADMIN`, which the exploit obtains by creating a user namespace (and a network namespace inside it) when `user.max_user_namespaces` is non-zero, the RHEL 8 and 9 default.
## Impact
- **Confidentiality:** High (Full access to system data if root is gained)
- **Integrity:** High (Ability to modify system files and kernel memory)
- **Availability:** High (Can lead to immediate system crashes/Kernel Panic)
## Remediation
### Patches
Red Hat has released updated kernel packages for all supported platforms. Users should update to the following versions or later. The fixed NVR differs between minor releases and between the main, EUS and AUS streams, so confirm the one for your stream against the RHSA that lists the CVE before treating a host as patched, and remember that the running kernel (`uname -r`), not merely the installed package, is what matters until the host is rebooted:
- **RHEL 9:** `kernel-5.14.0-427.11.1.el9_4`
- **RHEL 8:** `kernel-4.18.0-553.el8_10`
- **RHEL 7:** `kernel-3.10.0-1160.114.1.el7`
### Workarounds
- **Disable Unprivileged User Namespaces:** The public exploits create a user namespace to obtain `CAP_NET_ADMIN` and reach the vulnerable `nf_tables` code path, so setting `user.max_user_namespaces` to 0 removes the unprivileged trigger. It does not protect against code that already runs as root or with `CAP_NET_ADMIN`, and it breaks rootless Podman, Flatpak and other sandboxes that depend on user namespaces.
- Command (live): `sysctl -w user.max_user_namespaces=0`
- Command (persistent): write `user.max_user_namespaces = 0` to a file under `/etc/sysctl.d/`; a bare `echo 0 > /proc/sys/user/max_user_namespaces` is lost at reboot.
- **Restrict nf_tables:** If the host does not need it, prevent the module from loading with an `install nf_tables /bin/false` line in a file under `/etc/modprobe.d/`. This is more robust than a `blacklist` line, which only stops loading by alias and not an explicit `modprobe nf_tables`. Check `lsmod | grep nf_tables` first: if the module is already loaded, the rule only takes effect after a reboot. On RHEL 8 and 9, `firewalld` and the `iptables` commands are both nftables-based, so this workaround leaves the host without a packet filter and is only suitable for systems that do not run a netfilter firewall.
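The following POSIX shell script is an added example for the Patches and Workarounds sections above; it is not Red Hat tooling and is not part of the original advisory. It compares a kernel NVR against a fixed NVR segment by segment (plain string comparison gets `553.5.1` versus `553` wrong), reports whether the two workarounds are in place, and can write them out. The file names it creates under `/etc/sysctl.d` and `/etc/modprobe.d` are this example's own choices, and the fixed NVR is something you supply after confirming it against the RHSA for your stream.

```shell
#!/bin/sh
# Added example (not Red Hat tooling): kernel NVR comparison plus a status
# check and installer for the two advisory workarounds. File names under
# /etc/sysctl.d and /etc/modprobe.d are hypothetical choices of this example.

# nvr_cmp A B: print -1, 0 or 1 for A<B, A==B, A>B. The arch suffix that
# `uname -r` appends (.x86_64 etc.) and the dist tag (.el9_4) are stripped,
# then the remaining numeric segments of version-release are compared.
nvr_cmp() {
    printf '%s\n%s\n' "$1" "$2" | awk '
    {
        sub(/\.(x86_64|aarch64|ppc64le|s390x)$/, "")
        sub(/\.el[0-9_]+$/, "")
        n[NR] = split($0, seg, /[.-]/)
        for (i = 1; i <= n[NR]; i++) v[NR, i] = seg[i] + 0
    }
    END {
        max = (n[1] > n[2]) ? n[1] : n[2]
        for (i = 1; i <= max; i++) {
            a = ((1, i) in v) ? v[1, i] : 0   # a missing segment counts as 0
            b = ((2, i) in v) ? v[2, i] : 0
            if (a < b) { print "-1"; exit }
            if (a > b) { print "1"; exit }
        }
        print "0"
    }'
}

# kernel_needs_update RUNNING FIXED: true when RUNNING is older than FIXED.
kernel_needs_update() {
    [ "$(nvr_cmp "$1" "$2")" = "-1" ]
}

# True when user.max_user_namespaces is 0. $1 overrides the sysctl file
# (used for offline testing); the default is the live kernel value.
userns_disabled() {
    f="${1:-/proc/sys/user/max_user_namespaces}"
    [ -r "$f" ] && [ "$(cat "$f")" = "0" ]
}

# True when some *.conf in the modprobe.d directory ($1) refuses to load
# nf_tables via an "install nf_tables /bin/false" (or /bin/true) rule.
nft_blocked() {
    d="${1:-/etc/modprobe.d}"
    grep -Eqs '^[[:space:]]*install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true)' "$d"/*.conf
}

# Write both workarounds below $1 (empty for the real root filesystem).
# The sysctl is applied live only on the real root; the modprobe rule only
# affects future loads, so reboot if nf_tables is already loaded.
apply_workarounds() {
    root="${1-}"
    mkdir -p "$root/etc/sysctl.d" "$root/etc/modprobe.d"
    printf 'user.max_user_namespaces = 0\n' > "$root/etc/sysctl.d/99-disable-userns.conf"
    printf 'install nf_tables /bin/false\n' > "$root/etc/modprobe.d/nf_tables-deny.conf"
    if [ -z "$root" ]; then
        sysctl -w user.max_user_namespaces=0
    fi
}

# Usage on a host: ./check.sh --check <fixed-kernel-NVR-for-your-stream>
if [ "${1-}" = "--check" ]; then
    fixed="${2:?usage: $0 --check <fixed-kernel-NVR>}"
    running=$(uname -r)
    if kernel_needs_update "$running" "$fixed"; then
        echo "kernel $running is older than $fixed: update and reboot required"
    else
        echo "kernel $running is at or above $fixed"
    fi
    userns_disabled && echo "user namespaces: disabled" || echo "user namespaces: ENABLED"
    nft_blocked && echo "nf_tables: load blocked by modprobe rule" || echo "nf_tables: loadable"
fi
```

`nvr_cmp` ignores the dist tag on purpose: `el9_4` versus `el9_3` is already expressed by the release numbers before it, and the check must work on whatever `uname -r` returns, which carries the architecture suffix that `rpm -q kernel` does not.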
## Detection
- **Indicators of compromise:** Unexpected executables in `/tmp` or `/dev/shm`, new members of the `wheel` group or new entries in `/etc/sudoers` and `/etc/sudoers.d/` (there is no "sudoers" group), and kernel oops or panic messages mentioning `nf_tables` or `nft_` symbols, since a failed exploitation attempt usually leaves a crash rather than a clean escalation. Audit records of `unshare` or `clone` with `CLONE_NEWUSER` from a non-root account are a useful precursor signal, although noisy on hosts that run rootless containers or Flatpak.
- **Detection methods:** Use vulnerability scanners (OpenSCAP with the Red Hat OVAL feed, Nessus or Qualys) to compare installed kernel packages against the advisory; on the host itself, `oscap oval eval` against the downloaded OVAL file does the same. Also check the running kernel with `uname -r`: a fixed package that has been installed but not booted still leaves the vulnerable kernel in memory.
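As an added example for the detection section (not part of the original advisory, and not Red Hat tooling), the script below prints the audit rule that records namespace creation and then filters auditd `SYSCALL` records for `unshare` or `clone` calls carrying `CLONE_NEWUSER` from a non-root uid. It assumes x86_64 (where `unshare` is syscall 272, `clone` is 56 and `a0` holds the flags for both) and the rule key `userns`; the sample audit lines are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the advisory): flag unprivileged user-namespace
# creation in auditd records. Assumes x86_64 syscall numbers (unshare=272,
# clone=56) and that a0 carries the clone flags; CLONE_NEWUSER is 0x10000000.

# The audit.rules line (hypothetical key name) that produces the records
# scanned below; load it with auditctl or drop it into /etc/audit/rules.d/.
userns_audit_rule() {
    printf '%s\n' '-a always,exit -F arch=b64 -S unshare -S clone -F auid>=1000 -F auid!=4294967295 -k userns'
}

# Read raw audit records on stdin, print "pid=... uid=... exe=..." for every
# unshare/clone with CLONE_NEWUSER set that was made by a non-root uid.
detect_userns_unshare() {
    awk '
    function hex2dec(h,   i, d, c) {
        d = 0
        h = tolower(h)
        for (i = 1; i <= length(h); i++) {
            c = index("0123456789abcdef", substr(h, i, 1))
            if (c == 0) return -1            # malformed value: treat as no flags
            d = d * 16 + (c - 1)
        }
        return d
    }
    $1 == "type=SYSCALL" {
        split("", kv)                        # clear the key=value map
        for (i = 2; i <= NF; i++) {
            eq = index($i, "=")
            if (eq > 0) kv[substr($i, 1, eq - 1)] = substr($i, eq + 1)
        }
        if (kv["syscall"] != "272" && kv["syscall"] != "56") next
        if (kv["uid"] == "0") next           # root may legitimately create namespaces
        flags = hex2dec(kv["a0"])
        if (flags < 0 || int(flags / 268435456) % 2 == 0) next   # bit 28 = CLONE_NEWUSER
        gsub(/"/, "", kv["exe"])
        printf "pid=%s uid=%s exe=%s\n", kv["pid"], kv["uid"], kv["exe"]
    }'
}

# Constructed sample records for offline testing: an unprivileged unshare with
# CLONE_NEWUSER (hit), one with only CLONE_NEWNET (miss), a clone carrying
# CLONE_NEWUSER|CLONE_NEWNET (hit), the same call from root (miss), and a
# non-SYSCALL record (ignored).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1716000000.101:501): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=1600 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm=".x" exe="/tmp/.x" key="userns"
type=SYSCALL msg=audit(1716000000.102:502): arch=c000003e syscall=272 success=yes exit=0 a0=40000000 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=1650 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="ip" exe="/usr/sbin/ip" key="userns"
type=SYSCALL msg=audit(1716000000.103:503): arch=c000003e syscall=56 success=yes exit=1701 a0=50000011 a1=0 a2=0 a3=0 items=0 ppid=1500 pid=1700 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bwrap" exe="/usr/bin/bwrap" key="userns"
type=SYSCALL msg=audit(1716000000.104:504): arch=c000003e syscall=272 success=yes exit=0 a0=10000000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" key="userns"
type=PROCTITLE msg=audit(1716000000.101:501): proctitle="/tmp/.x"
EOF
}

# On a host with the rule loaded: ausearch -k userns --raw | ./detect.sh --scan
if [ "${1-}" = "--scan" ]; then
    detect_userns_unshare
fi
```

Expect hits from `bwrap`, `podman`, `flatpak` and browser sandboxes on workstations; the value of the signal is an unexpected `exe` (a file in `/tmp`, a fresh build under a home directory) rather than the call itself, so allowlist by executable path before alerting.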
## References
- **Red Hat Security Advisories:** hxxps[://]access[.]redhat[.]com/security/security-updates/security-advisories
- **Canadian Centre for Cyber Security:** hxxps[://]www[.]cyber[.]gc[.]ca/en/alerts-advisories/red-hat-security-advisory-av26-318
- **Red Hat CVE Database:** hxxps[://]access[.]redhat[.]com/security/cve/cve-2024-1086