Unpacking CVE-2024-1086: A Critical Linux Kernel Flaw
In this article, we’ll examine CVE-2024-1086, a recently discovered privilege escalation vulnerability affecting various Linux distributions.
What is CVE-2024-1086?
CVE-2024-1086 is a serious security flaw in certain older versions of the Linux kernel, in the code that manages network traffic. The kernel mishandles memory in that code, which allows an attacker to gain complete control of the system.
Simply put, this vulnerability allows a normal user to become an administrator (root), which lets them change files, disable security controls, or install malware. It is especially dangerous because it grants full control without proper authorization, enabling attackers to bypass protections and manipulate the system. Because the exploit is low in complexity and affected systems are widely deployed, this CVE received a CVSS score of 7.8.
Source: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-1086
Which Linux systems are affected?
Unfortunately, this vulnerability was found in major Linux distributions, including Debian, Fedora, Red Hat, and Ubuntu. Nearly any distribution shipping a kernel version from 3.15 to 6.8-rc1 is at risk of exploitation.
- Ubuntu:
  - Ubuntu 18.04
  - Ubuntu 20.04
  - Ubuntu 22.04
  - Ubuntu 23.10
- Red Hat:
  - RHEL 7: 3.10.0-1062.4.1.el7
  - RHEL 8: 4.18.0-147.el8
  - RHEL 9: 5.14.0-362.24.2.el9_3
- Debian: kernel version 6.1.76-1
- Other major distributions using kernels between versions 3.15 and 6.8-rc1
Source: https://nvd.nist.gov/vuln/detail/CVE-2024-1086
How does the exploit work?
Exploiting this vulnerability grants attackers root access to systems running the affected versions, giving them full control to perform any malicious actions, including but not limited to:
- Privilege escalation: Attackers could execute arbitrary code with root privileges, bypassing the usual security controls.
- System takeover: Once root access is gained, attackers can control the entire system, disabling defenses, modifying files, or installing malware.
- Lateral movement: Compromised systems can be used to spread further across the network, potentially affecting other systems.
- Sensitive data theft: Attackers can gain access to sensitive information, exfiltrate important files, or disrupt system integrity.
How to protect your systems
Firstly, it’s worth checking whether your distribution is still vulnerable to this CVE.
To do this, run the command:
uname -r
This prints the version of the kernel you’re running. If it shows a kernel version between 3.15 and 6.8-rc1, your system may still be vulnerable to the exploit. Note that distributions often backport security fixes into older kernel packages without changing the upstream version number, so a version in that range is not proof of vulnerability on its own; check your distribution’s security advisory for the package version that carries the fix.
To defend against this, you’ll need to update to Linux kernel 6.8-rc2 or newer, which patches this vulnerability.
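As an added example (not part of the original article or any vendor tool), the following POSIX shell script automates the check above: it parses the output of uname -r into its numeric parts, handles release-candidate suffixes such as -rc1, and reports whether the running kernel falls inside the 3.15 to 6.8-rc1 range the article names. The function names and the integer key encoding are my own choices.

```shell
#!/bin/sh
# Added example: classify a kernel release string against the range the article
# names (3.15 up to and including 6.8-rc1). A hit means "compare against your
# distribution's advisory": vendors backport fixes without bumping the version.

# Print "MAJOR MINOR PATCH RC" for strings such as "5.15.0-91-generic",
# "6.8.0-rc1-generic" or "3.10.0-1062.4.1.el7.x86_64"; RC is 0 for a final release.
parse_kernel_release() {
    rel=$1; rc=0
    case $rel in
        *-rc[0-9]*)
            tail=${rel#*-rc}            # "1-generic": keep the leading digits
            rc=${tail%%[!0-9]*}
            ;;
    esac
    ver=${rel%%[!0-9.]*}                # leading dotted-number prefix only
    major=${ver%%.*}
    rest=${ver#*.}
    [ -n "$major" ] && [ "$rest" != "$ver" ] || return 1   # no MAJOR.MINOR prefix
    minor=${rest%%.*}
    patch=${rest#*.}
    if [ "$patch" = "$rest" ]; then patch=0; else patch=${patch%%.*}; fi
    printf '%s %s %s %s\n' "$major" "$minor" "${patch:-0}" "$rc"
}

# Exit 0 inside the affected range, 1 outside it, 2 if unparseable. The tuple is
# packed into one 32-bit integer; rc=999 stands for "final release", so that
# 6.8-rc1 < 6.8-rc2 < 6.8.0 sorts correctly. Assumes minor < 100 and patch < 1000.
kernel_in_affected_range() {
    parsed=$(parse_kernel_release "$1") || return 2
    set -- $parsed
    rckey=$4
    [ "$rckey" -ne 0 ] || rckey=999
    key=$(( (($1 * 100 + $2) * 1000 + $3) * 1000 + rckey ))
    [ "$key" -ge 315000000 ] && [ "$key" -le 608000001 ]   # 3.15 .. 6.8-rc1
}

# Report on the kernel this host is running (uname -r, as in the article).
check_running_kernel() {
    rel=$(uname -r)
    kernel_in_affected_range "$rel" && status=0 || status=$?
    case $status in
        0) printf '%s: in the 3.15 .. 6.8-rc1 range, check your distro advisory\n' "$rel" ;;
        1) printf '%s: outside the range named for CVE-2024-1086\n' "$rel" ;;
        *) printf '%s: unrecognised release string\n' "$rel" ;;
    esac
}
check_running_kernel
```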
Final thoughts
The discovery of CVE-2024-1086 underscores the importance of maintaining up-to-date systems and taking proactive security measures. While kernel vulnerabilities can be particularly harmful, quick responses and thorough patching are key to preventing exploitation.
Want to learn more?
We have four (yes, four!) labs on this vulnerability in our platform, looking at it through different defensive tools and at how it would be used in red-teaming exercises. You can find them here:
- CVE-2024-1086 Elastic Analysis – Defensive
- CVE-2024-1086 Microsoft Sentinel Analysis – Defensive
- CVE-2024-1086 Splunk Analysis – Defensive
- CVE-2024-1086 – Offensive
Share your thoughts
If CVE-2024-1086 has impacted your organization, we’d love to hear about your steps to mitigate the risk. Do you have any recommendations for preparing for similar vulnerabilities in the future?