Bug 2262126 (CVE-2024-1086) - CVE-2024-1086 kernel: nf_tables: use-after-free vulnerability in the nft_verdict_init() function
Status: NEW
Alias: CVE-2024-1086
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
: CVE-2024-26609 (view as bug list)
Depends On: 2262128
Blocks: 2269240 2262125
Reported: 2024-01-31 18:06 UTC by Patrick Del Bello
Modified: 2024-04-26 12:16 UTC (History)

Fixed In Version: kernel 6.8-rc2
Doc Text:
A flaw was found in the Netfilter subsystem in the Linux kernel. The nft_verdict_init() function allows positive values as a drop error within the hook verdict. As a result, the nf_hook_slow() function can cause a double-free vulnerability when NF_DROP is issued with a drop error that resembles NF_ACCEPT. The nf_tables component can be exploited to achieve local privilege escalation.

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:1338 0 None None None 2024-03-14 15:52:24 UTC
Red Hat Product Errata RHBA-2024:1350 0 None None None 2024-03-18 08:41:27 UTC
Red Hat Product Errata RHBA-2024:1699 0 None None None 2024-04-08 14:54:20 UTC
Red Hat Product Errata RHSA-2024:0930 0 None None None 2024-02-21 00:27:49 UTC
Red Hat Product Errata RHSA-2024:1018 0 None None None 2024-02-28 12:41:40 UTC
Red Hat Product Errata RHSA-2024:1019 0 None None None 2024-02-28 12:34:16 UTC
Red Hat Product Errata RHSA-2024:1249 0 None None None 2024-03-12 00:47:38 UTC
Red Hat Product Errata RHSA-2024:1332 0 None None None 2024-03-14 14:51:24 UTC
Red Hat Product Errata RHSA-2024:1404 0 None None None 2024-03-19 17:28:07 UTC
Red Hat Product Errata RHSA-2024:1607 0 None None None 2024-04-02 15:55:52 UTC
Red Hat Product Errata RHSA-2024:1614 0 None None None 2024-04-02 17:22:05 UTC

Description Patrick Del Bello 2024-01-31 18:06:13 UTC
A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation.

The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT.

We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f342de4e2f33e0e39165d8639387aa6c19dff660
https://kernel.dance/f342de4e2f33e0e39165d8639387aa6c19dff660
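
The verdict arithmetic behind the description above, as an added example that is not part of the original report and is not kernel code. It is a simplified user-space model: the constants follow include/uapi/linux/netfilter.h, the function names are hypothetical, and the two validators are assumptions that contrast a check on the low verdict byte only with a check that accepts no parameter bits.

```c
#include <stdint.h>
#include <stdio.h>
#include <errno.h>

/* Constants as defined in include/uapi/linux/netfilter.h. */
#define NF_DROP          0
#define NF_ACCEPT        1
#define NF_QUEUE         3
#define NF_VERDICT_MASK  0x000000ffU
#define NF_VERDICT_QBITS 16

/* Mirrors the kernel's NF_DROP_GETERR(): the upper 16 bits hold the errno.
 * Right-shifting a negative int32_t is arithmetic on mainstream compilers. */
static int drop_geterr(uint32_t code)
{
    return -((int32_t)code >> NF_VERDICT_QBITS);
}

/* Model of the NF_DROP branch in nf_hook_slow(): after freeing the skb it
 * returns the embedded error, or -EPERM when none was set. */
static int hook_return_for_drop(uint32_t code)
{
    int ret = drop_geterr(code);
    return ret == 0 ? -EPERM : ret;
}

/* Assumed model of a lenient validation: only the low byte is inspected. */
static int verdict_ok_masked(uint32_t code)
{
    uint32_t v = code & NF_VERDICT_MASK;
    return v == NF_ACCEPT || v == NF_DROP || v == NF_QUEUE;
}

/* Assumed model of a strict validation: no parameter bits are accepted. */
static int verdict_ok_strict(uint32_t code)
{
    return code == NF_ACCEPT || code == NF_DROP || code == NF_QUEUE;
}

int main(void)
{
    /* Constructed samples: plain drop, drop with errno 111, drop with upper bits all set. */
    uint32_t samples[] = { NF_DROP, (111u << 16) | NF_DROP, 0xffff0000u | NF_DROP };
    for (int i = 0; i < 3; i++)
        printf("code=0x%08x ret=%d masked=%d strict=%d\n", samples[i],
               hook_return_for_drop(samples[i]),
               verdict_ok_masked(samples[i]), verdict_ok_strict(samples[i]));
    return 0;
}
```

The third sample passes the masked check yet decodes to a return value equal to NF_ACCEPT, so a caller would keep using a packet that the drop path has already freed; the strict check rejects it before it can reach a hook.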

Comment 1 Patrick Del Bello 2024-01-31 18:06:49 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2262128]

Comment 9 errata-xmlrpc 2024-02-21 00:27:45 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0930 https://access.redhat.com/errata/RHSA-2024:0930

Comment 11 errata-xmlrpc 2024-02-28 12:34:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1019 https://access.redhat.com/errata/RHSA-2024:1019

Comment 12 errata-xmlrpc 2024-02-28 12:41:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:1018 https://access.redhat.com/errata/RHSA-2024:1018

Comment 13 errata-xmlrpc 2024-03-12 00:47:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1249 https://access.redhat.com/errata/RHSA-2024:1249

Comment 17 errata-xmlrpc 2024-03-14 14:51:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2024:1332 https://access.redhat.com/errata/RHSA-2024:1332

Comment 19 errata-xmlrpc 2024-03-19 17:28:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:1404 https://access.redhat.com/errata/RHSA-2024:1404

Comment 21 Alex 2024-04-02 10:51:02 UTC
*** Bug 2269217 has been marked as a duplicate of this bug. ***

Comment 22 errata-xmlrpc 2024-04-02 15:55:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1607 https://access.redhat.com/errata/RHSA-2024:1607

Comment 23 errata-xmlrpc 2024-04-02 17:22:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:1614 https://access.redhat.com/errata/RHSA-2024:1614

Comment 26 Alexander Peslyak 2024-04-07 00:16:18 UTC
Hi. https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all (it only mentions other major versions and 9.2 EUS), whereas 9.3 is in fact affected - the published exploit just works all the way to a root shell. I wonder if this maybe slipped through the cracks, and actually delays fixing the issue for 9.3/9.4? And even if not, it's something to fix on that access page. Thanks!

Comment 29 Alexander Peslyak 2024-04-08 17:54:37 UTC
> https://access.redhat.com/security/cve/CVE-2024-1086 does not mention RHEL 9 latest at all

Oops, I was wrong, sorry! It does say RHEL 9 is Affected on the second page of results (the first page is "1-10 of 12"). I find this UI non-intuitive, and keep forgetting more pages of results may exist. Anyway, good to know the issue is known and acknowledged.

