Security Linux

Federal Agency Warns (Patched) Critical Linux Vulnerability Being Actively Exploited (arstechnica.com)

"The US Cybersecurity and Infrastructure Security Agency has added a critical security bug in Linux to its list of vulnerabilities known to be actively exploited in the wild," reported Ars Technica on Friday.

"The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, allows people who have already gained a foothold inside an affected system to escalate their system privileges." It's the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code or privilege escalation. The vulnerability, which affects Linux kernel versions 5.14 through 6.6, resides in the NF_tables, a kernel component enabling the Netfilter, which in turn facilitates a variety of network operations... It was patched in January, but as the CISA advisory indicates, some production systems have yet to install it. At the time this Ars post went live, there were no known details about the active exploitation.

A deep-dive write-up of the vulnerability reveals that these exploits provide "a very powerful double-free primitive when the correct code paths are hit." Double-free vulnerabilities are a subclass of use-after-free errors...

  • NF_table? (Score:4, Interesting)

    by jmccue ( 834797 ) on Saturday June 01, 2024 @06:49PM (#64516345) Homepage

    While serious, it is with NF_tables, IIRC a replacement for IPtables. Does anyone use NF_tables?

    Too bad the article did not do a "deep-dive" into how much use NF_tables gets.

    • Re: NF_table? (Score:5, Interesting)

      by guruevi ( 827432 ) on Saturday June 01, 2024 @07:03PM (#64516363)

      Anything that uses systemd/firewalld/networkd uses nffilter. I believe Kubernetes and Docker use it too now because systemd compatibility mandates it.

      • That almost sounds like an admission that all the people that refuse to utilize the mess that is systemd were correct in doing so.

    • Re:NF_table? (Score:5, Informative)

      by Tailhook ( 98486 ) on Saturday June 01, 2024 @07:16PM (#64516393)

      It's in wide use. The iptables-nft compatibility layer preserves the traditional iptables CLI etc., but uses NF_tables for the actual rules. This is done in popular distros, so many people are using NF_tables without knowing and/or caring much.

      • by jmccue ( 834797 )

        Interesting, I did not know this. I am still using IPtables, I guess something passes through to NFTables based upon your post.

        Thanks

        • Re:NF_table? (Score:5, Informative)

          by ls671 ( 1122017 ) on Saturday June 01, 2024 @08:22PM (#64516505) Homepage

          Interesting, I did not know this. I am still using IPtables, I guess something passes through to NFTables based upon your post.

          Thanks

          You are most likely using nf_tables, iptables has been long gone for eons! You are just using iptables syntax to interact with nf_tables.

          Simply type this command: lsmod
          https://unix.stackexchange.com... [stackexchange.com]

        • The kernel changed to nftables internally which largely preserves reverse compatibility with iptables and the iptables tools were updated to use it transparently. You've probably been using nftables under the hood unwittingly for a few years without benefiting from any of its extra features. (Not to imply that I know what they actually are.)

      • by gweihir ( 88907 )

        It is. I found that my custom-kernels are not vulnerable (I do not add the things required to run containers), but stock Debian kernels are, unless new enough to be patched. Looks to me like Linux is getting too complex and too much stuff is on by default.
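
Added example (not part of any comment above, and not code from the linked article): a small exposure triage that combines the kernel range quoted in the summary (5.14 through 6.6) with the `lsmod` check suggested in the thread. The function names and the sample module listing are assumptions made for this example.

```shell
#!/bin/sh
# Added triage sketch. The 5.14-6.6 range is the one quoted in the summary;
# function names and the sample data are assumptions made for this example.

# Exit 0 if RELEASE (uname -r style) falls in the reported 5.14..6.6 range,
# 1 if outside it, 2 if the string cannot be parsed.
in_reported_range() {
    rel=${1%%-*}                       # 6.1.0-18-amd64 -> 6.1.0
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    minor=${rel#*.}; minor=${minor%%.*}; minor=${minor%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    if [ "$major" -eq 5 ] && [ "$minor" -ge 14 ]; then return 0; fi
    if [ "$major" -eq 6 ] && [ "$minor" -le 6 ]; then return 0; fi
    return 1
}

# Reads lsmod or /proc/modules text on stdin; exit 0 if nf_tables is loaded.
# Matches the module-name column only, so nft_compat or a "used by" entry
# mentioning nf_tables does not count.
nf_tables_loaded() {
    awk '$1 == "nf_tables" { found = 1 } END { exit !found }'
}

# Prints a one-line verdict for a release string and a module listing.
triage() {
    release=$1; modules=$2; range=0
    in_reported_range "$release" || range=$?
    if printf '%s\n' "$modules" | nf_tables_loaded; then loaded=yes; else loaded=no; fi
    case "$range" in
        0) echo "in-range nf_tables=$loaded: verify the distro kernel package carries the fix" ;;
        1) echo "outside-range nf_tables=$loaded" ;;
        *) echo "unparsed release: $release" ;;
    esac
}

# Constructed sample input, not captured from a real host.
SAMPLE_MODULES='nf_tables 372736 5 nft_compat,nft_chain_nat
nfnetlink 20480 3 nft_compat,nf_tables
x_tables 65536 2 nft_compat,ip_tables'

triage "6.1.0-18-amd64" "$SAMPLE_MODULES"
# Live host: triage "$(uname -r)" "$(cat /proc/modules)"
```

An in-range version string is only a prompt to check the installed kernel package, since distributions backport fixes without changing the major.minor number. A kernel with nf_tables compiled in rather than built as a module will not appear in the module listing.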

  • I know you young punks think your high-level languages are the bee's knees, but mistakes like this one are exactly what happens when you get lazy!

    Important systems should be written in assembly, by real programmers who know what they are doing!

    Sheesh.

    (No, I am not serious).

  • by reanjr ( 588767 ) on Saturday June 01, 2024 @10:24PM (#64516707) Homepage

    "a class of vulnerability that occurs in software written in the C and C++ languages"

    This type of thing can happen in any language with direct memory access. Summary makes it sound like it only happens to C programmers.

    • by gweihir ( 88907 )

      Double-free can essentially happen in any language that allows explicit memory management. The alternative is a performance hit because there are additional changes.
