- CVE-2024-1086, a Linux kernel flaw, is now exploited in active ransomware campaigns.
- The bug allows local privilege escalation and affects major distributions such as Ubuntu and Red Hat.
- CISA urges patching or mitigation, warning of significant risk to federal and enterprise systems.
 
The US government warns that a Linux flaw introduced more than a decade ago (and patched more than a year ago) is being actively used in ransomware attacks.
In February 2014, a vulnerability was introduced into the Linux kernel via a commit. The bug was first disclosed in late January 2024 and described as a “use-after-free weakness in the netfilter kernel component: nf_tables.” It was fixed later that month and assigned the identifier CVE-2024-1086. It carries a severity score of 7.8/10 (high) and can be exploited to achieve local privilege escalation.
A few months after the patch was released, security researchers published proof-of-concept (PoC) exploit code, demonstrating how to achieve local privilege escalation, and reporting that the bug affects most major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat.
KEV Updates
The US Cybersecurity and Infrastructure Security Agency (CISA), the government agency responsible for protecting the country’s critical infrastructure against physical and cyber threats, added the bug to its catalog of Known Exploited Vulnerabilities (KEV) in May 2024 and gave Federal Civilian Executive Branch (FCEB) agencies until June 20, 2024 to patch or stop using the vulnerable software entirely.
When CISA adds a bug to KEV, it means it found compelling evidence that the bug is being actively used in the wild.
Now, CISA has updated its KEV entry for the bug, saying that it is now known to be used in ransomware campaigns. Unfortunately, so far it has not said which threat actor was using it or who their targets were.
In any case, if you haven’t already, be sure to patch your Linux distributions. If you cannot patch yet, the known interim mitigations are to blocklist the ‘nf_tables’ module, restrict access to user namespaces, or load the Linux Kernel Runtime Guard (LKRG) module. These mitigations can work, but they can also destabilize the system, so patching remains the best advice.
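To make those mitigations concrete, here is an added shell example that is not part of the original article or of any CISA guidance. It writes the nf_tables blocklist and the user-namespace restriction as drop-in files and reports whether either is in effect on the running host. The file names under /etc/modprobe.d and /etc/sysctl.d are my own choice, the ROOT variable exists only so the script can be tried against a scratch directory, and LKRG is left out because it first has to be installed from its own project.

```shell
#!/bin/sh
# Added example, not from the article or from CISA: apply and verify two of
# the interim mitigations for CVE-2024-1086 on a typical systemd-based
# distribution. File names are assumptions; ROOT ("" by default) lets the
# script be exercised against a scratch tree instead of the live /etc.
set -eu

ROOT="${ROOT:-}"

# 1. Blocklist the nf_tables module. "blacklist" only stops alias-based
#    autoloading; the "install ... /bin/false" line also refuses explicit
#    modprobe requests. This breaks nftables-based firewalls (including
#    iptables-nft), so only use it on hosts that do not rely on nftables.
write_nf_tables_blocklist() {
    dir="$ROOT/etc/modprobe.d"
    mkdir -p "$dir"
    cat >"$dir/cve-2024-1086-nf_tables.conf" <<'EOF'
# Interim mitigation for CVE-2024-1086: prevent nf_tables from loading.
# Remove once the kernel is patched.
blacklist nf_tables
install nf_tables /bin/false
EOF
    echo "$dir/cve-2024-1086-nf_tables.conf"
}

# 2. Restrict user namespaces. nf_tables is reachable from an unprivileged
#    user namespace, which is the route the public PoC takes; a limit of 0
#    removes that path. The limit also affects root and tools such as
#    rootless containers, and some distributions ship additional knobs.
write_userns_restriction() {
    dir="$ROOT/etc/sysctl.d"
    mkdir -p "$dir"
    cat >"$dir/99-cve-2024-1086-userns.conf" <<'EOF'
# Interim mitigation for CVE-2024-1086: forbid new user namespaces.
user.max_user_namespaces = 0
EOF
    echo "$dir/99-cve-2024-1086-userns.conf"
}

# Returns 0 if nf_tables is currently loaded, judged from /proc/modules
# (or from a file passed as $1, so the check can be tested offline).
nf_tables_loaded() {
    grep -q '^nf_tables ' "${1:-/proc/modules}"
}

# Returns 0 if the user-namespace limit passed as $1 is zero.
userns_restricted() {
    [ "$1" -eq 0 ]
}

# Short status report for the running host.
report() {
    if nf_tables_loaded; then
        echo "nf_tables: LOADED (blocklist does not unload a resident module)"
    else
        echo "nf_tables: not loaded"
    fi
    limit="$(cat /proc/sys/user/max_user_namespaces)"
    if userns_restricted "$limit"; then
        echo "user namespaces: restricted"
    else
        echo "user namespaces: allowed (max_user_namespaces=$limit)"
    fi
}

case "${1:-}" in
    apply)
        write_nf_tables_blocklist
        write_userns_restriction
        # The blocklist only affects future loads; a resident nf_tables
        # module needs a reboot (rmmod fails while rules reference it).
        # sysctl --system applies the new namespace limit immediately.
        sysctl --system >/dev/null
        ;;
    check) report ;;
    *) echo "usage: $0 apply|check" ;;
esac
```

Run `sh mitigate.sh check` before and after `sudo sh mitigate.sh apply`; on a patched kernel, delete the two drop-in files again so that nftables and user namespaces work normally.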
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations according to the supplier’s instructions or discontinue use of the product if mitigations are not available.”
Via BleepingComputer
