
CISA: High-severity Linux flaw now exploited by ransomware gangs


CISA confirmed on Thursday that a high-severity privilege escalation flaw in the Linux kernel is now being exploited in ransomware attacks.

The vulnerability, tracked as CVE-2024-1086, is a use-after-free weakness in the kernel's netfilter nf_tables component. It was disclosed on January 31, 2024, and fixed by a commit submitted that same month, but the bug itself is a decade old: it was introduced by a commit from February 2014.

Successful exploitation enables attackers with local access to escalate privileges on the target system, potentially resulting in root-level access to compromised devices.

As Immersive Labs explains, potential impact includes system takeover once root access is gained (allowing attackers to disable defenses, modify files, or install malware), lateral movement through the network, and data theft.

In late March 2024, a security researcher using the 'Notselwyn' alias published a detailed write-up and proof-of-concept (PoC) exploit code targeting CVE-2024-1086 on GitHub, showcasing how to achieve local privilege escalation on Linux kernel versions between 5.14 and 6.6.

The flaw affects many major Linux distributions, including but not limited to Debian, Ubuntu, Fedora, and Red Hat, on kernel versions from 3.15 through 6.8-rc1.
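As an added example (not from the article, from CISA, or from any vendor tooling), the POSIX shell helper below turns the version window quoted above into a first-pass triage check for a host. Only the 3.15 to 6.8-rc1 bounds come from the article; the ordering scheme, the reading of `uname -r`, `/proc/modules` and `modules.builtin` to locate nf_tables, and the sample release strings are assumptions. A kernel inside the window is only possibly vulnerable: the fix was backported to stable and distribution kernels without changing the major.minor number, so the result has to be confirmed against the distribution's own advisory.

```shell
#!/bin/sh
# Added triage helper for CVE-2024-1086 (example code, not from the article or
# a vendor). Maps a kernel release string onto the 3.15 .. 6.8-rc1 window the
# article quotes and reports whether nf_tables is present on this host.
# Assumption: a version inside the window is only a candidate, because stable
# and distribution kernels carry the backported fix under the same major.minor.

# version_key RELEASE: print one integer that orders kernel releases.
#   "6.6.14-200.fc39.x86_64" -> 6006014999   "6.8-rc1" -> 6008000001
# A final release gets rc=999 so it sorts after every -rcN of that version.
# Returns 1 when RELEASE does not start with a number.
version_key() {
    # keep the leading dotted numbers plus an optional -rcN, drop distro suffix
    base=$(printf '%s' "$1" | sed 's/^\([0-9][0-9.]*\)\(-rc[0-9][0-9]*\)\{0,1\}.*$/\1\2/')
    case $base in
        [0-9]*) ;;
        *) return 1 ;;
    esac
    rc=999
    case $base in
        *-rc*) rc=${base##*-rc}; base=${base%-rc*} ;;
    esac
    oldifs=$IFS; IFS=.; set -- $base; IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    echo $(( major * 1000000000 + minor * 1000000 + patch * 1000 + rc ))
}

# kernel_in_window RELEASE: 0 if inside 3.15 .. 6.8-rc1, 1 if outside, 2 if unparseable.
kernel_in_window() {
    key=$(version_key "$1") || return 2
    lo=3015000000                 # 3.15, -rc builds included
    hi=$(version_key 6.8-rc1)     # 6008000001
    [ "$key" -ge "$lo" ] && [ "$key" -le "$hi" ]
}

# triage: report on the running host; always returns 0, the text is the result.
triage() {
    rel=$(uname -r)
    st=0; kernel_in_window "$rel" || st=$?
    case $st in
        0) echo "kernel $rel: inside the 3.15 .. 6.8-rc1 window, possibly vulnerable;" \
                "confirm against the distro advisory (fix was backported to stable kernels)" ;;
        1) echo "kernel $rel: outside the window" ;;
        *) echo "kernel $rel: release string not understood" ;;
    esac
    if grep -q '^nf_tables ' /proc/modules 2>/dev/null; then
        echo "nf_tables: loaded as a module"
    elif grep -q '/nf_tables\.ko$' "/lib/modules/$rel/modules.builtin" 2>/dev/null; then
        echo "nf_tables: built into the kernel"
    else
        echo "nf_tables: not currently loaded (this does not prove it cannot be loaded on demand)"
    fi
    return 0
}

triage
```

Run it with `sh triage.sh` on the host being checked; no root privileges are needed for the reads it performs. The integer key keeps the comparison in plain `test -ge`/`-le` so the script stays POSIX and does not depend on `sort -V`.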

Flagged as exploited in ransomware attacks

In a Thursday update to its catalog of vulnerabilities exploited in the wild, the U.S. cybersecurity agency said the flaw is now known to be used in ransomware campaigns, but didn't provide more information regarding ongoing exploitation attempts.

CISA added this security flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and ordered federal agencies to secure their systems by June 20, 2024.

If patching is not possible, IT admins are advised to apply one of the following mitigations:
