Summary: Security researchers have disclosed a critical vulnerability (CVE-2024-26581) in the Linux kernel that allows local authenticated attackers to leak sensitive information, potentially leading to privilege escalation. The flaw affects specific kernel versions and is linked to improper handling of memory during transaction rollbacks in the nftables framework.
Threat Actor: Local authenticated attackers
Victim: Linux kernel systems
Key Points:
- The vulnerability allows attackers to exploit a use-after-free condition in the nftables framework, leading to unauthorized information disclosure.
- Exploitation can potentially escalate privileges to root level, giving attackers full control over affected systems.
- System administrators are advised to update their kernel versions and implement security measures to mitigate risks.

Security researchers have publicly disclosed technical details and proof-of-concept (PoC) exploit code for CVE-2024-26581 (CVSS 7.8), a vulnerability in the Linux kernel. The flaw poses a serious risk, allowing local authenticated attackers to obtain sensitive information from affected systems.
The vulnerability resides within the nft_set_rbtree function, which manages sets in nftables. An attacker can trigger the flaw by sending a specially crafted request, resulting in the unauthorized disclosure of an "end interval element" during a transaction. The leaked information could then be used for further malicious activity.
Linux kernel versions 6.1.9 and later, 5.15.91 and later, and 5.10.166 and later are confirmed to be susceptible to this vulnerability.
The core issue lies in the nft_rbtree_gc_elem function, which lacks a crucial check on the "set element" referenced by "prev". This omission can trigger a use-after-free condition, a scenario where memory that has already been deallocated is accessed again, leading to unpredictable behavior and potential security breaches.
Specifically, the vulnerability occurs during the rollback of a transaction in the nftables framework. When an error is detected, the rollback mechanism (nf_tables_abort) is triggered, leading to the potential double deletion of a set element. This flaw is exacerbated if the attacker manages to insert a set element with the NFTA_SET_ELEM_EXPIRATION and NFTA_SET_ELEM_TIMEOUT flags, followed by another element with the NFT_SET_ELEM_INTERVAL_END flag, before triggering an error condition.
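The double-deletion sequence described above, as an added toy model that is not kernel code and not the researchers' PoC. It assumes the expired element was committed by an earlier transaction while the end-interval element belongs to the transaction that is later aborted, and it counts "deletions" instead of freeing memory so that the unpatched and patched garbage-collection checks can be compared side by side:

```c
/* Toy model (added example, not kernel code) of the CVE-2024-26581
 * mechanism: lazy gc on insert collects an end-interval element that the
 * in-flight transaction added but never committed, and the transaction
 * abort path then deletes the same element again. */
#include <stdbool.h>
#include <stddef.h>

struct elem {
    bool interval_end; /* NFT_SET_ELEM_INTERVAL_END analogue */
    bool expired;      /* carries a timeout that has already passed */
    bool active;       /* committed by an earlier, successful transaction */
    bool in_txn;       /* added by the current, not yet committed transaction */
    int  deletions;    /* how many times the model "freed" this element */
};

/* Model of nft_rbtree_gc_elem: collect an expired, committed element and the
 * end-interval element that precedes it in the tree. With check_prev_active
 * false the predecessor is collected even if it is still uncommitted (the bug);
 * with it true an inactive predecessor is skipped (the fix). */
static void gc_elems(struct elem *set, size_t n, bool check_prev_active)
{
    for (size_t i = 1; i < n; i++) {
        struct elem *rbe = &set[i], *prev = &set[i - 1];
        if (!rbe->expired || !rbe->active || rbe->deletions)
            continue;
        if (prev->interval_end && (!check_prev_active || prev->active))
            prev->deletions++;
        rbe->deletions++;
    }
}

/* Model of nf_tables_abort: roll back by deleting every element the
 * aborted transaction added, with no knowledge of what gc already took. */
static void abort_txn(struct elem *set, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (set[i].in_txn)
            set[i].deletions++;
}

/* Run the scenario from the advisory and return how many times the
 * uncommitted end-interval element was deleted: 2 means use-after-free
 * territory (deleted by gc, then again by abort), 1 is the healthy case. */
int end_elem_deletions(bool patched)
{
    struct elem set[2] = {
        /* constructed sample: end-interval element added by the transaction */
        { .interval_end = true,  .expired = false, .active = false, .in_txn = true  },
        /* constructed sample: committed element whose timeout has expired */
        { .interval_end = false, .expired = true,  .active = true,  .in_txn = false },
    };
    gc_elems(set, 2, patched);   /* gc runs on insert, before the error */
    abort_txn(set, 2);           /* the error triggers the rollback */
    return set[0].deletions;
}
```

The unpatched path returns 2 (gc and abort both delete the same uncommitted element), the patched path returns 1, which is why the fix is an activity check on the predecessor rather than a change to the abort code.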
Detailed exploitation steps and a proof-of-concept (PoC) exploit code for CVE-2024-26581 have been publicly released, demonstrating the feasibility of leveraging this vulnerability for information leakage. By chaining this initial exploit with carefully crafted subsequent attacks, an attacker could potentially escalate their privileges to the root level, gaining full control over the affected system.
System administrators are urged to review their kernel versions and apply any available updates or patches. Additionally, monitoring for suspicious activity related to nftables and implementing additional security measures, such as limiting local access and using security modules like SELinux, can help mitigate the risk.