Updated on 2024-09-30 GMT+08:00

Notice of Linux Kernel Privilege Escalation Vulnerability (CVE-2024-1086)

Description

Table 1 Vulnerability details

Type                        CVE-ID         Severity   Discovered
Local privilege escalation  CVE-2024-1086  Critical   2024-01-31

Impact

A vulnerability was found in the netfilter nf_tables component of Linux kernels 3.15 to 6.8. A local attacker can exploit it to gain root access. The nft_verdict_init() function allows positive values to be used as the drop error within a hook verdict; when NF_DROP is issued with a drop error that looks like NF_ACCEPT, nf_hook_slow() frees the same packet buffer twice (a double free).

Although this vulnerability can be used for local privilege escalation, attackers may find it challenging to exploit as it requires initial access to a node.

Identification Method

  • Nodes with a kernel version earlier than 3.15 that run CentOS 7.6 or Huawei Cloud EulerOS 1.1 are not affected by this vulnerability.
  • If EulerOS 2.9, Huawei Cloud EulerOS 2.0, Ubuntu 22.04, or EulerOS 2.10 is used, you can run the following command to check the kernel version:
    uname -a

    If the kernel version falls between 3.15 and 6.8, the system is affected by this vulnerability.
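The identification step above compares a kernel version against the range 3.15 to 6.8. Comparing release strings by hand is error-prone (for example "6.10" sorts before "6.8" as text), so the following is an added example, not part of the CCE notice, that parses the string `uname -r` prints and classifies it against the range exactly as the notice states it. The sample release strings are constructed for illustration. Because the comparison sees only the major.minor number, it cannot tell whether a vendor kernel inside the range already carries a backported fix; treat "affected" as a prompt to check the OS image release notes, not as a final verdict.

```shell
#!/bin/sh
# Added example, not part of the CCE notice: classify a kernel release string
# against the affected range the notice gives (3.15 through 6.8).
# Input is the release string `uname -r` prints, for example
#   5.10.0-60.18.0.50.h1134.eulerosv2r11.x86_64   (constructed sample)
#   3.10.0-1160.el7.x86_64                        (constructed sample)
# Only the leading major.minor is compared; the patch level and vendor suffix
# are ignored, which is all the version number alone can tell you.

# Print "affected", "not-affected" or "unparseable" for one release string.
# Exit status: 0 affected, 1 not affected, 2 unparseable.
kernel_affected() {
    rel="$1"
    case "$rel" in
        *.*) ;;
        *) echo "unparseable"; return 2 ;;
    esac
    major="${rel%%.*}"            # text before the first dot
    rest="${rel#*.}"              # text after the first dot
    minor="${rest%%[!0-9]*}"      # digits up to the next non-digit
    case "$major" in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
    # Below 3.15: not affected.
    if [ "$major" -lt 3 ] || { [ "$major" -eq 3 ] && [ "$minor" -lt 15 ]; }; then
        echo "not-affected"; return 1
    fi
    # Above 6.8: not affected.
    if [ "$major" -gt 6 ] || { [ "$major" -eq 6 ] && [ "$minor" -gt 8 ]; }; then
        echo "not-affected"; return 1
    fi
    echo "affected"; return 0
}

# Check the given release strings, or this node's own kernel when none are given.
check_nodes() {
    if [ "$#" -eq 0 ]; then set -- "$(uname -r)"; fi
    for rel in "$@"; do
        printf '%s: %s\n' "$rel" "$(kernel_affected "$rel")"
    done
}

check_nodes "$@"
```

Run it with no arguments on a node to check that node, or pass the release strings collected from `kubectl get nodes -o wide` (the KERNEL-VERSION column) to screen a whole cluster at once.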

Mitigation

Configure seccomp for containerized workloads. The following shows an example:
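The following is an added example of the seccomp mitigation, written for this notice rather than taken from CCE documentation. Creating nf_tables rules requires CAP_NET_ADMIN, and an unprivileged container normally obtains that capability only by creating a new user namespace, so a seccomp profile that refuses user-namespace creation removes the usual way to reach the bug without waiting for a kernel fix. The script shows two forms: the container runtime's built-in profile (`RuntimeDefault`), which already refuses `unshare` and `clone` with namespace flags for containers without CAP_SYS_ADMIN, and a small custom profile for clusters that maintain their own policy files. The profile name, profile directory, namespace and image are assumptions for the example.

```shell
#!/bin/sh
# Added example, not from the CCE notice: seccomp settings that close the
# usual route to this bug inside a container. Creating nf_tables rules needs
# CAP_NET_ADMIN, which an unprivileged container normally can obtain only by
# creating a new user namespace; refusing that in seccomp removes the route
# without patching the kernel. PROFILE_DIR, PROFILE_NAME, the namespace "demo"
# and the image are assumptions for this example.

PROFILE_DIR="${PROFILE_DIR:-/var/lib/kubelet/seccomp}"  # kubelet's default seccomp root
PROFILE_NAME="deny-userns.json"                          # assumed file name

# Write a custom profile: allow by default, but fail user-namespace creation.
#   unshare/setns -> EPERM (1) unconditionally
#   clone         -> EPERM only when CLONE_NEWUSER (0x10000000 = 268435456) is set
#   clone3        -> ENOSYS (38), so libc falls back to clone, which is filtered
# Prints the path of the written file.
write_profile() {
    dir="$1"
    mkdir -p "$dir"
    cat > "$dir/$PROFILE_NAME" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "architectures": ["SCMP_ARCH_X86_64", "SCMP_ARCH_AARCH64"],
  "syscalls": [
    { "names": ["unshare", "setns"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1 },
    { "names": ["clone"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1,
      "args": [ { "index": 0, "value": 268435456, "valueTwo": 268435456,
                  "op": "SCMP_CMP_MASKED_EQ" } ] },
    { "names": ["clone3"], "action": "SCMP_ACT_ERRNO", "errnoRet": 38 }
  ]
}
EOF
    echo "$dir/$PROFILE_NAME"
}

# Emit a Pod manifest. "RuntimeDefault" (the default here) uses the container
# runtime's built-in profile; "Localhost" references the custom file above,
# which must exist under the kubelet seccomp root on every node that may
# schedule the Pod. Dropping all capabilities and forbidding privilege
# escalation are defence in depth against other ways of gaining CAP_NET_ADMIN.
pod_manifest() {
    if [ "${1:-RuntimeDefault}" = Localhost ]; then
        profile="      type: Localhost
      localhostProfile: $PROFILE_NAME"
    else
        profile="      type: RuntimeDefault"
    fi
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: seccomp-demo
  namespace: demo
spec:
  securityContext:
    seccompProfile:
$profile
  containers:
  - name: app
    image: nginx:stable
    securityContext:
      allowPrivilegeEscalation: false
      capabilities:
        drop: ["ALL"]
EOF
}

# Usage (nothing runs unless a subcommand is given):
#   on each node:      ./seccomp-mitigation.sh install
#   from admin shell:  ./seccomp-mitigation.sh manifest Localhost | kubectl apply -f -
#   or, runtime profile only: ./seccomp-mitigation.sh manifest | kubectl apply -f -
case "${1:-}" in
    install)  write_profile "$PROFILE_DIR" ;;
    manifest) pod_manifest "${2:-RuntimeDefault}" ;;
esac
```

Prefer `RuntimeDefault` where workloads tolerate it, since it needs no file distribution; the custom profile is the narrower option for clusters that must keep a permissive default action. Either profile breaks workloads that legitimately create user namespaces, so test on a staging namespace before rolling it out cluster-wide.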

Related teams and CCE have fixed the vulnerability in EulerOS 2.9, Huawei Cloud EulerOS 2.0, Ubuntu 22.04, and EulerOS 2.10. See the OS Image Version Release Notes for the image versions that carry the fix.

Once an OS image with the fix is released, new clusters and nodes use it by default. To fix the vulnerability on existing nodes, reset them. If the cluster version has reached EOS, upgrade the cluster first.