Notice of Linux Kernel Privilege Escalation Vulnerability (CVE-2024-1086)
Description

| Type | CVE-ID | Severity | Discovered |
|---|---|---|---|
| Local privilege escalation | CVE-2024-1086 | Critical | 2024-01-31 |
Impact
A vulnerability was found in the netfilter: nf_tables component in Linux kernels 3.15 to 6.8. This vulnerability can be exploited by a local attacker to gain root access. The nft_verdict_init() function allows positive values to be used as a drop error within the hook verdict. When NF_DROP is issued with a drop error similar to NF_ACCEPT, the nf_hook_slow() function can cause a double free vulnerability.
Although this vulnerability can be used for local privilege escalation, attackers may find it challenging to exploit as it requires initial access to a node.
Identification Method
- Nodes with a kernel version earlier than 3.15 that run CentOS 7.6 or Huawei Cloud EulerOS 1.1 are not affected by this vulnerability.
- If EulerOS 2.9, Huawei Cloud EulerOS 2.0, Ubuntu 22.04, or EulerOS 2.10 is used, you can run the following command to check the kernel version:

  ```
  uname -a
  ```

  If the kernel version falls between 3.15 and 6.8, the system is affected by this vulnerability.
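The range check described above, written out as an added shell example that is not part of the notice. It takes the kernel release field (the third field of `uname -a`, or the output of `uname -r`), compares the numeric major.minor version against the 3.15 to 6.8 range the notice gives, and does so numerically so that 6.10 is not mistaken for a version below 6.8. The function names are mine, and the script knows nothing about vendor backports: a hit means "consult the OS image release notes for a fixed image", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the Huawei Cloud notice): report whether a kernel
# release string lies inside the affected range 3.15 <= version <= 6.8 that
# the notice gives for CVE-2024-1086. Fixed point releases are not known to
# this script, so a hit is a prompt to check the OS image release notes.

# kernel_major_minor RELEASE : "5.10.0-60.18.0.50.oe2203.x86_64" -> "5 10"
kernel_major_minor() {
  # keep the first two dot-separated numeric fields, drop everything after
  printf '%s\n' "$1" | sed -E 's/^([0-9]+)\.([0-9]+).*/\1 \2/'
}

# version_ge A_MAJOR A_MINOR B_MAJOR B_MINOR : true if A >= B (numeric compare)
version_ge() {
  [ "$1" -gt "$3" ] || { [ "$1" -eq "$3" ] && [ "$2" -ge "$4" ]; }
}

# kernel_in_affected_range RELEASE : exit 0 if 3.15 <= RELEASE <= 6.8,
# exit 1 if outside the range, exit 2 if the string cannot be parsed
kernel_in_affected_range() {
  set -- $(kernel_major_minor "$1")
  [ "$#" -eq 2 ] || return 2
  version_ge "$1" "$2" 3 15 && version_ge 6 8 "$1" "$2"
}

# Usage on a node:
#   if kernel_in_affected_range "$(uname -r)"; then
#     echo "kernel in the affected range; check the OS image release notes"
#   fi
```

Because the comparison is numeric, a CentOS 7.6 kernel (3.10.x) and a 6.10 kernel are both reported as outside the range, while 4.18 and 6.8 kernels are reported as inside it.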
Mitigation
Configure seccomp for containerized workloads. The following shows an example:
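The snippet the notice refers to is not reproduced on this page. The manifest below is an added example of the approach, not Huawei Cloud's own, with placeholder Pod name and image: it opts the Pod into the container runtime's default seccomp profile and drops all Linux capabilities from the container.

```yaml
# Added example (not the notice's own snippet): a Pod that uses the container
# runtime's default seccomp profile and runs with no capabilities.
# Names and the image reference are placeholders.
apiVersion: v1
kind: Pod
metadata:
  name: example-app                      # placeholder
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault               # runtime's built-in profile (containerd/Docker default)
  containers:
    - name: app
      image: registry.example.com/app:1.0   # placeholder image
      securityContext:
        allowPrivilegeEscalation: false
        capabilities:
          drop: ["ALL"]
```

The runtime default profile denies `unshare` and the namespace-creating `clone` flags to containers that lack CAP_SYS_ADMIN, and dropping all capabilities removes CAP_NET_ADMIN. Together these mean a process inside the container can neither create a user namespace to obtain CAP_NET_ADMIN nor configure nf_tables directly, which is the interface this bug sits behind. The same default can be enforced for every Pod on a node through the kubelet's `seccompDefault` setting. A privileged Pod bypasses both settings, and the profile only narrows reach from inside Pods: the node still needs the OS image with the kernel fix.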
Related teams and CCE have fixed the vulnerability in EulerOS 2.9, Huawei Cloud EulerOS 2.0, Ubuntu 22.04, and EulerOS 2.10. Check the OS Image Version Release Notes for the image versions that contain the fix.
Once an OS image with the vulnerability fixed is released, new clusters and nodes will have the vulnerability fixed by default. To fix the vulnerability on existing nodes, you can simply reset them. If the cluster version has reached EOS, you need to upgrade the version first.