The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that a high-severity privilege escalation vulnerability in the Linux kernel, identified as CVE-2024-1086, is now being actively exploited in ransomware campaigns. This development underscores the immediate need for organizations to address the flaw across affected Linux environments.
The flaw, CVE-2024-1086, is a use-after-free vulnerability in the kernel's netfilter nf_tables component. Successful exploitation lets a local attacker escalate privileges to root on the affected host, which in turn enables full system takeover: disabling defenses, modifying files, installing malware, moving laterally within the network, and stealing data.
The vulnerability was introduced in the Linux kernel by a commit in February 2014 and fixed by a patch submitted in January 2024. It was publicly disclosed on January 31, 2024; evidence of its use in ransomware attacks emerged only later.
In late March 2024, a security researcher operating under the alias 'Notselwyn' published proof-of-concept (PoC) exploit code on GitHub. The PoC demonstrated local privilege escalation on Linux kernel versions from 5.14 to 6.6, confirming that the flaw is practically exploitable. The vulnerability affects a broad range of major Linux distributions, including Debian, Ubuntu, Fedora, and Red Hat, across kernel versions from 3.15 to 6.8-rc1.
CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities (KEV) Catalog on May 30, 2024, which requires federal civilian executive branch agencies to apply the fix by June 20, 2024. For organizations that cannot patch immediately, CISA suggests several interim mitigations: blocklist nf_tables if it is not actively used, restrict access to user namespaces to reduce the attack surface, or load the Linux Kernel Runtime Guard (LKRG) module, although LKRG may introduce system instability.
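Before choosing among those mitigations, a responder needs three facts about each host: whether the running kernel falls in the cited 3.15 to 6.8-rc1 range, whether nf_tables is present at all, and whether unprivileged users can create user namespaces (the reason user namespaces matter is that nf_tables is driven over netlink with CAP_NET_ADMIN, which any user obtains inside a user namespace they create). The POSIX shell script below is an added example, not code from the article, CISA or the PoC author; it assumes the sysfs path /sys/module/nf_tables and the sysctls user.max_user_namespaces (generic) and kernel.unprivileged_userns_clone (Debian/Ubuntu-specific), and its version check is only a screen, since distributions backport the fix into older stable kernels.

```shell
#!/bin/sh
# Added triage script for CVE-2024-1086 (example code, not from the article,
# CISA or the PoC author). Assumed inputs: uname -r, /sys/module/nf_tables,
# /proc/sys/user/max_user_namespaces and /proc/sys/kernel/unprivileged_userns_clone.

# ver_key VERSION -> integer major*10^6 + minor*10^3 + patch.
# "6.1.0-18-amd64" -> 6001000. A "-rcN" suffix marks a pre-release and is
# ranked just below the final version, so 6.8-rc1 (affected) sorts below 6.8 (fixed).
ver_key() {
    base=$(printf '%s\n' "$1" | sed 's/[^0-9.].*$//')
    key=$(printf '%s\n' "$base" | awk -F. '{ printf "%d", $1*1000000 + $2*1000 + $3 }')
    case "$1" in *-rc*) key=$((key - 1)) ;; esac
    printf '%s\n' "$key"
}

# in_affected_range VERSION -> exit 0 if 3.15 <= VERSION < 6.8, the range the
# article cites. Coarse screen only: a "yes" means "check the vendor advisory
# for a backported fix", not "vulnerable".
in_affected_range() {
    k=$(ver_key "$1")
    [ "$k" -ge "$(ver_key 3.15)" ] && [ "$k" -lt "$(ver_key 6.8)" ]
}

# nf_tables_present -> exit 0 if nf_tables is loaded or built in.
# /sys/module lists built-in modules too, unlike lsmod and /proc/modules.
nf_tables_present() {
    [ -d /sys/module/nf_tables ]
}

# userns_unprivileged_allowed MAX_USER_NS CLONE_FLAG -> exit 0 if an
# unprivileged user can create a user namespace. MAX_USER_NS is
# user.max_user_namespaces (0 disables creation for everyone); CLONE_FLAG is
# kernel.unprivileged_userns_clone where the kernel has it, "" otherwise.
userns_unprivileged_allowed() {
    max_ns=$1; clone_flag=$2
    [ "$max_ns" -gt 0 ] 2>/dev/null || return 1
    [ -z "$clone_flag" ] || [ "$clone_flag" -ne 0 ]
}

# read_sysctl PATH -> prints the value, or nothing if the file is absent.
read_sysctl() {
    [ -r "$1" ] && cat "$1" 2>/dev/null || printf ''
}

report() {
    ver=$(uname -r)
    if in_affected_range "$ver"; then
        printf 'kernel %s: within 3.15..6.8-rc1; confirm backported fix with vendor\n' "$ver"
    else
        printf 'kernel %s: outside the affected range\n' "$ver"
    fi
    if nf_tables_present; then
        printf 'nf_tables: present (blocklist only if no firewall tooling depends on it)\n'
    else
        printf 'nf_tables: not loaded\n'
    fi
    max_ns=$(read_sysctl /proc/sys/user/max_user_namespaces)
    clone=$(read_sysctl /proc/sys/kernel/unprivileged_userns_clone)
    # Missing max_user_namespaces sysctl (pre-4.9 kernels): assume allowed.
    if userns_unprivileged_allowed "${max_ns:-1}" "$clone"; then
        printf 'user namespaces: unprivileged creation allowed\n'
    else
        printf 'user namespaces: restricted\n'
    fi
}

report
```

If nf_tables is not needed, the blocklist is an `install nf_tables /bin/false` line in a file under /etc/modprobe.d/ (a plain `blacklist` line only stops alias-based autoloading, not an explicit load by module name). Restricting user namespaces is `sysctl -w user.max_user_namespaces=0` on any kernel, or `kernel.unprivileged_userns_clone=0` on Debian/Ubuntu kernels that carry that patch. Both mitigations break legitimate users of those features (nft- and firewalld-based firewalls; rootless containers and browser sandboxes), so test them on a representative host before rolling out.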
CISA emphasized that "These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise." Organizations are advised to apply vendor-provided mitigations or discontinue use of affected products if patches are unavailable.