- CVE-2024-1086, a Linux kernel flaw, is now being exploited in active ransomware campaigns
- The flaw enables escalation of local privileges and affects major distributions such as Ubuntu and Red Hat
- CISA urges patching or mitigation, warns of significant risk to federal and enterprise systems
The US government is warning that a Linux bug introduced more than a decade ago – and patched more than a year ago – is being actively used in ransomware attacks.
In February 2014, a vulnerability was introduced into the Linux kernel via a commit. The flaw was first disclosed in late January 2024 and described as a “use-after-free weakness in the netfilter:nf_tables core component”. It was patched later that month and assigned the identifier CVE-2024-1086. It carries a severity score of 7.8/10 (high) and can be exploited to achieve local privilege escalation.
A few months after the patch was released, security researchers published proof-of-concept (PoC) exploit code demonstrating how to achieve local privilege escalation and reported that the flaw affects most major Linux distros, including Debian, Ubuntu, Fedora, and Red Hat.
Updates to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA), the government agency responsible for protecting the nation’s critical infrastructure from physical and cyber threats, added the flaw to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and gave Federal Civilian Executive Branch (FCEB) agencies until June 20, 2024 to patch or stop using the vulnerable software.
When CISA adds a bug to KEV, it means it found compelling evidence that the bug is being actively used in the wild.
Now CISA has updated its KEV entry for the bug to say it is known to be used in ransomware campaigns. Unfortunately, it did not say which threat actor has used it or who has been targeted so far.
In any case, if you haven’t already – be sure to patch your Linux distros, or at least block the ‘nf_tables’ module, restrict access to user namespaces, or load the Linux Kernel Runtime Guard (LKRG) module, as these are the known workarounds. While these restrictions might work, they can also destabilize the system, so patching remains the best advice.
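As an added example (not from the article, CISA or the kernel project), here is a small POSIX shell audit that reports whether a host has any of the three workarounds above in place. Which sysctl keys and modprobe.d directives it accepts as evidence of a workaround is my assumption, and a hit on this script is not a substitute for the kernel patch.

```shell
#!/bin/sh
# Added example: audit a host for the CVE-2024-1086 workarounds named in the
# article. Each check takes its input as an argument so it can be tested
# offline; audit_host() gathers the live values from the running system.

# User namespaces: treated as restricted if the kernel refuses new ones outright
# (user.max_user_namespaces=0) or, on Debian/Ubuntu kernels that carry the key,
# unprivileged creation is off (kernel.unprivileged_userns_clone=0). Assumption.
userns_restricted() {
    max_ns="$1"; unpriv_clone="$2"
    [ "$max_ns" = "0" ] || [ "$unpriv_clone" = "0" ]
}

# nf_tables: a 'blacklist' line only stops alias-based autoloading; an
# 'install nf_tables /bin/false' line also defeats an explicit modprobe.
# $1 is the concatenated text of /etc/modprobe.d/*.conf.
nft_blocked() {
    printf '%s\n' "$1" | grep -Eq \
      '^[[:space:]]*(blacklist[[:space:]]+nf_tables|install[[:space:]]+nf_tables[[:space:]]+/bin/(false|true))[[:space:]]*$'
}

# LKRG: present if lsmod output ($1) lists a module named lkrg.
lkrg_loaded() {
    printf '%s\n' "$1" | grep -Eq '^lkrg[[:space:]]'
}

# Gather live values and print one line per workaround. Returns 0 only if at
# least one workaround is in place; the real fix is still the kernel update.
audit_host() {
    max_ns=$(sysctl -n user.max_user_namespaces 2>/dev/null || echo unknown)
    unpriv=$(sysctl -n kernel.unprivileged_userns_clone 2>/dev/null || echo unknown)
    modconf=$(cat /etc/modprobe.d/*.conf 2>/dev/null)
    mods=$(lsmod 2>/dev/null)
    ok=1
    if userns_restricted "$max_ns" "$unpriv"; then echo "userns:    restricted"; ok=0; else echo "userns:    NOT restricted"; fi
    if nft_blocked "$modconf"; then echo "nf_tables: blocked"; ok=0; else echo "nf_tables: NOT blocked"; fi
    if lkrg_loaded "$mods"; then echo "lkrg:      loaded"; ok=0; else echo "lkrg:      NOT loaded"; fi
    return $ok
}

# Run the live audit only when invoked as: sh audit.sh audit
if [ "${1:-}" = "audit" ]; then audit_host; fi
```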
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply restraints according to the supplier’s instructions, or stop using the product if restraints are not available.”
Via Bleeping Computer