- CVE-2024-1086, a Linux kernel flaw, is now exploited in active ransomware campaigns
- The bug enables local privilege escalation and affects major distros like Ubuntu and Red Hat
- CISA urges patching or mitigation, warning of significant risk to federal and enterprise systems
The US government is warning that a Linux flaw introduced more than a decade ago – and fixed more than a year ago – is being actively used in ransomware attacks.
In February 2014, a vulnerability was introduced into the Linux kernel via a commit. The bug was first disclosed in late January 2024, and described as a “use-after-free weakness in the netfilter: nf_tables kernel component”. It was fixed later that month, and was given a label CVE-2024-1086. Its severity score is 7.8/10 (high) and can be exploited to achieve local privilege escalation.
A few months after the patch was released, security researchers published proof-of-concept (PoC) exploit code, demonstrating how to achieve local privilege escalation, and reporting that the bug affects most major Linux distros, including Debian, Ubuntu, Fedora, and Red Hat.
Updates to KEV
The US Cybersecurity and Infrastructure Security Agency (CISA), a government agency responsible for protecting the nation’s critical infrastructure from physical and cyber threats, added the bug to its Known Exploited Vulnerabilities (KEV) catalog in May 2024 and gave Federal Civilian Executive Branch (FCEB) agencies until June 20, 2024, to patch up or stop using the vulnerable software entirely.
When CISA adds a bug to KEV, it means that it found compelling evidence that the bug is being actively used in the wild.
Now, CISA has updated its KEV entry for the bug, saying that it is now known to be used in ransomware campaigns. Unfortunately, it didn’t say which threat actor was using it, or who its targets were, so far.
In any case, if you haven’t already – make sure to patch your Linux distros, or at least block ‘nf_tables’, restrict access to user namespaces, or load the Linux Kernel Runtime Guard (LKRG) module, since these are known mitigations. While the mitigations might work, they might also destabilize the system, so patching still remains the best advice.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA said. “Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.”
Via BleepingComputer
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
