Ransomware Gangs Now Exploiting Critical Linux Flaw

Summary
– CISA confirmed a high-severity Linux kernel privilege escalation flaw (CVE-2024-1086) is now being exploited in ransomware attacks.
– The vulnerability was first introduced in 2014 and allows attackers with local access to gain root-level control of compromised systems.
– It impacts major Linux distributions including Debian, Ubuntu, Fedora, and Red Hat using kernel versions 3.15 to 6.8-rc1.
– CISA added the flaw to its Known Exploited Vulnerabilities catalog and ordered federal agencies to secure systems by June 20, 2024.
– Recommended mitigations include blocking nf_tables, restricting user namespaces access, or loading the Linux Kernel Runtime Guard module.
A critical security flaw within the Linux kernel is now being actively leveraged by ransomware gangs, according to a recent warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This development elevates the threat level significantly, as the vulnerability allows attackers to gain complete control over affected systems. The issue, identified as CVE-2024-1086, is a use-after-free weakness located in the netfilter nf_tables component. Although a patch became available in January 2024, the flaw’s origins trace back to a code change made a decade ago in February 2014.
Exploiting this vulnerability successfully grants an attacker with existing local access the ability to escalate their privileges. This can ultimately lead to root-level access on the compromised device, effectively handing over total control. With this level of access, malicious actors can disable security defenses, alter critical system files, deploy malware, move laterally across a network, and exfiltrate sensitive data.
The situation became more urgent in late March 2024 when a security researcher known as ‘Notselwyn’ released a detailed analysis and functional proof-of-concept exploit code on GitHub. This public demonstration showed precisely how to achieve local privilege escalation on Linux kernels ranging from version 5.14 to 6.6. The scope of impacted systems is broad, affecting major distributions like Debian, Ubuntu, Fedora, and Red Hat that utilize kernel versions from 3.15 up to 6.8-rc1.
CISA has officially added this flaw to its Known Exploited Vulnerabilities catalog, confirming its active use in ransomware campaigns. Federal agencies were directed to apply patches and secure their systems by a June 20, 2024, deadline. For organizations where immediate patching is not feasible, several mitigation strategies are recommended. Administrators can blocklist the ‘nf_tables’ module if it is not required for system operations. Another option is to restrict access to user namespaces, which helps reduce the available attack surface. A third, though potentially unstable, mitigation involves loading the Linux Kernel Runtime Guard (LKRG) module.
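As an added example (not from the article, CISA, or Bleeping Computer), the following POSIX shell audit checks a host against the exposure conditions above: the affected kernel range, whether nf_tables is loaded, whether unprivileged user namespaces are permitted, and whether LKRG is present. It assumes the mainline sysctl user.max_user_namespaces and that LKRG registers as the module lkrg (p_lkrg in older releases); inputs are parameters so it runs against constructed samples as well as a live host.

```shell
#!/bin/sh
# Exposure audit for CVE-2024-1086 (added example; assumptions noted inline).

# 0 if "major.minor[...]" lies in the affected span 3.15 .. 6.7 (fixed in
# 6.8-rc1). Only major.minor is consulted: a distro backport of the fix (for
# example a patched 5.15.x) still matches, so confirm with the vendor advisory.
in_affected_range() {
  major=${1%%.*}
  rest=${1#*.}
  minor=${rest%%.*}
  minor=${minor%%-*}        # strips "-rc1" / "-91-generic" suffixes
  case "$major" in
    3)   [ "$minor" -ge 15 ] ;;
    4|5) return 0 ;;
    6)   [ "$minor" -le 7 ] ;;
    *)   return 1 ;;
  esac
}

# 0 if nf_tables is loaded; $1 is a file in /proc/modules format.
nf_tables_loaded() { grep -q '^nf_tables ' "$1"; }

# 0 if LKRG is loaded (assumed module name lkrg, p_lkrg in older releases).
lkrg_loaded() { grep -Eq '^(p_)?lkrg ' "$1"; }

# 0 if unprivileged user namespaces are permitted; $1 is the value of the
# mainline sysctl user.max_user_namespaces (0 disables them). Debian-based
# kernels also carry kernel.unprivileged_userns_clone; check that separately.
userns_allowed() { [ "$1" -gt 0 ]; }

# Prints the exposure factors found, space-separated (empty when none).
# $1 kernel version, $2 modules file, $3 user.max_user_namespaces value
exposure_findings() {
  findings=""
  in_affected_range "$1" && findings="$findings kernel-in-range"
  nf_tables_loaded "$2"  && findings="$findings nf_tables-loaded"
  userns_allowed "$3"    && findings="$findings unprivileged-userns"
  lkrg_loaded "$2"       || findings="$findings no-lkrg"
  echo "${findings# }"
}

# Live host usage:
#   exposure_findings "$(uname -r)" /proc/modules \
#                     "$(sysctl -n user.max_user_namespaces)"
# Blocklisting, as the advisory suggests, is a modprobe.d entry such as
#   install nf_tables /bin/false
```

An empty result means none of the listed factors is present; a non-empty result is a prompt to patch or apply the mitigations, not proof of exploitability.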
CISA emphasizes that vulnerabilities of this nature are common entry points for cybercriminals and represent a severe risk to any enterprise. The agency strongly advises applying vendor-provided patches promptly or discontinuing the use of the product if no mitigation is available.
(Source: Bleeping Computer)
