[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

D. Hugh Redelmeier hugh at mimosa.com
Sun Jun 2 11:56:55 EDT 2024


| From: Ron / BCLUG via talk <talk at gtalug.org>

| News is out about a fairly severe Linux vulnerability.

I hadn't been aware of this.  Thanks for posting this.

The CVE was published at the end of January.
By then, a Kernel fix had been committed: 
f342de4e2f33e0e39165d8639387aa6c19dff660
<https://www.cvedetails.com/cve/CVE-2024-1086/>

Fixed in Fedora in an update dated 2024 Feb 5.
More stable distros and unsupported releases will probably remain 
vulnerable.

<https://ubuntu.com/security/CVE-2024-1086>
<https://security-tracker.debian.org/tracker/CVE-2024-1086>


| This is a new one:
| 
| > Federal agency warns critical Linux vulnerability being actively
| > exploited
| > 
| > Cybersecurity and Infrastructure Security Agency urges affected users
| > to update ASAP.
| 
| > The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating
| > of 7.8 out of a possible 10, allows people who have already gained a
| > foothold inside an affected system to escalate their system privileges. It’s
| > the result of a use-after-free error, a class of vulnerability that occurs
| > in software written in the C and C++ languages when a process continues to
| > access a memory location after it has been freed or deallocated.
| > Use-after-free vulnerabilities can result in remote code or privilege
| > escalation.
| 
| 
| https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/

This Ars Technica article seems like a terrible description.  Too little 
information about fielded fixes, too much undigested description, way 
late.

Surely we don't need to be schooled about what a use-after-free error is.  
Certainly C and C++ are not the only languages that let use-after-free 
happen.  Since it is a kernel bug, it has nothing to do with C++.

The confusing diagram at the end of the article seems to be intended to 
show "pwning tech"'s virtuosity and not to inform the reader.

The bug is in the Linux kernel.  It is tough to exploit (I think that the 
impenetrable diagram in the article is trying to make this point).  But 
exploitation is now available to script kiddies.

If someone can run a program of their choosing on your Linux system 
(think: they can log in),
and your kernel is still vulnerable,
they can escalate their privileges.

