[GTALUG] Federal agency warns critical Linux vulnerability being actively exploited

Karen Lewellen klewellen at shellworld.net
Sun Jun 2 15:34:39 EDT 2024


Actually, something noted in the article brings up a question.
Owning that I am basing this on actual Linux users I know personally... very
few smiles, I wonder this.
If the problem was patched in January, does not Linux update on a regular 
enough basis for the patch to get incorporated for most users?
Karen



On Sun, 2 Jun 2024, D. Hugh Redelmeier via talk wrote:

> | From: Ron / BCLUG via talk <talk at gtalug.org>
>
> | News is out about a fairly severe Linux vulnerability.
>
> I hadn't been aware of this.  Thanks for posting this.
>
> The CVE was published at the end of January.
> By then, a Kernel fix had been committed:
> f342de4e2f33e0e39165d8639387aa6c19dff660
> <https://www.cvedetails.com/cve/CVE-2024-1086/>
>
> Fixed in Fedora in an update dated 2024 Feb 5.
> More stable distros and unsupported releases will probably remain
> vulnerable.
>
> <https://ubuntu.com/security/CVE-2024-1086>
> <https://security-tracker.debian.org/tracker/CVE-2024-1086>
>
>
> | This is a new one:
> |
> | > Federal agency warns critical Linux vulnerability being actively
> | > exploited
> | >
> | > Cybersecurity and Infrastructure Security Agency urges affected users
> | > to update ASAP.
> |
> | > The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating
> | > of 7.8 out of a possible 10, allows people who have already gained a
> | > foothold inside an affected system to escalate their system privileges. It’s
> | > the result of a use-after-free error, a class of vulnerability that occurs
> | > in software written in the C and C++ languages when a process continues to
> | > access a memory location after it has been freed or deallocated.
> | > Use-after-free vulnerabilities can result in remote code or privilege
> | > escalation.
> |
> |
> | https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux-vulnerability-being-actively-exploited/
>
> This Ars Technica article seems like a terrible description.  Too little
> information about fielded fixes, too much undigested description, way
> late.
>
> Surely we don't need to be schooled about what a use-after-free error is.
> Certainly C and C++ are not the only languages that let use-after-free
> happen.  Since it is a kernel bug, it has nothing to do with C++.
>
> The confusing diagram at the end of the article seems to be intended to
> show "pwning tech"'s virtuosity and not to inform the reader.
>
> The bug is in the Linux kernel.  It is tough to exploit (I think that the
> impenetrable diagram in the article is trying to make this point).  But
> exploitation is now available to script kiddies.
>
> If someone can run a program of their choosing on your Linux system
> (think: they can log in),
> and your kernel is still vulnerable,
> they can escalate their privileges.
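
One way to answer Karen's question for a particular machine is to compare the kernel that is actually running with the one the distro's advisory calls fixed. The script below is an added example, not from this thread or from any distro; MIN_FIXED is a placeholder you fill in from your distro's tracker (the Ubuntu and Debian links above), and it assumes installed kernels live in /boot as vmlinuz-<version>. Caveat for the "more stable distros" Hugh mentions: they backport fixes without bumping the upstream version number, so compare against the package version the tracker lists, never against upstream's.

```shell
# Added example: does the RUNNING kernel meet the minimum version from the
# distro advisory for CVE-2024-1086? Also spots the common gap Karen asks
# about: the fixed kernel package is installed, but the host was never rebooted.

# kver_field VERSION N -> Nth dotted component as digits only (missing -> 0)
kver_field() {
    v=$(printf '%s' "$1" | sed 's/[^0-9.].*//')   # drop "-21-amd64" style suffix
    f=$(printf '%s..' "$v" | cut -d. -f"$2")       # pad so missing fields are empty
    printf '%s' "${f:-0}"
}

# kver_ge A B -> exit 0 if kernel version A >= B (major.minor.patch compared numerically)
kver_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        a=$(kver_field "$1" "$i"); b=$(kver_field "$2" "$i")
        if [ "$a" -gt "$b" ]; then return 0; fi
        if [ "$a" -lt "$b" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# newest_installed_kernel -> highest version among /boot/vmlinuz-* (empty if none);
# assumption: the distro names installed kernels /boot/vmlinuz-<version>
newest_installed_kernel() {
    best=""
    for k in /boot/vmlinuz-*; do
        [ -e "$k" ] || continue
        ver=${k#/boot/vmlinuz-}
        if [ -z "$best" ] || ! kver_ge "$best" "$ver"; then best=$ver; fi
    done
    printf '%s' "$best"
}

# check_host MIN_FIXED -> exit 0 when the running kernel is at or above MIN_FIXED;
# MIN_FIXED is a placeholder: take it from your distro's advisory, not from here
check_host() {
    running=$(uname -r)
    installed=$(newest_installed_kernel)
    if ! kver_ge "$running" "$1"; then
        echo "NOT PATCHED BY VERSION: running $running is below $1"
        if [ -n "$installed" ] && kver_ge "$installed" "$1"; then
            echo "  fixed kernel $installed is installed but not booted: reboot pending"
        fi
        return 1
    fi
    echo "OK: running $running is at or above $1"
}

if [ $# -gt 0 ]; then check_host "$1"; fi   # usage: sh check-kernel.sh MIN_FIXED
```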