Federal agency warns critical Linux vulnerability being actively exploited

News is out about a fairly severe Linux vulnerability. This is a new one:
Federal agency warns critical Linux vulnerability being actively exploited
Cybersecurity and Infrastructure Security Agency urges affected users to update ASAP.
The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating of 7.8 out of a possible 10, allows people who have already gained a foothold inside an affected system to escalate their system privileges. It’s the result of a use-after-free error, a class of vulnerability that occurs in software written in the C and C++ languages when a process continues to access a memory location after it has been freed or deallocated. Use-after-free vulnerabilities can result in remote code or privilege escalation.
https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux...

| From: Ron / BCLUG via talk <talk@gtalug.org>

| News is out about a fairly severe Linux vulnerability.

I hadn't been aware of this. Thanks for posting this.

The CVE was published at the end of January. By then, a Kernel fix had been committed: f342de4e2f33e0e39165d8639387aa6c19dff660
<https://www.cvedetails.com/cve/CVE-2024-1086/>

Fixed in Fedora in an update dated 2024 Feb 5. More stable distros and unsupported releases will probably remain vulnerable.
<https://ubuntu.com/security/CVE-2024-1086>
<https://security-tracker.debian.org/tracker/CVE-2024-1086>

| This is a new one:
|
| > Federal agency warns critical Linux vulnerability being actively
| > exploited
| >
| > Cybersecurity and Infrastructure Security Agency urges affected users
| > to update ASAP.
|
| > The vulnerability, tracked as CVE-2024-1086 and carrying a severity rating
| > of 7.8 out of a possible 10, allows people who have already gained a
| > foothold inside an affected system to escalate their system privileges. It's
| > the result of a use-after-free error, a class of vulnerability that occurs
| > in software written in the C and C++ languages when a process continues to
| > access a memory location after it has been freed or deallocated.
| > Use-after-free vulnerabilities can result in remote code or privilege
| > escalation.
|
| https://arstechnica.com/security/2024/05/federal-agency-warns-critical-linux...

This Ars Technica article seems like a terrible description. Too little information about fielded fixes, too much undigested description, way late.

Surely we don't need to be schooled about what a use-after-free error is. Certainly C and C++ are not the only languages that let use-after-free happen. Since it is a kernel bug, it has nothing to do with C++.

The confusing diagram at the end of the article seems to be intended to show "pwning tech"'s virtuosity and not to inform the reader.

The bug is in the Linux kernel. It is tough to exploit (I think that the impenetrable diagram in the article is trying to make this point). But exploitation is now available to script kiddies.

If someone can run a program of their choosing on your Linux system (think: they can log in), and your kernel is still vulnerable, they can escalate their privileges.

On Sun, Jun 02, 2024 at 11:56:55AM -0400, D. Hugh Redelmeier via talk wrote:
> | From: Ron / BCLUG via talk <talk@gtalug.org>
> | News is out about a fairly severe Linux vulnerability.
>
> I hadn't been aware of this. Thanks for posting this.
>
> The CVE was published at the end of January. By then, a Kernel fix had been committed: f342de4e2f33e0e39165d8639387aa6c19dff660 <https://www.cvedetails.com/cve/CVE-2024-1086/>
>
> Fixed in Fedora in an update dated 2024 Feb 5.

Debian also issued a fix in February for those who might be wondering.

Actually, something noted in the article brings up a question. Owning that I am basing this on actual Linux users I know personally... very few, smiles, I wonder this.

If the problem was patched in January, does not Linux update on a regular enough basis for the patch to get incorporated for most users?

Karen

| From: Karen Lewellen via talk <talk@gtalug.org>

| If the problem was patched in January, does not Linux update on a regular
| enough basis for the patch to get incorporated for most users?

Lots of people are slow to apply updates. Once you fall off the wagon, it starts to get harder to get back on. I could give examples but that could be making those systems targets.

Fedora, for example, only provides updates for a year and a bit. It produces new releases every six months. It isn't hard to put something off for a year (I do it all the time). Oops.

RHEL, SuSE, and Ubuntu sell their commercial versions with the promise that updates will be provided for five or more years.

On Sun, 2 Jun 2024 at 16:17, D. Hugh Redelmeier via talk <talk@gtalug.org> wrote:
> RHEL, SuSE, and Ubuntu sell their commercial versions with the promise that updates will be provided for five or more years.

Ubuntu Long Term Support (LTS) releases promise 10 years of security updates with an Ubuntu Pro subscription, which is free for personal use on a limited number of systems.

-- 
Scott

D. Hugh Redelmeier via talk said on Sun, 2 Jun 2024 11:56:55 -0400 (EDT)
> | From: Ron / BCLUG via talk <talk@gtalug.org>
> | News is out about a fairly severe Linux vulnerability.
>
> I hadn't been aware of this. Thanks for posting this.

I hadn't either, so I:

1) Removed the nftables package from my computer

2) Checked my kernel version (6.6.29_1) and confirmed that it's one of the versions that has the fix backported.

Like Ron said, thanks!

SteveT

Steve Litt
Autumn 2023 featured book: Rapid Learning for the 21st Century
http://www.troubleshooters.com/rl21

Maybe i missed it, but can somebody post the "for dummies" command to tell if one has the fix installed?

I realize a different command for each package manager, at least: Deb, pacman, rpm, gentoo, others?

--Carey

| From: CAREY SCHUG via talk <talk@gtalug.org>

| Maybe i missed it, but can somebody post the "for dummies" command to
| tell if one has the fix installed?
|
| I realize a different command for each package manager, at least: Deb, pacman, rpm, gentoo, others?

DON'T PANIC.

For a Bad Guy to exploit this bug, they need to be able to run code of their choosing on your machine. I bet you don't let anyone dangerous log in to your machine. And I bet you don't run random shell scripts from the internet.

The bug is pretty old so you are unlikely to have a kernel that predates the bug's introduction. So you need to have a kernel new enough to have the fix.

Each distro probably released its own announcement some time after late January 2024. The bug's name is CVE-2024-1086. Googling that and your distro's name should get you to any announcement.

Because distros don't want to let the cat out of the bag prematurely, they may be coy in the description of the update. The Good Guys want to release fixes before alerting Bad Guys of a vulnerability.

question still as a dummy.

I try not to open emails from anybody I don't know, hovering over the "from" if the subject is unexpected. But sometimes the mail program jumps as I click, and I open something I did not intend to open. Or a malfeasor might have intercepted an email I sent and crafted a reply from the person I sent it to..... or even have compromised their machine and added code to every email from them.

Could a script in an email exploit this?

I am not panicking, but I am concerned.

--Carey

| From: CAREY SCHUG via talk <talk@gtalug.org>

I changed the Subject. I hope you don't mind.

| question still as a dummy.

Questions are welcome.

| I try not to open emails from anybody I don't know, hovering over the
| "from" if the subject is unexpected.

All this stuff depends on your "Mail User Agent" -- the program you use to read email.

I use alpine(1), a CLI MUA. This is out of the 1990s, but it just doesn't automatically do things that cause problems. So I don't know the joys and sorrows of a GUI MUA first hand.

| But sometimes the mail program jumps as I click, and I open something I
| did not intend to open.

What do you mean by "open"?

A URL sends your web browser to some place selected by the email composer. Is that dangerous? Potentially. How safe is your browser? The URL can send a payload of, for example, your email address or the particular message that you are responding to.

Sometimes email contains something like a .jpg or a spreadsheet.

- Pictures have been known to exploit bugs (rarely). Usually those don't target Linux.

- MS Office documents can definitely contain malware. Usually those don't target Open Office.

| Or a malfeasor might have intercepted an email
| I sent and crafted a reply from the person I sent it to..... or even have
| compromised their machine and added code to every email from them.

Not likely unless you are a high-value target.

| Could a script in an email exploit this?

"this" means "this CVE", right? Unlikely.

| I am not panicking, but I am concerned.

It's hard to know what to be concerned about. I think I'm fairly knowledgeable about this stuff but I get surprised sometimes.

To my knowledge, I have not been attacked successfully on my Linux systems (over 25 years). Of course I might not know about very successful attacks. I get attacked at quite some frequency by Bad Guys trying to log into my systems via SSH. Also: I get SPAM, just like everyone else.

(n.b. I install updates pretty often, roughly every 25-50 days, as I get notices about snaps, and sometimes just closing and opening a program fails to update the snap, and the most common is my browser, of which I have 5-6 windows open, so if I have to close them all, I might as well close everything and check all updates, and reboot just for good measure)

see, they hide info from dummies like me. I found on ubuntu website the fix is

PACKAGE   RELEASE    STATUS
linux (Launchpad, Ubuntu, Debian)
          bionic     Released (4.15.0-223.235)   Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
          focal      Released (5.4.0-174.193)
          jammy      Released (5.15.0-101.111)
          mantic     Released (6.5.0-26.26)
          noble      Pending (6.8.0-7.7)
          trusty     Not vulnerable (3.11.0-12.19)
          upstream   Released (6.8~rc2)
          xenial     Released (4.4.0-252.286)    Available with Ubuntu Pro or Ubuntu Pro (Infra-only)

Patches:
Introduced by e0abdadcc6e113ed2e22c85b350074487095875b
Fixed by f342de4e2f33e0e39165d8639387aa6c19dff660

what am I on?

$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description:    Ubuntu 22.04.4 LTS
Release:        22.04
Codename:       jammy

how do I reconcile that with:

"jammy Released (5.15.0-101.111)"

those seem like completely different number sequences (it is long enough ago to have gone from 5.15 to 6.5, is it?)

also found this:

$ sudo apt list linux-headers-$(uname -r)
[sudo] password for careyschug:
Listing... Done
linux-headers-6.5.0-35-generic/jammy-updates,jammy-security,now 6.5.0-35.35~22.04.1 amd64 [installed,automatic]

also seems like a different sequence

--Carey

| From: CAREY SCHUG via talk <talk@gtalug.org>

| (n.b. I install updates pretty often, roughly every 25-50 days, as I get
| notices about snaps, and sometimes just closing and opening a program
| fails to update the snap, and the most common is my browser, of which I
| have 5-6 windows open, so if I have to close them all, I might as well
| close everything and check all updates, and reboot just for good
| measure)

I tend to do updates once a week, but not like clockwork. The distro I use, Fedora, has a firehose of updates.

You can quit Firefox and then start it up with the same windows. You lose sessions so you may have to log into web sites again.

| see, they hide info from dummies like me.

My Sunday message included the link <https://ubuntu.com/security/CVE-2024-1086>

| I found on ubuntu website the fix is
|
| PACKAGE RELEASE STATUS
| linux
| Launchpad, Ubuntu, Debian bionic Released (4.15.0-223.235)
| Available with Ubuntu Pro or Ubuntu Pro (Infra-only)
| focal Released (5.4.0-174.193)
| jammy Released (5.15.0-101.111)
| mantic Released (6.5.0-26.26)
| noble Pending (6.8.0-7.7)
| trusty Not vulnerable (3.11.0-12.19)
| upstream Released (6.8~rc2)
| xenial Released (4.4.0-252.286)
| Available with Ubuntu Pro or Ubuntu Pro (Infra-only)

I don't like this advertising. I think that it is misleading since the update is available without Ubuntu Pro. (I haven't checked, but it sure better be.)

| Patches:
| Introduced by e0abdadcc6e113ed2e22c85b350074487095875b
| Fixed by f342de4e2f33e0e39165d8639387aa6c19dff660
|
| what am I on?
|
| >lsb_release -a
| No LSB modules are available.
| Distributor ID: Ubuntu
| Description: Ubuntu 22.04.4 LTS
| Release: 22.04
| Codename: jammy
|
| how do I reconcile that with:
|
| "jammy Released (5.15.0-101.111)"
|
| those seem like completely different number sequences (it is long enough ago to have gone from 5.15 to 6.5, is it?)

The patch is to the kernel. So you care about the kernel version. Just check what kernel package you are running.

$ uname -r

or

$ cat /proc/version

will tell you.

Then match it with the numbers in the advisory notice.

(Sorry: in a hurry so I didn't check exactly what you said about versions.)

sorry, does not seem to help.

:~/cts$ uname -r
6.5.0-35-generic

sounds closer to a mantic number than a jammy one, but other query said I was jammy. is it really so long ago that jammy has advanced from 5.15.0-101.111 to 6.5.0-035-generic which is a different format anyway.

if I can't find a query that gives me a number in the format 5.15.x-yyyy I will not think I have found the correct number

I presume I need to query apt to ask for a specific fix number?

--Carey

On Wed, 5 Jun 2024 10:49:13 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
> I tend to do updates once a week, but not like clockwork. The distro I use, Fedora, has a firehose of updates.

Hugh,

I have a cron job that updates my machine every week. I am okay as long as I re-install every year or so. Does this protect me from the bug?

-- 
Howard Gibson
hgibson@eol.ca
http://home.eol.ca/~hgibson

| From: Howard Gibson via talk <talk@gtalug.org>

| On Wed, 5 Jun 2024 10:49:13 -0400 (EDT)
| "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
|
| > I tend to do updates once a week, but not like clockwork. The distro I
| > use, Fedora, has a firehose of updates.
|
| Hugh,
|
| I have a cron job that updates my machine every week. I am okay as
| long as I re-install every year or so. Does this protect me from the
| bug?

I assume that you reboot after updates. The fix is to the kernel and updates themselves don't cause the new kernel to run. That takes a reboot. (There are mechanisms to update a kernel while running but I think that they are not normal except in some server environments.)

There is, of course, a gap of up to a week after your distro releases an update and you applying that update. So that's a window of vulnerability. Of course you were vulnerable before the release too.

Fedora released an update for this particular bug early in February. I think that big distros with professional staff would have released updates at about that time. Debian too, I imagine.

Note: Fedora does not release a new live/installation .iso when a security bug is fixed.

Summary:

- the bug isn't important unless you run random stranger's code on your computer. If you do, the bug would let them escalate their privilege.

- I imagine the only vulnerable systems at the time of the Ars Technica article were those that were not being regularly updated. It came out over three months after fixes were released.

- you can look up what your distro says about CVE-2024-1086

- I fear many containerised systems don't get timely updates. It doesn't seem to be part of that culture.
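Two pieces of advice in this thread can be turned into a script: match `uname -r` against the version the distro advisory names, and make sure the updated kernel is actually the one running (the update lands on disk; only a reboot runs it). The following is an added example written for this page, not code from the thread or from any distribution. It assumes Ubuntu-style version strings: `uname -r` reports the upstream version plus an ABI number (6.5.0-35-generic), while the advisory table names the package version (6.5.0-26.26, meaning ABI 26, upload 26), so both are reduced to 6.5.0-NN before comparing. The advisory table inside the script is constructed from the Ubuntu rows quoted earlier in the thread, and the list of installed kernels in the demo is constructed too. On the earlier puzzle of a 6.5 kernel on a 22.04 system whose row says 5.15.0-101: a 6.5 kernel on jammy is the hardware-enablement (HWE) kernel, the mantic 6.5 kernel rebuilt for jammy (the ~22.04.1 suffix on the package version marks the backport), and Ubuntu tracks HWE kernels as their own source packages (linux-hwe-6.5 for that one), so the row to compare against is the 6.5 kernel's 6.5.0-26, not the jammy linux row's 5.15.0-101.

```shell
#!/bin/sh
# Added example, not from the thread. Two checks for a kernel fix such as
# CVE-2024-1086: (1) does the running kernel (uname -r) meet the fixed version
# the distro advisory names, and (2) is a newer kernel installed than the one
# running, i.e. was the update applied but the reboot skipped.
#
# Ubuntu's uname -r shows upstream version plus ABI number ("6.5.0-35-generic");
# the advisory shows the package version ("6.5.0-26.26" = ABI 26, upload 26).
# Both reduce to "6.5.0-NN", which is what gets compared here.

# Constructed advisory table, "<series> <fixed package version>"; the rows are
# the Ubuntu ones quoted earlier in the thread.
ADVISORY='5.4 5.4.0-174.193
5.15 5.15.0-101.111
6.5 6.5.0-26.26'

# abi_of VERSION: keep "upstream-ABI", drop the flavour ("-generic"), the
# upload number (".26") or anything from a "~" onward.
abi_of() {
    printf '%s' "$1" | sed -e 's/^\([0-9][0-9.]*-[0-9]*\).*/\1/' -e 's/[^0-9.-].*$//'
}

# ver_ge A B: 0 if version A >= B, comparing numeric fields split on "." and "-".
ver_ge() {
    _a=$(printf '%s' "$1" | tr '-' '.')
    _b=$(printf '%s' "$2" | tr '-' '.')
    _i=1
    while [ "$_i" -le 8 ]; do
        _x=$(printf '%s' "$_a" | cut -d. -f"$_i")
        _y=$(printf '%s' "$_b" | cut -d. -f"$_i")
        [ -z "$_x" ] && [ -z "$_y" ] && return 0   # ran out of fields: equal
        _x=${_x:-0}; _y=${_y:-0}
        [ "$_x" -gt "$_y" ] && return 0
        [ "$_x" -lt "$_y" ] && return 1
        _i=$((_i + 1))
    done
    return 0
}

# check_kernel UNAME_R: 0 = at or past the fix, 1 = older than the fix,
# 2 = no advisory row for this kernel series (look that series up separately).
check_kernel() {
    _run=$(abi_of "$1")
    _series=$(printf '%s' "$_run" | cut -d. -f1,2)
    _fixed=
    while read -r _s _v; do
        [ "$_s" = "$_series" ] && _fixed=$_v
    done <<EOF
$ADVISORY
EOF
    if [ -z "$_fixed" ]; then
        echo "$1: no advisory row for kernel series $_series"
        return 2
    fi
    if ver_ge "$_run" "$(abi_of "$_fixed")"; then
        echo "$1: fixed (at or past $_fixed)"
        return 0
    fi
    echo "$1: VULNERABLE (older than $_fixed): update and reboot"
    return 1
}

# newest_of V1 V2 ...: the highest kernel version among the arguments.
newest_of() {
    _best=$1; shift
    for _v in "$@"; do
        ver_ge "$(abi_of "$_v")" "$(abi_of "$_best")" && _best=$_v
    done
    printf '%s\n' "$_best"
}

# needs_reboot UNAME_R INSTALLED...: 0 if an installed kernel is newer than the
# running one (the update landed but the old kernel is still executing).
needs_reboot() {
    _uname=$1; shift
    _running=$(abi_of "$_uname")
    _newest=$(abi_of "$(newest_of "$@")")
    if [ "$_newest" != "$_running" ] && ver_ge "$_newest" "$_running"; then
        echo "running $_uname but $_newest is installed: reboot to run the fixed kernel"
        return 0
    fi
    echo "running $_uname is the newest installed kernel"
    return 1
}

# Demo on constructed inputs. On a real Ubuntu/Debian box:
#   check_kernel "$(uname -r)"; needs_reboot "$(uname -r)" $(ls /lib/modules)
for k in 6.5.0-35-generic 5.15.0-91-generic 6.8.0-31-generic; do
    check_kernel "$k" || :
done
needs_reboot 6.5.0-35-generic 5.15.0-107-generic 6.5.0-35-generic 6.5.0-41-generic || :
```

Two shortcuts avoid the ABI-versus-package-version translation altogether: on Debian and Ubuntu, `dpkg -s linux-image-$(uname -r)` prints a Version: line in exactly the format the advisory table uses, and on Fedora `uname -r` already carries the package release (6.6.x-y.fcNN), so the advisory version matches it directly. `lsb_release` only tells you the distribution release, not which kernel you are running, which is why it cannot settle the question on its own. The table here holds only the rows a practitioner would compare against; a "Not vulnerable" row such as trusty's is deliberately not in it, and a kernel series with no row is reported as such rather than guessed at.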

> Summary:
>
> - the bug isn't important unless you run random stranger's code on your computer. If you do, the bug would let them escalate their privilege.

So - beware of this statement. Every time you access the internet, you run a random stranger's code on your computer. Yes javascript is generally sandboxed, _but_ a lot of active exploitation is chaining a number of small bugs together to achieve the needed effect. There are some great examples on the Google security blog.

Now - having been a distro representative in the past on distros@ - the distros are pretty good at patching these issues, especially when there are serious security issues that led to an embargo. So as long as you regularly do a "dnf update" or whatever the apt equivalent or your distro's equivalent is - you should be fine. Don't forget to reboot to allow the new kernel to actually be running.

> - I imagine the only vulnerable systems at the time of the Ars Technica article were those that were not being regularly updated. It came out over three months after fixes were released.
>
> - you can look up what your distro says about CVE-2024-1086

I would highly discourage this piecemeal update of CVEs. For most users, you do not care what CVE was fixed, but that a CVE was fixed. Keep updating your distro on a regular basis (I tend to do it daily, since Fedora has a lot of churn) and as per theory you should be fine. I cannot think of a workload on a laptop/personal computer which cannot handle a reboot.

Dhaval

On Wed, Jun 05, 2024 at 09:42:11PM -0400, Howard Gibson via talk wrote:
> On Wed, 5 Jun 2024 10:49:13 -0400 (EDT) "D. Hugh Redelmeier via talk" <talk@gtalug.org> wrote:
> > I tend to do updates once a week, but not like clockwork. The distro I use, Fedora, has a firehose of updates.
>
> Hugh,
>
> I have a cron job that updates my machine every week. I am okay as long as I re-install every year or so. Does this protect me from the bug?

Debian has mailing lists that announce when new packages are available (mostly security fixes, but some are just updates like when timezone information changes). I follow those and update accordingly when the fix is available.

A cron job once a week could leave you vulnerable for a whole week. Say you run your cron job every Monday at noon. If that cron job finishes at 12:05 and at 12:10 a security fix becomes available, you will have run a week before the next cron run replaces it.

joeDoe

| From: Steve Litt via talk <talk@gtalug.org>

| 1) Removed the nftables package from my computer

As I understand it, the bug involves the kernel nf_tables features. That is partly implemented by the kernel module kernel/net/netfilter/nf_tables.ko.xz

The userland package nftables isn't involved. Removing it won't do any good.

In general, a local privilege escalation bug doesn't depend on userland code (unless the userland code is setuid). More clearly: a particular exploitation may use userland code, but it could always bring its own.

| Like Ron said, thanks!

You mean: Like Hugh said, thanks Ron!
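The point above, that the vulnerable code is the kernel's nf_tables subsystem and not the nftables userland package, can be checked on a machine rather than taken on faith. The following is an added example written for this page, not code from the thread: it reports whether the running kernel has nf_tables compiled in, built as a loadable module that is currently loaded, built as a module that is not loaded, or left out entirely. It reads three kernel-side files, /boot/config-$(uname -r), /lib/modules/$(uname -r)/modules.builtin and /proc/modules, passed as arguments so the function can be run against constructed copies; the sample files in the demo are constructed and stand in for a typical distro kernel with nf_tables built as a module and loaded by the firewall.

```shell
#!/bin/sh
# Added example, not from the thread: where the nf_tables code that
# CVE-2024-1086 lives in actually sits on a given machine. It is kernel code,
# either built into the kernel image (CONFIG_NF_TABLES=y) or a loadable
# module (CONFIG_NF_TABLES=m); the userland nftables package has no bearing
# on it. Inputs are the kernel config, the builtin-module list and the
# loaded-module list; on a live system those are
#   /boot/config-$(uname -r)  /lib/modules/$(uname -r)/modules.builtin  /proc/modules
# and the demo below runs against constructed copies.

# nf_tables_state CONFIG MODULES_BUILTIN PROC_MODULES
# Prints one of: builtin | loaded | not-loaded | absent | unknown
# Returns 1 only for unknown (no usable information in the inputs).
nf_tables_state() {
    _cfg=$1; _builtin=$2; _procmod=$3
    # Compiled into the image: either the config says so or the module
    # path shows up in modules.builtin (kernel/net/netfilter/nf_tables.ko).
    if grep -q '^CONFIG_NF_TABLES=y$' "$_cfg" 2>/dev/null \
        || grep -q '/nf_tables\.ko$' "$_builtin" 2>/dev/null; then
        echo builtin; return 0
    fi
    if grep -q '^CONFIG_NF_TABLES=m$' "$_cfg" 2>/dev/null; then
        # Each /proc/modules line starts with the module name and a space.
        if grep -q '^nf_tables ' "$_procmod" 2>/dev/null; then
            echo loaded
        else
            echo not-loaded
        fi
        return 0
    fi
    if grep -q '^# CONFIG_NF_TABLES is not set$' "$_cfg" 2>/dev/null; then
        echo absent; return 0
    fi
    echo unknown; return 1
}

# Constructed sample: a distro kernel that builds nf_tables as a module, with
# the module pulled in by a firewall. (Real files carry many more lines.)
demo_dir=$(mktemp -d)
printf 'CONFIG_NETFILTER=y\nCONFIG_NF_TABLES=m\nCONFIG_NFT_CT=m\n' > "$demo_dir/config"
printf 'kernel/fs/ext4/ext4.ko\n' > "$demo_dir/modules.builtin"
printf 'nf_tables 372736 3 nft_compat,nft_chain_nat,nft_ct, Live 0x0000000000000000\n' > "$demo_dir/modules"
printf 'nfnetlink 20480 2 nf_tables, Live 0x0000000000000000\n' >> "$demo_dir/modules"

nf_tables_state "$demo_dir/config" "$demo_dir/modules.builtin" "$demo_dir/modules"
rm -rf "$demo_dir"
```

On a live box, run it as `nf_tables_state /boot/config-$(uname -r) /lib/modules/$(uname -r)/modules.builtin /proc/modules`. "loaded" on an ordinary desktop is normal: firewalld, and the iptables-nft compatibility layer that ufw and Docker use on current distributions, all program the kernel through this module. The output does not change when the nftables userland package is removed, which is the point made above, and if it says "builtin" there is no module to unload at all; either way the kernel update is what fixes the bug.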
participants (9)
- CAREY SCHUG
- D. Hugh Redelmeier
- Dhaval Giani
- Howard Gibson
- joeDoe
- Karen Lewellen
- Ron / BCLUG
- Scott Allen
- Steve Litt