Linux Kernel Initiative Identifies Vulnerability CVE-2024-26809
Quick take - In March 2024, a research initiative began monitoring commits to Linux kernel subsystems with a history of exploitable bugs. It turned up CVE-2024-26809, a double free in the netfilter subsystem that could be used for local privilege escalation and container escape, showing that exploitable kernel bugs, and the window between a public fix and its deployment, remain a practical concern despite improvements in kernel security.
Fast Facts
- In March 2024, a research initiative was launched to monitor Linux kernel subsystems for vulnerabilities, focusing on local privilege escalation (LPE) and container escape capabilities.
- A significant vulnerability, CVE-2024-26809, was found in the netfilter subsystem: a double free in the pipapo set backend that allowed a single, universal exploit to work across different kernel builds.
- The exploit did not have to be rebuilt with per-build kernel symbols and used no return-oriented programming (ROP) gadgets, which makes it unusually portable.
- The research demonstrated how a 1-day vulnerability could be exploited to achieve 0-day-like capabilities, by bypassing kernel mitigations and manipulating kernel memory.
- Despite advances in kernel security, the findings underscore that exploitable bugs persist and that the open-source patch gap (the window between a fix landing publicly upstream and its reaching deployed kernels) lets attackers keep exploit capability alive.
Monitoring Vulnerabilities in Linux Kernel Subsystems
In late March 2024, an initiative was launched to monitor commits to Linux kernel subsystems that have historically produced exploitable bugs. The research assessed how feasible it is to maintain local privilege escalation (LPE) and container escape capability through patch-gapping, that is, exploiting 1-day vulnerabilities in the window between a public fix and its deployment.
Key Discoveries
A key discovery was an exploitable bug in the netfilter subsystem, CVE-2024-26809, originally found by a researcher known as lonial con. The issue was a double free: under certain conditions the same element-release function was invoked twice for the same elements. The flaw lent itself to a universal exploit that works across different kernel builds, without recompiling the exploit against per-build symbols and without return-oriented programming (ROP) gadgets.
The netfilter subsystem is the kernel's packet filtering framework, used by nftables, iptables and firewalld. It runs inside the kernel, the core of the operating system that enforces user isolation and permissions and manages networking, filesystem access, memory and task scheduling, so a memory-safety bug there executes with full kernel privileges.
Exploitation Process
Within nf_tables, changes to objects and state are grouped into transactions with three phases: a control-plane pass that validates and prepares the changes, a commit path that applies them, and an abort path that rolls them back. CVE-2024-26809 was introduced by a commit that made a double free possible under specific conditions. The root cause was a "dirty" flag in the private data of a pipapo set (the set backend used for ranges in concatenations), which records that the control-plane pass changed the set's working clone in the current transaction; with the flag set, the destroy path released the set's elements from both the live copy and the clone, even though both referenced the same element objects. The fix changed the destroy path to release elements from the clone only, so each element is freed once.
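To make the double-free mechanism concrete, here is an added example written for this summary; it is a simplified model in C, not the kernel's nft_set_pipapo code and not material from the original write-up. It assumes a live table and a clone that share element pointers, a dirty flag set by a control-plane insert, and a constructed scenario in which a set with two committed elements receives a third in a transaction and is then destroyed. The struct and function names are invented for the model; only the shape of the bug and of the fix follows the description above.

```c
#include <stdbool.h>
#include <stdlib.h>

#define MAX_ELEMS 8

/* Set element. `freed` counts release calls so a second release can be observed
 * instead of crashing the process. */
struct elem { int key; int freed; };

/* One lookup-table snapshot. The live table and the clone are distinct objects
 * that point at the SAME elements, so walking both and releasing is a double free. */
struct match { struct elem *elems[MAX_ELEMS]; int nelems; };

/* Per-set private data (the role the kernel's per-set pipapo struct plays). */
struct pipapo_priv {
	struct match *match;	/* view the packet path currently uses */
	struct match *clone;	/* working copy the control plane edits */
	bool dirty;		/* control plane changed the clone in this transaction */
};

static int g_double_frees;

static void elem_release(struct elem *e)
{
	if (e->freed++ > 0)
		g_double_frees++;	/* kernel: the same object would reach kfree() twice */
}

/* Role of the kernel's match-destroy helper: release every element in one table. */
static void match_release_elems(struct match *m)
{
	for (int i = 0; i < m->nelems; i++)
		elem_release(m->elems[i]);
}

static struct match *match_clone(const struct match *src)
{
	struct match *c = malloc(sizeof(*c));
	*c = *src;	/* copies element POINTERS, not the elements themselves */
	return c;
}

/* Vulnerable destroy: releases from the live table, then again from the clone
 * whenever it is dirty; elements present in both tables are released twice. */
static void destroy_vulnerable(struct pipapo_priv *priv)
{
	if (priv->match)
		match_release_elems(priv->match);
	if (priv->clone && priv->dirty)
		match_release_elems(priv->clone);
	free(priv->match);
	free(priv->clone);
	priv->match = priv->clone = NULL;
}

/* Fixed destroy: the clone always carries the current view, so release from the
 * clone only, and from the live table only when no clone exists. */
static void destroy_fixed(struct pipapo_priv *priv)
{
	if (priv->clone)
		match_release_elems(priv->clone);
	else if (priv->match)
		match_release_elems(priv->match);
	free(priv->match);
	free(priv->clone);
	priv->match = priv->clone = NULL;
}

/* Constructed scenario: elements 1 and 2 are committed and visible in the live
 * table; element 3 is inserted into the clone by the control plane in the current
 * transaction (dirty = true); then the set is destroyed.
 * Returns the number of double frees; *never_freed (may be NULL) receives the
 * number of elements that were never released. */
int run_scenario(bool use_fixed, int *never_freed)
{
	struct elem e[3] = { {1, 0}, {2, 0}, {3, 0} };
	struct match *live = calloc(1, sizeof(*live));
	struct pipapo_priv priv = { 0 };

	live->elems[live->nelems++] = &e[0];
	live->elems[live->nelems++] = &e[1];
	priv.match = live;
	priv.clone = match_clone(live);	/* after a commit the clone mirrors the live table */

	priv.clone->elems[priv.clone->nelems++] = &e[2];	/* uncommitted insert */
	priv.dirty = true;

	g_double_frees = 0;
	if (use_fixed)
		destroy_fixed(&priv);
	else
		destroy_vulnerable(&priv);

	int leaked = 0;
	for (int i = 0; i < 3; i++)
		if (e[i].freed == 0)
			leaked++;
	if (never_freed)
		*never_freed = leaked;
	return g_double_frees;
}

/* Convenience wrapper: how many elements the chosen destroy path leaks. */
int leaked_after_destroy(bool use_fixed)
{
	int n = 0;
	run_scenario(use_fixed, &n);
	return n;
}
```

Running run_scenario(false, ...) reports two elements released twice (the ones present in both tables), while run_scenario(true, ...) releases every element exactly once with nothing leaked: the clone already holds the full current view, so walking the live table as well is precisely what produced the double free.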
The write-up then walked through how a 1-day vulnerability can be turned into 0-day-like LPE and container escape capability, over a period of roughly two months. Techniques included bypassing the kernel allocator's double-free detection, leaking the kernel address space layout randomization (KASLR) base, and hijacking control flow while avoiding a context switch inside a Read-Copy-Update (RCU) critical section. The exploit also brute-forced the kernel's physical base address by probing candidate addresses at the kernel's physical alignment, which let it overwrite kernel memory with controlled values and complete the escalation.
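The summary says the exploit bypassed double-free detection but not which check or how. The added example below, again not code from the original write-up or from the kernel, models the naive check that CONFIG_SLAB_FREELIST_HARDENED adds to SLUB's set_freepointer() (it refuses to free an object that is already the freelist head) and shows why a single legitimate free of another object placed between the two frees slips past it. It assumes that this is the detection the write-up refers to; the toy cache leaves out SLUB's freelist pointer obfuscation, its per-CPU and partial-slab split, and any other debugging checks.

```c
#include <stdbool.h>
#include <stddef.h>

#define CACHE_OBJS 4

/* Toy per-CPU slab cache: like SLUB, every free object stores the address of the
 * next free object in its first word, and `freelist` is the head. Each "object"
 * here is one pointer-sized slot. */
struct toy_cache {
	void *freelist;
	void *objs[CACHE_OBJS];	/* the slab's objects; first word doubles as next pointer */
};

/* Hardened free: refuse to link an object to itself. This mirrors the naive check
 * CONFIG_SLAB_FREELIST_HARDENED adds to set_freepointer(), BUG_ON(object == fp).
 * Returns false where the kernel would BUG. */
static bool toy_free(struct toy_cache *c, void *obj)
{
	if (obj == c->freelist)
		return false;		/* object is already the head: back-to-back double free */
	*(void **)obj = c->freelist;	/* obj->next = old head */
	c->freelist = obj;
	return true;
}

/* Pop the head; the allocator trusts the next pointer stored inside the object. */
static void *toy_alloc(struct toy_cache *c)
{
	void *obj = c->freelist;
	if (obj)
		c->freelist = *(void **)obj;
	return obj;
}

static void toy_cache_init(struct toy_cache *c)
{
	c->freelist = NULL;
	for (int i = 0; i < CACHE_OBJS; i++)
		toy_free(c, &c->objs[i]);
}

/* Freeing the same object twice in a row trips the check. */
bool back_to_back_double_free_caught(void)
{
	struct toy_cache c;
	toy_cache_init(&c);
	void *a = toy_alloc(&c);
	toy_free(&c, a);
	return !toy_free(&c, a);
}

/* Free a, then some other object b, then a again. After free(b) the head is b, so
 * a != head and the second free of a passes. The list is now a -> b -> a -> ...
 * Returns true if the check caught the second free of a. */
static bool build_interleaved(struct toy_cache *c)
{
	toy_cache_init(c);
	void *a = toy_alloc(c);
	void *b = toy_alloc(c);
	toy_free(c, a);
	toy_free(c, b);
	return !toy_free(c, a);
}

bool interleaved_double_free_caught(void)
{
	struct toy_cache c;
	return build_interleaved(&c);
}

/* Consequence of the cyclic freelist: the first and third allocations return the
 * same object, handing an attacker two live references to one chunk. */
bool interleaved_double_free_aliases(void)
{
	struct toy_cache c;
	build_interleaved(&c);
	void *x = toy_alloc(&c);
	void *y = toy_alloc(&c);
	void *z = toy_alloc(&c);
	return x == z && x != y;
}
```

The back-to-back case is caught; the interleaved case passes and leaves a cyclic freelist, so the first and third allocations hand out the same object, which is the state a double-free exploit builds on. The practical lesson is that this check only ever catches the laziest double free and is no substitute for fixing the bug.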
Conclusion
The research closes with a disclosure timeline covering the bug's discovery, the public patch release, and the development of the exploits. Despite ongoing improvements in kernel security, the findings point to a persistent supply of exploitable bugs, and the open-source patch gap continues to let attackers maintain exploit capability, which raises concerns about the robustness of the protections around kernel subsystems.
Original Source: Read the Full Article Here