A security researcher has published proof-of-concept (PoC) exploit code for CVE-2024-1085, a high-severity vulnerability in the Linux kernel. The flaw sits in the nftables component of the Netfilter subsystem and allows a local, low-privileged attacker to escalate privileges on affected systems.
The vulnerability has been assigned a CVSS score of 7.8 (high). Exploitation requires local access, but a successful exploit yields root-level control of the host, which makes the bug a serious risk on any multi-user or container host running a vulnerable kernel.
The flaw resides in the nft_setelem_catchall_deactivate() function of the kernel's Netfilter subsystem. The function belongs to nftables, the kernel's packet classification and filtering framework and the successor to iptables (the iptables-nft compatibility layer is built on top of it). The vulnerability is a use-after-free that arises from improper handling of catch-all set elements during deactivation.
nftables, which was designed to modernize and replace the legacy packet filtering frameworks, organizes a ruleset into tables, chains, sets, set elements and rules. Changes to the ruleset are applied as transactions: a batch of netlink commands is staged and then committed (or aborted) atomically. To make that possible, every object carries a genmask that records whether the object is active in the current generation, in the next generation, or in both. When an object is deleted, nft_deactivate_next() marks it inactive in the next generation only, so it stays visible to the running ruleset until the commit, and later operations in the same transaction must use nft_is_active_next() to notice that the object is already scheduled for removal. That next-generation check is what prevents the same object from being released twice.
The vulnerability stems from nft_setelem_catchall_deactivate() using nft_is_active(), which looks at the current generation, instead of nft_is_active_next(). After a first deletion the element is inactive in the next generation but still active in the current one, so a second deletion issued before the commit passes the check and the element is queued for release a second time. The result is a double free, which the exploit turns into a use-after-free.
The researcher showed that triggering the bug is straightforward:
- Create a pipapo set A and a catch-all set element B inside set A.
- Delete element B.
- Delete element B again.
The key to triggering the double free is timing: the deletions in steps 2 and 3 must both reach the kernel before the transaction containing the first one is committed, while B is still active in the current generation. Once that transaction commits, the element is unlinked and released, and a later deletion simply fails to find it.
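The following is an added, user-space model of the generation-mask logic described above; it is not kernel code and not part of the published PoC. It mirrors the nft_genmask_cur/next, nft_is_active, nft_is_active_next and nft_deactivate_next helpers from include/net/netfilter/nf_tables.h, drives them with the three-step sequence from the article, and counts how many times the element gets released under the vulnerable check versus the fixed one. The struct names, the catchall_deactivate() wrapper and the commit() model are simplifications assumed for illustration.

```c
/*
 * Stand-alone model of nf_tables generation masks (added example, not
 * kernel code). Shows why checking the *current* generation in a delete
 * path lets one catch-all element be queued for release twice.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Per-namespace generation cursor (net->nft.gencursor): always 0 or 1. */
struct nft_net_model {
	unsigned int gencursor;
};

/* Catch-all set element. A set genmask bit means "NOT active in that
 * generation", matching the kernel convention. */
struct catchall_elem {
	uint8_t genmask;
	bool on_list;       /* still linked into set->catchall_list */
	unsigned int frees; /* times the commit path released it */
};

static unsigned int nft_genmask_cur(const struct nft_net_model *net)
{
	return 1u << net->gencursor;
}

static unsigned int nft_genmask_next(const struct nft_net_model *net)
{
	return 1u << ((net->gencursor + 1) & 1);
}

/* Vulnerable check: active in the current generation? */
static bool nft_is_active(const struct nft_net_model *net, const struct catchall_elem *e)
{
	return (e->genmask & nft_genmask_cur(net)) == 0;
}

/* Fixed check: active in the next generation? */
static bool nft_is_active_next(const struct nft_net_model *net, const struct catchall_elem *e)
{
	return (e->genmask & nft_genmask_next(net)) == 0;
}

/* Mark inactive in the next generation; still visible in the current one. */
static void nft_deactivate_next(const struct nft_net_model *net, struct catchall_elem *e)
{
	e->genmask = nft_genmask_next(net);
}

/*
 * Deactivate step of a DELSETELEM request for a catch-all element.
 * fixed == false reproduces the vulnerable check, fixed == true the fix.
 * Returns 0 when the element is queued for release, -ENOENT otherwise.
 */
static int catchall_deactivate(const struct nft_net_model *net, struct catchall_elem *e, bool fixed)
{
	if (!e->on_list)
		return -ENOENT;
	if (fixed ? !nft_is_active_next(net, e) : !nft_is_active(net, e))
		return -ENOENT;
	nft_deactivate_next(net, e);
	return 0;
}

/* Commit: flip the generation, then release every queued deletion. */
static void commit(struct nft_net_model *net, struct catchall_elem *e, unsigned int queued)
{
	net->gencursor = (net->gencursor + 1) & 1;
	while (queued--) {
		e->on_list = false;
		e->frees++; /* a second increment is the double free */
	}
}

/* Steps 2 and 3 in one transaction; returns how often B was released. */
static unsigned int run_double_delete(bool fixed)
{
	struct nft_net_model net = { .gencursor = 0 };
	/* genmask 0: element was added and committed earlier (active in both). */
	struct catchall_elem elem = { .genmask = 0, .on_list = true, .frees = 0 };
	unsigned int queued = 0;

	if (catchall_deactivate(&net, &elem, fixed) == 0)
		queued++;
	if (catchall_deactivate(&net, &elem, fixed) == 0)
		queued++;
	commit(&net, &elem, queued);
	return elem.frees;
}

/* Same two deletions, but the first one commits in between. */
static int second_delete_after_commit(bool fixed)
{
	struct nft_net_model net = { .gencursor = 0 };
	struct catchall_elem elem = { .genmask = 0, .on_list = true, .frees = 0 };

	if (catchall_deactivate(&net, &elem, fixed) == 0)
		commit(&net, &elem, 1);
	return catchall_deactivate(&net, &elem, fixed);
}

int main(void)
{
	printf("vulnerable check: element released %u time(s)\n", run_double_delete(false));
	printf("fixed check:      element released %u time(s)\n", run_double_delete(true));
	printf("delete after commit returns %d (-ENOENT is %d)\n",
	       second_delete_after_commit(false), -ENOENT);
	return 0;
}
```

With the vulnerable check the same element is released twice, with the fix the second delete is refused with -ENOENT, and once the first transaction has committed the second delete finds nothing to remove under either check, which is why the two deletions have to land in the same pending transaction.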
The vulnerable code is present in the following stable kernel series from the release listed onward, until the fix was backported:
- 6.1.56 and later
- 5.15.134 and later
The technical write-up and PoC exploit code for CVE-2024-1085 have been published on GitHub, a resource for defenders and attackers alike. With a working exploit public, system administrators and security teams should treat this flaw as a priority.
To mitigate the threat, Linux users and administrators are strongly advised to apply the latest kernel updates from their distribution vendor. Where patching must wait, note that the nftables netlink interface requires CAP_NET_ADMIN, which an unprivileged local user normally obtains by creating a user namespace; restricting unprivileged user namespaces (for example via the user.max_user_namespaces sysctl, or the distribution's equivalent control) reduces the exposure of this and similar nf_tables bugs, at the cost of breaking workloads that rely on unprivileged namespaces.