
Security researchers have unveiled the technical details and a proof-of-concept (PoC) exploit for a high-severity vulnerability (CVE-2024-36972, CVSS 7.5) in the Linux kernel’s af_unix component. This double free vulnerability exposes systems to risks such as kernel crashes, privilege escalation, and container escape.
The af_unix component facilitates Unix domain sockets, enabling inter-process communication within the same machine. This essential functionality is used extensively across various applications and services. However, the discovered vulnerability exposes a critical weakness that could be exploited by malicious actors.
The vulnerability resides in the unix_gc() function, which is responsible for garbage-collecting inflight sockets. Under specific conditions, if a socket has MSG_OOB messages queued in unix_sk(sk)->oob_skb, the garbage collector may drop its reference to that skb without holding the lock. If the peer socket concurrently sends another MSG_OOB message, queue_oob() replaces unix_sk(sk)->oob_skb at the same time, so both paths can release the same skb, resulting in double-free memory corruption.
The PoC exploit demonstrates the following steps to exploit the vulnerability:
- Race Window Extension: Utilize timerfd to extend the race condition window.
- Reference Manipulation: Create a circular reference to force unix_gc to free a victim socket.
- Concurrent Execution: Trigger a race condition between unix_gc and queue_oob.
- Memory Reclamation: Reclaim the freed SKB using msg_msg to gain control over its destructor.
- Kernel RIP Control: Use kfree_skb to manipulate the kernel’s control flow and achieve container escape.
The vulnerability affects the following Linux kernel versions:
- v6.8 to v6.9
- v5.15.147
- v6.1.78
- v6.6.17
The issue was introduced by commit 1279f9d9d and has been fixed in commit 9841991a4. System administrators are advised to upgrade to patched versions immediately.
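A quick exposure check against the version list above, as an added example that is not part of the article or of the kernel project: it parses a `uname -r` style release string and reports whether it falls in a listed series or matches a listed point release. It assumes "v6.8 to v6.9" means every 6.8.x and 6.9.x release and that the three point releases are exact matches; distro kernels that backport the fix without changing their version string will still be flagged, so confirm against your vendor's advisory.

```python
import re

# Versions the article lists as affected by CVE-2024-36972.
# Assumption (not stated by the article): "v6.8 to v6.9" is read as
# every 6.8.x and 6.9.x release, while the three stable point releases
# are matched exactly.
AFFECTED_SERIES = {(6, 8), (6, 9)}
AFFECTED_POINT = {(5, 15, 147), (6, 1, 78), (6, 6, 17)}


def parse_kernel_version(release: str) -> tuple:
    """Reduce a release string such as '6.8.4-300.fc40.x86_64',
    '6.1.78-1-amd64' or 'v5.15.147' to (major, minor, patch).
    Distro suffixes after the numeric part are ignored."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_listed_affected(release: str) -> bool:
    """True if the release falls in a listed series or is a listed
    point release. A hit means 'check the vendor advisory for a
    backported fix', not a confirmed vulnerable host."""
    v = parse_kernel_version(release)
    return v[:2] in AFFECTED_SERIES or v in AFFECTED_POINT


def exposure_report(release: str) -> str:
    v = parse_kernel_version(release)
    ver = ".".join(str(x) for x in v)
    if is_listed_affected(release):
        return f"{ver}: in the affected list, verify fix 9841991a4 is applied"
    return f"{ver}: not in the affected list"


if __name__ == "__main__":
    import platform
    # Runs against the local kernel; constructed samples are in the comments.
    print(exposure_report(platform.release()))
```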
The availability of a PoC exploit for CVE-2024-36972 on GitHub raises the urgency for immediate action. Threat actors can weaponize the exploit to target vulnerable systems globally.