CVE-2024-1086
Linux Kernel Privilege Escalation
About CVE-2024-1086
The CVSS score is 7.8 out of 10. The reported success rate of the exploit against Linux kernel v6.4.16 is approximately 99.4% (n=1000), sometimes dropping to 93.0% (n=1000).
This vulnerability was patched by the end of January 2024.
How CVE-2024-1086 Works
The underlying flaw is an input sanitization error in netfilter's nf_tables subsystem. Exploitation requires that nf_tables be available and that unprivileged (guest) user namespaces be enabled.
The exploit is a "data-only" attack: it works purely by manipulating data and does not require executing arbitrary code in kernel memory. Instead, the attacker maliciously modifies existing kernel data structures or resources.
The attack is carried out using the novel Dirty Pagedirectory technique, known as the user-kernel-space mirroring attack (KSMA). This technique maps any physical address, together with its access permissions, to a chosen virtual memory address. By mapping a physical page that holds privileged (root) data this way, the attacker can obtain root privileges.
Requirements of the Attack
To exploit this vulnerability, user namespaces must be enabled (kconfig CONFIG_USER_NS=y), unprivileged users must be allowed to create them (the shell command sysctl kernel.unprivileged_userns_clone=1 enables this), and nf_tables must be enabled (kconfig CONFIG_NF_TABLES=y). By default, these features are active on Debian, Ubuntu, and KernelCTF systems.
On systems with high network activity the attack may be unstable; hosts with WiFi adapters are particularly affected when surrounded by high-traffic WiFi networks.
PoC
git clone https://github.com/Notselwyn/CVE-2024-1086
cd CVE-2024-1086
make
./exploit
To Fix the Vulnerability
Upgrade your Linux kernel to version 6.6.16 or higher, which contains the patches that fix the vulnerability.
Alternatively, download and apply the patch from the following link: Patch Link
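The requirements and fix sections above amount to a checklist a defender can evaluate on a host: is the kernel at or above the fixed release, and if not, are both exploitation preconditions (unprivileged user namespaces and nf_tables) still open? The script below is an added example, not code from the original page or from the PoC repository. It assumes a Linux host with /proc/sys and /proc/modules, optionally /boot/config-$(uname -r), and it compares upstream version numbers only; distribution kernels that backport the fix under an older version number will show as "exposed" even though they are patched, so treat the verdict as a prompt to check the vendor advisory, not as proof. The user.max_user_namespaces sysctl and the /boot/config path come from general kernel knowledge and are not mentioned on the page.

```shell
#!/bin/sh
# Added example (not from the page or the PoC repo): report whether a host still
# meets the exploitation preconditions listed above and whether its kernel is at
# or above the fixed upstream release named on the page (6.6.16).
# Assumptions: Linux with /proc/sys and /proc/modules; optional /boot/config-*.
# Version comparison is by upstream number only (no backport awareness).

FIXED_VERSION="6.6.16"

# parse_version "6.4.16-generic" -> "6 4 16"; a missing patch level is left empty
parse_version() {
    echo "$1" | sed -E 's/^v?([0-9]+)\.([0-9]+)\.?([0-9]*).*$/\1 \2 \3/'
}

# version_ge A B -> exit status 0 when version A >= version B
version_ge() {
    va="$1"; vb="$2"
    set -- $(parse_version "$va"); a1=$1; a2=$2; a3=${3:-0}
    set -- $(parse_version "$vb"); b1=$1; b2=$2; b3=${3:-0}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# assess_exposure KERNEL_VERSION UNPRIV_USERNS(0|1) NF_TABLES(0|1)
# prints one of: patched, exposed, mitigated
assess_exposure() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo patched
    elif [ "$2" = 1 ] && [ "$3" = 1 ]; then
        echo exposed      # both preconditions from the page are met
    else
        echo mitigated    # at least one precondition is closed by configuration
    fi
}

# Live value: Debian-derived kernels expose kernel.unprivileged_userns_clone;
# mainline kernels allow unprivileged user namespaces unless
# user.max_user_namespaces is 0 (assumed from general kernel knowledge).
live_unpriv_userns() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        cat /proc/sys/kernel/unprivileged_userns_clone
    elif [ -r /proc/sys/user/max_user_namespaces ] &&
         [ "$(cat /proc/sys/user/max_user_namespaces)" -eq 0 ]; then
        echo 0
    else
        echo 1
    fi
}

# nf_tables counts as available if the module is loaded, or if the running
# kernel's config has it built in (=y) or loadable on demand (=m).
live_nf_tables() {
    if grep -q '^nf_tables ' /proc/modules 2>/dev/null; then
        echo 1
    elif grep -qE '^CONFIG_NF_TABLES=[ym]$' "/boot/config-$(uname -r)" 2>/dev/null; then
        echo 1
    else
        echo 0
    fi
}

report_live() {
    kv=$(uname -r); userns=$(live_unpriv_userns); nft=$(live_nf_tables)
    echo "kernel=$kv unprivileged_userns=$userns nf_tables=$nft -> $(assess_exposure "$kv" "$userns" "$nft")"
}

# Run the live report only when asked, so the functions can also be exercised
# on constructed values (e.g. assess_exposure 6.4.16 1 1 -> exposed).
if [ "${1:-}" = "--live" ]; then
    report_live
fi
```

Run it as `sh check-cve-2024-1086.sh --live`; no root is needed because the sysctl values are world-readable. A result of "exposed" means updating the kernel is the fix; where that has to wait, closing either precondition removes the page's stated requirements: setting the user-namespace sysctl to 0, or preventing nf_tables from being loaded with an `install nf_tables /bin/false` line in /etc/modprobe.d (note that this does not unload a module that is already loaded, which is why the script checks /proc/modules first).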