Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://fosstodon.org/users/LWN/statuses/112576512652250710">LWN.net (lwn@fosstodon.org)'s status on Saturday, 08-Jun-2024 02:49:23 JST</a><a href="https://fosstodon.org/@LWN" title="lwn@fosstodon.org"><img src="https://gnusocial.jp/avatar/7998-48-20220831134033.webp" width="48" height="48" alt="LWN.net" style="position: absolute; left: 0; top: 0;">LWN.net</a></section><article><p>Linux nftables vulnerability exploited in the wild (CrowdStrike) <a href="https://lwn.net/Articles/977583/" rel="nofollow noreferrer">https://lwn.net/Articles/977583/</a> <a href="https://fosstodon.org/tags/LWN" rel="tag">#LWN</a></p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/3207849#notice-6336470">In conversation</a><time datetime="2024-06-08T02:49:23+09:00" title="Saturday, 08-Jun-2024 02:49:23 JST">about 6 months ago</time> <span>from <span><a href="https://fosstodon.org/@LWN/112576512652250710" rel="external" title="Sent from fosstodon.org via ActivityPub">fosstodon.org</a></span></span><a href="https://fosstodon.org/@LWN/112576512652250710">permalink</a><h4>Attachments</h4><ol><li><article><header><div>Domain not in remote thumbnail source whitelist: static.lwn.net</div><h5><a href="https://lwn.net/Articles/977583/">Linux nftables vulnerability exploited in the wild (CrowdStrike)</a></h5><div></div></header><div>According to CrowdStrike, avulnerability in the Linux kernel's nftables code
that was  discovered earlier this
year is being actively exploited in the wild. The vulnerability allows for
local privilege escalation. Most distributions have already released a fix.As noted by the exploit developer, leveraging this POC is dependent on the
kernel's unprivileged user namespaces feature accessing nf_tables. This access
is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF)
distributions. An attacker can then trigger the double-free vulnerability, scan
the physical memory for the kernel base address, bypass kernel address-space
layout randomization (KASLR) and access the modprobe_path kernel variable with
read/write privileges. After overwriting the modprobe_path, the exploit drops a
root shell.</div><footer></footer></article></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
LWN.net (lwn@fosstodon.org)'s status on Saturday, 08-Jun-2024 02:49:23 JST LWN.net
Linux nftables vulnerability exploited in the wild (CrowdStrike) https://lwn.net/Articles/977583/ #LWN
In conversationabout 6 months ago from fosstodon.orgpermalink
Attachments
1. Domain not in remote thumbnail source whitelist: static.lwn.net
  Linux nftables vulnerability exploited in the wild (CrowdStrike)
  According to CrowdStrike, a vulnerability in the Linux kernel's nftables code that was discovered earlier this year is being actively exploited in the wild. The vulnerability allows for local privilege escalation. Most distributions have already released a fix. As noted by the exploit developer, leveraging this POC is dependent on the kernel's unprivileged user namespaces feature accessing nf_tables. This access is enabled by default on Debian, Ubuntu and kernel capture-the-flag (CTF) distributions. An attacker can then trigger the double-free vulnerability, scan the physical memory for the kernel base address, bypass kernel address-space layout randomization (KASLR) and access the modprobe_path kernel variable with read/write privileges. After overwriting the modprobe_path, the exploit drops a root shell.

Public

Embed Notice

HTML Code

Corresponding Notice