CVE-2024-26581 PoC Exploit Released: Linux Systems at Risk of Root Compromise
Security researchers have disclosed technical details and proof-of-concept (PoC) exploit code for CVE-2024-26581, a critical vulnerability in the Linux kernel with a CVSS score of 7.8. The flaw, located in the nft_set_rbtree function of nftables, allows local authenticated attackers to obtain sensitive information from affected systems. The vulnerability, which affects Linux kernel versions 6.1.9 and later, 5.15.91 and later, and 5.10.166 and later, arises from a missing check in the nft_rbtree_gc_elem function, leading to a use-after-free condition during transaction rollbacks. Attackers can exploit it by inserting set elements with specific flags before triggering an error condition, potentially escalating privileges to root. Administrators are advised to update their systems, monitor nftables activity, and apply additional hardening such as SELinux to mitigate the risk.
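The advice to "monitor nftables activity" can be made concrete with auditd, which emits a NETFILTER_CFG record for each nftables configuration change. The following script is an added example, not code from the original post or from any vendor mentioned in it; it parses such records and flags a process that adds or removes set elements in a rapid burst, which is the kind of churn an attempt to trigger the described error path during transaction rollback would produce. The sample log lines are constructed for this example (the pids, timestamps and labels are invented), the window and threshold values are arbitrary tuning knobs, and the heuristic is deliberately coarse: the audit record does not expose element flags, so a burst is a signal to investigate, not proof of exploitation.

```python
"""Heuristic for spotting bursts of nftables set-element changes in auditd output."""
import re
from collections import defaultdict

# Constructed sample records; not captured from a real host. The field order
# mirrors the kernel's NETFILTER_CFG audit record, but the pids, timestamps
# and counts are made up for this example.
SAMPLE_AUDIT_LOG = """\
type=NETFILTER_CFG msg=audit(1700000000.000:301): table=filter:40 family=2 entries=1 op=nft_register_table pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.001:302): table=filter:41 family=2 entries=1 op=nft_register_set pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.020:303): table=filter:42 family=2 entries=1 op=nft_register_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.021:304): table=filter:43 family=2 entries=1 op=nft_register_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.022:305): table=filter:44 family=2 entries=1 op=nft_unregister_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.023:306): table=filter:45 family=2 entries=1 op=nft_register_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.024:307): table=filter:46 family=2 entries=1 op=nft_unregister_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000000.025:308): table=filter:47 family=2 entries=1 op=nft_register_setelem pid=2210 subj=unconfined comm="nft"
type=NETFILTER_CFG msg=audit(1700000300.000:309): table=filter:48 family=2 entries=1 op=nft_register_setelem pid=3101 subj=unconfined comm="firewalld"
type=SYSCALL msg=audit(1700000300.001:310): arch=c000003e syscall=46 success=yes exit=0 pid=3101 comm="firewalld"
"""

# Audit record envelope: type=<TYPE> msg=audit(<timestamp>:<serial>): <key=value fields>
RECORD_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values are either a double-quoted string or a bare token
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# The two NETFILTER_CFG operations that change nftables set elements
SETELEM_OPS = {"nft_register_setelem", "nft_unregister_setelem"}


def parse_record(line):
    """Parse one audit line into a dict, or return None if it is not an audit record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "serial": int(m.group("serial"))}
    for key, quoted, bare in FIELD_RE.findall(m.group("body")):
        rec[key] = quoted if quoted else bare
    return rec


def find_setelem_bursts(lines, window_seconds=1.0, threshold=5):
    """Return one alert per (pid, comm) that changed set elements at least
    `threshold` times inside some interval of length `window_seconds`.
    Both parameters are arbitrary defaults chosen for this example."""
    per_proc = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec and rec["type"] == "NETFILTER_CFG" and rec.get("op") in SETELEM_OPS:
            per_proc[(rec.get("pid"), rec.get("comm"))].append(rec["ts"])

    alerts = []
    for (pid, comm), stamps in per_proc.items():
        stamps.sort()
        start = 0
        best = 0
        # Sliding window over sorted timestamps: find the densest interval
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            alerts.append({"pid": pid, "comm": comm, "ops_in_window": best,
                           "first_ts": stamps[0], "last_ts": stamps[-1]})
    return alerts


if __name__ == "__main__":
    for alert in find_setelem_bursts(SAMPLE_AUDIT_LOG.splitlines()):
        print(f"burst: pid={alert['pid']} comm={alert['comm']} "
              f"{alert['ops_in_window']} set-element ops within 1s")
```

Run against a real host's `ausearch -m NETFILTER_CFG --raw` output after confirming that auditd is enabled, and treat the threshold as a starting point: a firewall manager that reloads large sets legitimately will need a higher value or an allowlist on `comm`.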
The attacker begins by exploiting the vulnerability in the nft_set_rbtree function of the Linux kernel, sending a specially crafted request to trigger a use-after-free condition. The attacker then leverages the use-after-free condition to escalate privileges by modifying process credentials. BlueRock's Process Credential Protection is crucial here, as it prevents unauthorized privilege escalation by blocking attempts to overwrite process credentials with high-privileged values. Without BlueRock in place, the attacker can chain the initial exploit with subsequent attacks in an attempt to gain full control over the system.
- T1190: Exploit Public-Facing Application: The attacker begins by exploiting a vulnerability within the Linux kernel, specifically targeting the nft_set_rbtree function, which is responsible for managing sets in nftables. The vulnerability allows local authenticated attackers to obtain sensitive information by sending a specially crafted request. This corresponds to the technique Exploit Public-Facing Application.
- T1068: Exploitation for Privilege Escalation: Once the attacker has triggered the vulnerability, they exploit the use-after-free condition in the nft_rbtree_gc_elem function. The condition occurs because the function lacks a crucial check, so memory that has already been freed is accessed. This falls under Exploitation for Privilege Escalation.
- T1005: Data from Local System: The attacker leverages the information leaked by the initial exploit to craft further attacks. By inserting a set element with specific flags and triggering an error condition, they cause a double deletion of a set element. This is a classic example of using an information disclosure to further exploit a system, aligning with Data from Local System.
- T1078: Valid Accounts: The attacker then escalates their privileges to root by chaining the initial exploit with subsequent attacks. This gives them full control over the affected system, fitting the technique of Privilege Escalation.