CVE-2024-26581 PoC Exploit Released: Linux Systems at Risk of Root Compromise

Security researchers have disclosed technical details and proof-of-concept (PoC) exploit code for CVE-2024-26581, a critical vulnerability in the Linux kernel with a CVSS score of 7.8. This flaw, located in the nftsetrbtree
function of nftables, allows local authenticated attackers to obtain sensitive information from affected systems. The vulnerability, which affects Linux kernel versions 6.1.9 and later, 5.15.91 and later, and 5.10.166 and later, arises from a lack of a crucial check in the nftrbtreegc_elem
function, leading to a use-after-free condition during transaction rollbacks. Attackers can exploit this by inserting set elements with specific flags before triggering an error condition, potentially escalating privileges to root level. Administrators are advised to update their systems, monitor nftables activity, and implement additional security measures such as SELinux to mitigate risks.
The attacker begins by exploiting the vulnerability in the nftsetrbtree
function of the Linux kernel, sending a specially crafted request to trigger a use-after-free condition. Following this, the attacker leverages the use-after-free condition to escalate privileges by modifying process credentials. BlueRock's Process Credential Protection is crucial here, as it prevents unauthorized privilege escalation by blocking attempts to overwrite process credentials with high-privileged values. Without BlueRock, the attacker attempts to gain full control over the system by chaining the initial exploit with subsequent attacks.
- T1190: Exploit Public-Facing Application: The attacker begins by exploiting a vulnerability within the Linux kernel, specifically targeting the nftsetrbtree function. This function is responsible for managing sets in nftables. The vulnerability allows local authenticated attackers to obtain sensitive information by sending a specially crafted request. This corresponds to the technique of Exploiting Public-Facing Application.
- T1068: Exploitation for Privilege Escalation: Once the attacker has successfully triggered the vulnerability, they exploit the use-after-free condition in the nftrbtreegc_elem function. This condition occurs because the function lacks a crucial check, leading to memory that has been deallocated being inadvertently accessed. This can be classified under Exploitation for Privilege Escalation.
- T1005: Data from Local System: The attacker leverages the leaked information from the initial exploit to craft further attacks. By inserting a set element with specific flags and triggering an error condition, they cause a double deletion of a set element. This is a classic example of leveraging information disclosure to further exploit a system, aligning with Data from Local System.
- T1078: Valid Accounts: The attacker then escalates their privileges to root level by chaining the initial exploit with subsequent attacks. This allows them to gain full control over the affected system, fitting the technique of Privilege Escalation.
F1: Exploiting CVE-2024-26581 for information disclosure by triggering a flaw in nftsetrbtree
.
- Attacker gains access as a
local authenticated
user on a Linux system with a vulnerable kernel version (e.g., 6.1.9+, 5.15.91+, 5.10.166+). (Cited from: "allowing local authenticated attackers to obtain sensitive information", "Linux kernel versions 6.1.9 and later, 5.15.91 and later, and 5.10.166 and later are confirmed to be susceptible") - Attacker crafts a
specially crafted request
targeting thenftsetrbtree
function within the nftables framework. (Cited from: "An attacker can trigger this flaw by sending a specially crafted request", "The vulnerability resides within the nftsetrbtree function") - Attacker sends the crafted request, causing the
nftsetrbtree
function to improperly handle an interval lookup during a transaction. - The flaw results in the
unauthorized disclosure of an “end interval element”
during the transaction. (Cited from: "resulting in the unauthorized disclosure of an “end interval element” during a transaction")- BR-41: Container Memory Namespace Isolation - This mechanism is applicable because it isolates memory between namespaces. While not preventing the kernel flaw itself, strong memory isolation could potentially limit the scope or sensitivity of the leaked 'end interval element', making it harder for the attacker to gain useful information about other processes or critical kernel regions outside the affected namespace.
- BR-68: Spaces-based Strong Isolation - This mechanism is applicable because it provides strong physical memory isolation based on active memory namespaces. Similar to BR-41, this could limit the usefulness of the leaked information by preventing the disclosed element from revealing addresses or data related to other isolated memory spaces. Note: This mechanism is currently a proof of concept.
- Attacker captures this
leaked information
, which could contain sensitive kernel memory details. (Cited from: "This leaked information could then be exploited for further malicious activities", "demonstrating the feasibility of leveraging this vulnerability for information leakage")
F2: Triggering a Use-After-Free (UAF) condition via CVE-2024-26581 by manipulating nftables set elements during transaction rollback.
- Attacker gains
local authenticated
access on a vulnerable Linux system. (Cited from: "allowing local authenticated attackers to obtain sensitive information") - Attacker interacts with the
nftables framework
to manipulate set elements. (Cited from: "vulnerability occurs during the rollback of a transaction in the nftables framework") - Attacker inserts a set element with the
NFTASETELEM_EXPIRATION
andNFTASETELEM_TIMEOUT
flags. (Cited from: "insert a set element with the NFTASETELEMEXPIRATION and NFTASETELEMTIMEOUT flags") - Attacker subsequently inserts another element with the
NFTSETELEMINTERVALEND
flag into the same set. (Cited from: "followed by another element with the NFTSETELEMINTERVALEND flag") - Attacker deliberately
triggers an error condition
within the nftables transaction. (Cited from: "before triggering an error condition") - The error triggers the transaction rollback mechanism (
nftablesabort
). (Cited from: "When an error is detected, the rollback mechanism (nftablesabort) is triggered") - During rollback, the
nftrbtreegc_elem
function is called, whichlacks a crucial check
on the 'setelement' referenced by 'prev'. (Cited from: "The core issue lies in the nftrbtreegc_elem function, which lacks a crucial check on the ‘setelement’ referenced by ‘prev’") - This omission leads to the
potential double deletion
(double free) of a set element, creating a Use-After-Free condition. (Cited from: "leading to the potential double deletion of a set element", "This omission can trigger a use-after-free condition")- BR-35: Kernel Integrity Protection - This mechanism is applicable because it protects kernel code and read-only data regions from unauthorized writes. If the exploitation of the UAF condition involves attempting to write to these protected memory areas (e.g., to overwrite code or critical read-only data), BR-35 would detect and potentially block the attempt.
- BR-45: Page Table Protection - This mechanism is applicable because it asynchronously verifies the integrity of kernel page tables. If the attacker leverages the UAF to modify kernel page table entries (e.g., to remap memory or bypass protections), BR-45 could detect this tampering after the fact.
- BR-41: Container Memory Namespace Isolation - This mechanism is applicable because it isolates memory between namespaces. While it doesn't fix the UAF flaw itself, it could potentially contain the immediate impact of the memory corruption within the affected namespace, making it harder for the corruption to directly affect other isolated processes or critical kernel structures.
- BR-68: Spaces-based Strong Isolation - This mechanism is applicable because it provides strong physical memory isolation. Similar to BR-41, it could help contain the memory corruption resulting from the UAF, limiting its spread and impact across different isolated memory spaces. Note: This mechanism is currently a proof of concept.
F3: Leveraging the initial CVE-2024-26581 exploit (information leak or UAF) as a stepping stone towards potential privilege escalation.
- Attacker successfully executes either the information disclosure (F1) or the Use-After-Free trigger (F2). (Cited from: "information leakage", "use-after-free condition")
- Attacker uses the obtained information (e.g., leaked kernel addresses from F1) or the memory corruption primitive (from the UAF in F2) in subsequent, carefully crafted attacks. (Cited from: "This leaked information could then be exploited for further malicious activities", "By chaining this initial exploit with carefully crafted subsequent attacks")
- The ultimate goal of these chained attacks is to
escalate privileges to the root level
. (Cited from: "an attacker could potentially escalate their privileges to the root level, gaining full control over the affected system")