- Summary: CISA added CVE-2024-1086 to its Known Exploited Vulnerabilities Catalog in late January 2024. It's a use-after-free vulnerability in the Linux kernel's netfilter with a CVSS of 7.8 (High). Since disclosure, adversaries have been targeting it. A security researcher released a POC on March 26. CrowdStrike's ExPRT.AI upgraded the severity to Critical in April. Their teams observed threat actors trying to exploit it in mid-April. CISA added it again in May. The vulnerability affects major Linux distributions. It's caused by an `nf_tables` component flaw. The POC achieves local privilege escalation. CrowdStrike uses a layered approach with machine learning and IOAs to prevent exploitation. Customers can use Falcon Exposure Management to identify vulnerable systems. They should assess their environment and apply patches. Relevant hash is provided. Additional resources include details about Falcon Exposure Management, Falcon Spotlight, and a free trial of Falcon Prevent.
Main points:
- CVE-2024-1086 details and its impact on Linux distributions.
- Security researcher's POC and its exploit details.
- CrowdStrike's detection and prevention measures.
- Recommendations for customers to assess and patch.
Key information:
- Disclosed on January 31, 2024.
- Severity upgraded to Critical by CrowdStrike.
- Affected Linux kernel versions.
- CrowdStrike's detection and prevention tools.
Important details:
- Specific dates of events like March 26 and May 30.
- Details of the vulnerability in the Linux kernel.
- How CrowdStrike's prevention works with specific figures.