.png
)
Overview of the New Linux Kernel Vulnerability
A recent discovery has unveiled a critical vulnerability (CVE-2024-53141) within the Linux kernel’s IP sets framework, presenting severe security risks. This flaw allows local attackers significant privilege escalation, potentially leading to root access.
Details of the Vulnerability
Marked with a CVSS score of 7.8, this security weakness was identified by researchers st424204 and d4em0n. It impacts the bitmap:ip set type in the netfilter subsystem, due to improper management of IPSET_ATTR_CIDR parameters when the TB[IPSET_ATTR_IP_TO] is absent.
Exploitation and Security Implications
The experts have demonstrated that malicious exploitation of this flaw could lead to:
- Out-of-bounds write access to the kernel heap, enabling sensitive address leakage.
- Arbitrary writing outside allocated memory bounds.
- Conversion of out-of-bounds conditions into use-after-free vulnerabilities.
- Bypassing of Kernel Address Space Layout Randomization (KASLR).
- Redirection of kernel execution flow towards attacker-controlled code.
Technical Breakdown of the Exploit
The vulnerability manifests in the bitmap_ip implementation in ‘net/netfilter/ipset/ip_set_bitmap_ip.c’, specifically within function calls such as ‘ip_to_id.’ This function can be tricked into returning values far outside of the intended range.
An available Proof of Concept (PoC) exploit utilizes advanced techniques to:
- Heap Address Leak: Exploit the comment extension in ip_set_init_comment to leak adjacent memory addresses.
- Arbitrary OOB Write: Use the counter extension to write values outside bounds.
- Use-After-Free: Manipulate structures to convert OOB writes into exploitable UAF conditions.
- KASLR Bypass: Leak kernel addresses through heap manipulation.
- Control of RIP and ROP Chain Execution: Gain control of the instruction pointer to execute crafted ROP chains.
| Risk Factors | Details |
|---|---|
| Affected Products | Linux kernel versions 2.6.39 to 4.19.325, 6.6.64, 6.11.11, 6.12.2 (excluding patched versions) |
| Impact | Privilege escalation, kernel-level code execution, KASLR bypass, heap memory corruption, root shell access. |
| Exploit Prerequisites | Local access with low to high privileges depending on system configuration. |
| CVSS 3.1 Score | 7.8 (High) |
Urgent Call for Patching
The affected versions span from kernel 2.6.39 up to prior versions of 4.19.325, 6.6.64, 6.11.11, and 6.12.2. The vulnerability is specifically targeted in Linux kernel version 6.6.62.
Security authorities strongly urge immediate patching as the only effective countermeasure, referencing the addition of crucial range checks in the bitmap_ip_uadt function in updated kernels.
Recommendation: System administrators should apply these patches without delay to mitigate the risk, especially given the public availability of the exploit code that drastically increases the potential for malicious attacks on vulnerable systems.
Related: 5 Crucial Lessons from the 2-Hour Global Zoom Outage Linked to GoDaddy Registry Error
Last Updated: April 18, 2025
