Univention Bugzilla – Bug 57206
CVE-2024-1086 | Linux kernel's netfilter: nf_tables component can be exploited
Last modified: 2024-04-08 08:37:55 CEST
The customer is asking for a possible security patch, as there is none provided by the Debian security tracker.
UCS 5.0 uses "nf_tables":

```
# uname -r
4.19.0-26-amd64
# grep -o nf_table /proc/modules
nf_tables
```

According to [Ubuntu](https://ubuntu.com/security/CVE-2024-1086) the vulnerability can be mitigated by disabling "unprivileged user name space cloning":

```
# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0
```

So UCS should not be vulnerable by default — unless you add your own (exploitable) firewall rules, in which case you are already "root" and do not need the exploit to become root: Attack-Vector (AV) is "Local".
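An added checker, not part of the bug report, that evaluates the two signals the comment above quotes (nf_tables in /proc/modules and the Debian-specific kernel.unprivileged_userns_clone sysctl) so the same assessment can be run across several hosts; the sample file contents are constructed, not captured from a UCS system, and the "unknown" verdict for kernels without that sysctl is an assumption, since this sysctl alone does not decide it there.

```python
# Added example (not from the bug report): classify a host by the two signals
# quoted in the comment above.
from __future__ import annotations

from pathlib import Path

# Constructed sample inputs shaped like the real files (not from a UCS host).
SAMPLE_PROC_MODULES = (
    "nf_tables 143360 5 nft_compat,nft_counter, Live 0xffffffffc0b00000\n"
    "nft_compat 20480 0 - Live 0xffffffffc0a00000\n"
)
SAMPLE_USERNS_CLONE = "0\n"


def nf_tables_loaded(proc_modules: str) -> bool:
    """True if nf_tables is listed in /proc/modules (first field = module name)."""
    return any(
        line.split()[0] == "nf_tables"
        for line in proc_modules.splitlines()
        if line.strip()
    )


def assess(proc_modules: str, userns_clone: str | None) -> str:
    """Classify a host.

    userns_clone is the content of /proc/sys/kernel/unprivileged_userns_clone,
    or None when that sysctl does not exist (it is a Debian-specific knob).
    """
    if not nf_tables_loaded(proc_modules):
        return "nf_tables-not-loaded"
    if userns_clone is None:
        return "unknown"       # no Debian knob: this sysctl alone cannot tell
    if userns_clone.strip() == "0":
        return "mitigated"     # unprivileged userns disabled, as on UCS 5.0 above
    return "exposed"           # module loaded and unprivileged userns allowed


def assess_local_host() -> str:
    """Run the same check against the live system."""
    modules = Path("/proc/modules").read_text()
    knob = Path("/proc/sys/kernel/unprivileged_userns_clone")
    return assess(modules, knob.read_text() if knob.exists() else None)


if __name__ == "__main__":
    print(assess_local_host())
```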