Bug 57206 - CVE-2024-1086 | Linux kernel's netfilter: nf_tables component can be exploited
Status: NEW
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
Other Linux
Importance: P3 normal
Assigned To: UCS maintainers
https://nvd.nist.gov/vuln/detail/CVE-...
Depends on:
Blocks:
Reported: 2024-04-03 10:15 CEST by Finn David
Modified: 2024-04-08 08:37 CEST (History)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2024040221000182
Bug group (optional): Security
Max CVSS v3 score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)


Description Finn David univentionstaff 2024-04-03 10:15:24 CEST
The customer is asking for a possible security patch, as there is none provided by the Debian security tracker.
Comment 2 Philipp Hahn univentionstaff 2024-04-03 11:48:23 CEST
UCS 5.0 uses "nf_tables":

# uname -r
4.19.0-26-amd64
# grep -o '^nf_tables' /proc/modules
nf_tables

According to [Ubuntu](https://ubuntu.com/security/CVE-2024-1086) the vulnerability can be mitigated by disabling "unprivileged user name space cloning":

# sysctl kernel.unprivileged_userns_clone
kernel.unprivileged_userns_clone = 0

So UCS should not be vulnerable by default — unless you add your own (exploitable) firewall rules, in which case you are already "root" and do not need the exploit to become root: Attack-Vector (AV) is "Local".
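The two checks from the comment above (is nf_tables loaded, and can unprivileged users create user namespaces) combined into one script, as an added example that is not part of this bug report or of UCS. It assumes the Debian/Ubuntu `kernel.unprivileged_userns_clone` knob and, on kernels that lack it, falls back to `user.max_user_namespaces` (0 means no user namespaces can be created); file paths are parameters so the logic can be exercised on constructed input.

```shell
#!/bin/sh
# Added example, not from the bug report: decide a host's exposure to
# CVE-2024-1086 from the two facts checked in the comment above
# (nf_tables loaded? unprivileged user namespaces creatable?).
# File paths are parameters so the logic can be run on constructed input.
# Assumption: kernel.unprivileged_userns_clone is a Debian/Ubuntu kernel
# knob; on kernels without it, user.max_user_namespaces (0 = none can be
# created) is used as a weaker fallback.

# nf_tables_loaded MODULES_FILE -> true if the nf_tables module is listed.
nf_tables_loaded() {
    # Each /proc/modules line starts with the module name; anchor on it so
    # dependants such as nft_counter (which list nf_tables later in the
    # line) do not produce a false positive.
    grep -q '^nf_tables ' "$1"
}

# userns_state KNOB_FILE MAXNS_FILE -> prints disabled | enabled | unknown
userns_state() {
    if [ -r "$1" ]; then
        [ "$(cat "$1")" = "0" ] && echo disabled || echo enabled
    elif [ -r "$2" ]; then
        [ "$(cat "$2")" = "0" ] && echo disabled || echo enabled
    else
        echo unknown
    fi
}

# assess MODULES_FILE KNOB_FILE MAXNS_FILE -> prints a verdict;
# exit status 0 = not exposed/mitigated, 1 = exposed, 2 = undecidable.
assess() {
    if [ ! -r "$1" ]; then
        echo "check-manually: cannot read module list $1"; return 2
    fi
    if ! nf_tables_loaded "$1"; then
        echo "not-exposed: nf_tables not loaded"; return 0
    fi
    case "$(userns_state "$2" "$3")" in
        disabled) echo "mitigated: nf_tables loaded, unprivileged userns disabled" ;;
        enabled)  echo "exposed: nf_tables loaded, unprivileged userns enabled"; return 1 ;;
        *)        echo "check-manually: nf_tables loaded, userns state unknown"; return 2 ;;
    esac
}

# Live check of the current host when run directly (status not propagated).
assess /proc/modules /proc/sys/kernel/unprivileged_userns_clone \
       /proc/sys/user/max_user_namespaces || true
```

On a UCS 5.0 host in the state the comment describes, the live check prints the "mitigated" verdict; a host where `kernel.unprivileged_userns_clone = 1` and nf_tables is loaded gets "exposed" and exit status 1.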