
A Vulnerability in the Linux Kernel Went Undetected for 7 Years

Cybersecurity researchers have recently disclosed a critical vulnerability (CVE-2024-36904) in the Linux kernel that went unnoticed for seven years. This use-after-free vulnerability could allow attackers to execute arbitrary code in the kernel itself. A Proof-of-Concept (PoC) exploit demonstrating that the flaw can be triggered in practice has recently been made public.

This issue resides in the TCP subsystem of the Linux kernel, specifically in the inet_twsk_hashdance() function, and is caused by a race condition.

The vulnerability occurs in the following scenario:

  • When a time-wait TCP socket is added to the hash table, its reference counter is initialized only afterwards, leaving a window in which the socket is already visible but its counter is not yet valid.
  • If another process looks up and accesses this socket inside that window, it operates on an uninitialized reference counter.
  • Because the reference count is then wrong, the socket can be freed while still in use, a use-after-free that an attacker could turn into arbitrary code execution at the kernel level.
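The three steps above describe a generic reference-counting race: an object is published to a lookup structure before its counter is initialized, so a concurrent lookup that takes a reference unconditionally has that reference silently overwritten when the late initialization stores the counter, and the object is later freed while one side still uses it. The user-space model below is an added illustration and is not code from the kernel or from the article; it replays that interleaving deterministically (a real race is timing-dependent) and contrasts an unconditional increment (the semantics of the kernel's refcount_inc()) with a take-only-if-live increment (the semantics of refcount_inc_not_zero()). The struct, function names and the port value are constructed for the model; the model does not claim to be the kernel's actual patch.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of a time-wait entry sitting in a hash bucket.  The "freed" flag
 * stands in for the allocator so a use-after-free is observable in the
 * model instead of being undefined behaviour. */
struct tw_entry {
    atomic_int refcnt;   /* >= 1 while live; 0 means "not initialized" or dead */
    int port;            /* constructed sample value, no meaning in the model */
    bool freed;
};

/* Unconditional increment: refcount_inc() semantics. */
static void ref_inc(struct tw_entry *e)
{
    atomic_fetch_add(&e->refcnt, 1);
}

/* Increment only if the counter is already live: refcount_inc_not_zero()
 * semantics.  Returns false when the object is not (yet, or any more) live,
 * so the caller must treat the lookup as a miss instead of using the entry. */
static bool ref_inc_not_zero(struct tw_entry *e)
{
    int old = atomic_load(&e->refcnt);
    while (old != 0) {
        /* on failure the CAS reloads 'old' and we retry */
        if (atomic_compare_exchange_weak(&e->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop one reference; "free" (mark) the entry when the last one goes away. */
static void ref_put(struct tw_entry *e)
{
    if (atomic_fetch_sub(&e->refcnt, 1) == 1)
        e->freed = true;
}

/* Deterministic replay of the problematic interleaving:
 *   1. the writer publishes the entry into the bucket (counter still 0)
 *   2. a concurrent lookup finds it and tries to take a reference
 *   3. the writer finishes initialization by *storing* refcnt = 1
 *   4. the lookup side uses the entry, then drops its reference
 *   5. the writer, still believing it owns a reference, touches the entry
 * Returns true if any step touched an entry that was already freed. */
static bool replay_race(bool lookup_uses_inc_not_zero)
{
    struct tw_entry *e = calloc(1, sizeof *e);
    atomic_init(&e->refcnt, 0);
    e->port = 4242;

    struct tw_entry *bucket = e;      /* step 1: visible before the counter is valid */

    struct tw_entry *held = NULL;     /* step 2: lookup inside the window */
    if (lookup_uses_inc_not_zero) {
        if (ref_inc_not_zero(bucket)) /* counter is 0, so this reports a miss */
            held = bucket;
    } else {
        ref_inc(bucket);              /* 0 -> 1, but about to be clobbered */
        held = bucket;
    }

    atomic_store(&e->refcnt, 1);      /* step 3: late init overwrites the lookup's ref */

    bool uaf = false;
    if (held) {                       /* step 4: lookup side uses and releases */
        uaf |= held->freed;
        ref_put(held);                /* 1 -> 0: frees while the writer still holds it */
    }

    uaf |= e->freed;                  /* step 5: writer reads a possibly freed entry */
    if (!e->freed)
        ref_put(e);

    free(e);
    return uaf;
}

int main(void)
{
    printf("lookup with refcount_inc()          -> use-after-free: %s\n",
           replay_race(false) ? "yes" : "no");
    printf("lookup with refcount_inc_not_zero() -> use-after-free: %s\n",
           replay_race(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is the third step: a store of the initial counter value, rather than an increment, discards any reference a concurrent lookup already took, so a lookup that only proceeds when the counter is already non-zero is the side that must refuse the object during the window.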

This vulnerability has been assigned a CVSS 3.1 score of 7.0 (HIGH), indicating a significant security risk.

The following operating systems and products are vulnerable:

  • Red Hat Enterprise Linux 8/9
  • AlmaLinux 9
  • Rocky Linux 8
  • SUSE Linux Enterprise
  • Amazon Linux 2/2023
  • NetApp AFF/FAS storage systems
  • Dell PowerProtect Cyber Recovery

Potential impacts

  • Arbitrary code execution at the kernel level
  • Complete system takeover
  • Data breaches resulting from a compromised host

Exploitation conditions

To exploit this vulnerability, an attacker needs local access to the system with only low privileges. A successful exploit, however, runs code in the kernel, so it can be used as a privilege escalation step that gives the attacker full control over the affected device.

Researchers have observed that exploiting this vulnerability under standard conditions may take several hours.

  • When tested with syzkaller, researchers were able to trigger the bug within 48 hours by running six parallel instances.
  • Enabling KASAN (Kernel Address Sanitizer) and disabling the RCU flag for the TCP cache caused a kernel crash within 30 minutes.
  • Experimental tests were conducted on AlmaLinux 9 (Kernel 5.14.0-362.24.2.el9_3.x86_64) in a VMware Workstation environment.

How to Protect Your System

1. Update the Linux Kernel

This vulnerability was patched in May 2024, but many Linux distributions may not have incorporated the fix into their updates yet.

For Red Hat Enterprise Linux 9, the fix is available in version 5.14-427.26.1 (July 16, 2024).

It is highly recommended to apply the latest security updates for Amazon Linux, SUSE, AlmaLinux, and other distributions immediately.

2. Implement Additional Security Measures

  • Enable SELinux or AppArmor for added security.
  • Monitor system logs and network activity to detect potential threats.
  • Regularly check for new security updates and apply patches as soon as they become available.

3. Mitigating Use-After-Free Exploits

🔹 Activate kernel protection mechanisms such as KASLR, SMEP, and KPTI.
🔹 Use tools to automatically scan for kernel vulnerabilities.
🔹 Enable Exploit Mitigation Tools to prevent potential attacks.

CVE-2024-36904 is a serious vulnerability in the Linux kernel, capable of enabling arbitrary code execution and full system compromise.

💡 Key Recommendations:
🔹 Update your Linux kernel immediately!
🔹 Enable SELinux or AppArmor for enhanced protection.
🔹 Continuously monitor security updates and system logs.

Since this vulnerability affects multiple Linux distributions, it is crucial to keep systems updated and apply proper security measures. Cybersecurity experts should further analyze exploitation techniques and develop effective countermeasures to mitigate potential risks.