A new vulnerability was discovered in the Netfilter subsystem in the Linux kernel identified as CVE-2024-1068. The CloudLinux team is actively working to address and mitigate the security issue within our software.
Details on Vulnerability
A vulnerability has been discovered in the Netfilter subsystem of the Linux kernel. This flaw is found in the nft_verdict_init() function, which allows positive values to be interpreted as drop errors in the hook verdict. As a result, the nf_hook_slow() function could trigger a double-free vulnerability when NF_DROP is issued with a drop error similar to NF_ACCEPT. Exploiting this issue in the nf_tables component could result in local privilege escalation.
Mitigation for CloudLinux OS Servers
Use the following commands to update the system to the latest kernel:
for cl8: yum install kernel-4.18.0-513.18.1.lve.2.el8.x86_64
for cl7h: yum install kernel-4.18.0-513.18.1.lve.2.el7h.x86_64
If a rollout slot is not available, you can perform an immediate update using the following commands:
for cl8: yum install kernel-4.18.0-513.18.1.lve.2.el8.x86_64 --enablerepo=cloudlinux-rollout-3-bypass
for cl7h: yum install kernel-4.18.0-513.18.1.lve.2.el7h.x86_64 --enablerepo=cloudlinux-rollout-3-bypass
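The following script is an added example for operators applying the mitigation above; it is not CloudLinux tooling. It reads the running kernel release, checks it against the patched versions listed in this advisory (using sort -V for the version comparison), and prints the matching yum command, with the rollout-bypass repository added when "bypass" is passed as the first argument. The release detection (matching ".el8" or ".el7h" in the kernel string) is an assumption about CloudLinux naming, not something the advisory states.

```shell
#!/bin/sh
# Added example, not CloudLinux's own tooling: report whether the running
# kernel already carries the CVE-2024-1068 fix and print the update command.

# Patched kernel versions taken from the advisory, per CloudLinux release.
PATCHED_EL8="4.18.0-513.18.1.lve.2.el8"
PATCHED_EL7H="4.18.0-513.18.1.lve.2.el7h"

# detect_release KERNEL_RELEASE -> prints el8, el7h or unknown.
# Assumes the release tag appears in the kernel string (e.g. "...lve.2.el8.x86_64").
detect_release() {
    case "$1" in
        *.el8*)  echo el8 ;;
        *.el7h*) echo el7h ;;
        *)       echo unknown ;;
    esac
}

# kernel_is_patched KERNEL_RELEASE
# Returns 0 when the release is at or above the patched version for its family,
# 1 otherwise (including unrecognised releases, which are treated as unpatched).
kernel_is_patched() {
    rel=$(detect_release "$1")
    case "$rel" in
        el8)  patched="$PATCHED_EL8" ;;
        el7h) patched="$PATCHED_EL7H" ;;
        *)    return 1 ;;
    esac
    cur="${1%.x86_64}"                      # drop the architecture suffix if present
    # sort -V orders version strings; the last line is the newer of the two.
    newest=$(printf '%s\n%s\n' "$patched" "$cur" | sort -V | tail -n 1)
    [ "$newest" = "$cur" ]
}

# update_command KERNEL_RELEASE [bypass]
# Prints the yum command from the advisory for the detected release; with the
# optional "bypass" argument the rollout-bypass repository is enabled.
update_command() {
    rel=$(detect_release "$1")
    extra=""
    [ "$2" = "bypass" ] && extra=" --enablerepo=cloudlinux-rollout-3-bypass"
    case "$rel" in
        el8)  echo "yum install kernel-${PATCHED_EL8}.x86_64${extra}" ;;
        el7h) echo "yum install kernel-${PATCHED_EL7H}.x86_64${extra}" ;;
        *)    echo "unrecognised kernel release: $1" >&2; return 1 ;;
    esac
}

# report KERNEL_RELEASE [bypass] -> human-readable status plus the next step.
report() {
    if kernel_is_patched "$1"; then
        echo "kernel $1 already includes the CVE-2024-1068 fix"
    else
        echo "kernel $1 is not patched; run:"
        update_command "$1" "$2" || echo "(release not recognised; see the advisory for the right package)"
    fi
}

# Check the kernel this script is running on.
report "$(uname -r)" "${1:-}"
```

Run it as `sh check-kernel.sh` for the normal rollout command or `sh check-kernel.sh bypass` to get the immediate-update variant. Rebooting into the new kernel is still required after the yum install completes; the script only reports on the kernel currently running.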