CVE-2024-0193

7.8 HIGH

📋 TL;DR

A use-after-free in the Linux kernel's netfilter nf_tables subsystem. When a catchall set element is garbage-collected while the pipapo set that holds it is being removed, the element is deactivated twice; the resulting use-after-free on an NFT_CHAIN or NFT_OBJECT object lets a local user corrupt kernel memory and escalate to root. Reaching the bug needs CAP_NET_ADMIN over a network namespace. On hosts that permit unprivileged user namespaces (the default on most current distributions) any local user can obtain that with unshare(CLONE_NEWUSER|CLONE_NEWNET), so in practice the capability requirement only limits exposure where user namespaces are disabled. Only Linux systems with nf_tables compiled in or loadable are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Upstream, the fix ("netfilter: nf_tables: skip set commit for deleted/destroyed sets") was merged for Linux 6.7 in December 2023 and backported to the maintained stable series; distributions ship it under their own kernel build numbers, so compare against the vendor advisory for your distribution rather than against an upstream version.
Operating Systems: Linux distributions using affected kernel versions (e.g., RHEL, CentOS, Ubuntu)
Default Config Vulnerable: ⚠️ Yes
Notes: nf_tables is built in or shipped as a module with every mainstream distribution kernel, so assume the code is present. What decides exposure is who can get CAP_NET_ADMIN: most current distributions (including RHEL 8 and later) allow unprivileged user namespaces by default, which hand any local user CAP_NET_ADMIN over a network namespace of their own.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴

Worst Case

Local privilege escalation to root, enabling complete system compromise, data theft, and persistence establishment.

🟠

Likely Case

Any local account on a host that permits unprivileged user namespaces (interactive users, service accounts, CI jobs) escalates to root; where user namespaces are restricted, only processes or containers that already hold CAP_NET_ADMIN are in scope. Either way the outcome is administrative access and a base for lateral movement.

🟢

If Mitigated

Negligible once the fixed kernel is running. Until then, disabling unprivileged user namespaces (or blocking nf_tables on hosts that do not need it) confines the bug to processes that already hold CAP_NET_ADMIN in the initial user namespace, which are administrative anyway; unprivileged users are unaffected only under that restriction.

🌐 Internet-Facing: LOW on its own - there is no network trigger; it is a post-exploitation step chained after a remote code execution bug or a compromised container, either of which supplies the local foothold it needs.
🏢 Internal Only: MEDIUM to HIGH - on hosts that allow unprivileged user namespaces every local account can reach it; where user namespaces are restricted, only users or containers holding CAP_NET_ADMIN are in scope.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local code execution plus CAP_NET_ADMIN over a network namespace (trivially obtained through a user namespace where those are permitted); no public proof-of-concept for this CVE was confirmed at the time of analysis. Turning an nf_tables use-after-free into a root shell against KASLR, SMEP/SMAP and hardened allocators takes real work, but the techniques are well documented from earlier nf_tables bugs, hence the MEDIUM rating.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Upstream fix "netfilter: nf_tables: skip set commit for deleted/destroyed sets" (Linux 6.7, backported to stable). Distribution builds vary; refer to Red Hat advisories RHSA-2024:1018, RHSA-2024:1019, etc., or the equivalent advisory for your distribution, for the exact patched kernel version.

Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:1018

Restart Required: Yes

Instructions:

1. Install the fixed kernel with the distribution package manager ('dnf update kernel' on RHEL 8/9, 'yum update kernel' on RHEL 7, 'apt upgrade' on Debian/Ubuntu).
2. Reboot: the new kernel is only active after a reboot ('dnf needs-restarting -r' on RHEL reports whether one is still pending).
3. After the reboot, confirm with 'uname -r' that the running kernel is the patched build named in the advisory, not merely that the package is installed.

🔧 Temporary Workarounds

Restrict who can obtain CAP_NET_ADMIN

linux

'setcap' does not help here: file capabilities grant CAP_NET_ADMIN to binaries, they do not take it away from users, and any user can mint the capability for themselves by creating a user namespace. The effective control is to disable unprivileged user namespaces, which confines the bug to processes that already hold CAP_NET_ADMIN in the initial namespace.

Mainline sysctl: 'sysctl -w user.max_user_namespaces=0' (persist it in /etc/sysctl.d/). Debian/Ubuntu kernels additionally offer 'sysctl -w kernel.unprivileged_userns_clone=0'. Caveat: rootless containers (podman, rootless Docker), Flatpak and browser sandboxes depend on user namespaces and will break; test before rolling out.

Block the nf_tables module if unused

linux

Only an option on hosts that do not use nftables as their firewall: firewalld on RHEL 8 and later, and iptables-nft (the default iptables on current Debian and Ubuntu), sit on nf_tables, so removing it drops the host firewall.

Check how the module is built with 'grep CONFIG_NF_TABLES= /boot/config-$(uname -r)'. If it is '=y' it is built in and cannot be removed. If it is '=m', 'modprobe -r nf_tables' only succeeds when nothing depends on it, and nfnetlink will autoload it again on the next request from any namespace; prevent that with 'echo "install nf_tables /bin/false" > /etc/modprobe.d/disable-nf_tables.conf' and confirm with 'lsmod | grep "^nf_tables"'.

🧯 If You Can't Patch

  • Disable unprivileged user namespaces so that only processes already holding CAP_NET_ADMIN can reach nf_tables; on hosts that do not run nftables, block the module as well.
  • Treat any host where untrusted code runs locally (shared shells, CI runners, containers with CAP_NET_ADMIN or a permissive seccomp profile) as one hop from root until it is rebooted into a fixed kernel.
  • Monitor kernel logs for Oops/KASAN traces naming nf_tables symbols and audit logs for user-namespace creation and nfnetlink use by non-root processes; failed exploitation attempts often crash the kernel, so unexplained panics on these hosts warrant investigation.

🔍 How to Verify

Check if Vulnerable:

Compare the running kernel with the fixed build in your vendor's advisory. An installed package is not enough; the running kernel is what matters:

uname -r
rpm -q kernel
rpm -q --changelog kernel | grep -m1 CVE-2024-0193

The last two lines are for RHEL/CentOS; the changelog entry appears once the fix is in the package. On Debian-derived systems, grep the kernel package's changelog.Debian.gz for CVE-2024-0193 or consult the distribution security tracker.

Check Version:

uname -r

Verify Fix Applied:

After the update and reboot, 'uname -r' must print the patched kernel version from the advisory. Also confirm that an older kernel is not still the default boot entry ('grubby --default-kernel' on RHEL).
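The workaround and verification steps above come down to two questions: is nf_tables present in the running kernel, and can an unprivileged user mint CAP_NET_ADMIN for themselves by creating a user namespace? The script below, an added example that is not part of the advisory or of any vendor tooling, answers both from the kernel config text and the two sysctls that gate user namespaces. Function names (nft_build_mode, userns_allowed, exposure, live_report) and the demo values are my own; the sysctl names and the /boot/config-$(uname -r) path are the real ones.

```shell
#!/bin/sh
# Added example; not part of the advisory or of any vendor tooling.
# Classifies who on a host can reach the nf_tables code path. Inputs are the
# kernel config text and the two sysctls that gate unprivileged user
# namespaces. The values in demo() are constructed; live_report() reads the
# running system instead.

# nft_build_mode CONFIG_TEXT -> builtin | module | absent | unknown
# "module" is not a mitigation by itself: nfnetlink autoloads nf_tables on
# first use unless loading is blocked in /etc/modprobe.d
# (install nf_tables /bin/false).
nft_build_mode() {
    [ -n "$1" ] || { echo unknown; return 0; }
    if printf '%s\n' "$1" | grep -q '^CONFIG_NF_TABLES=y$'; then
        echo builtin
    elif printf '%s\n' "$1" | grep -q '^CONFIG_NF_TABLES=m$'; then
        echo module
    else
        echo absent
    fi
}

# userns_allowed MAX_USER_NAMESPACES [UNPRIVILEGED_USERNS_CLONE]
# Returns 0 when an unprivileged process can unshare(CLONE_NEWUSER) and so
# obtain CAP_NET_ADMIN over a fresh network namespace.
#   user.max_user_namespaces         mainline sysctl; 0 disables user namespaces
#   kernel.unprivileged_userns_clone Debian/Ubuntu-only sysctl; 0 limits them to root
userns_allowed() {
    max=$1
    clone=${2:-1}   # sysctl absent on mainline kernels: nothing restricts them
    [ "$max" -gt 0 ] && [ "$clone" -ne 0 ]
}

# exposure CONFIG_TEXT MAX_USER_NAMESPACES [UNPRIVILEGED_USERNS_CLONE]
#   not-exposed         nf_tables is not compiled in
#   any-local-user      nf_tables present and unprivileged user namespaces allowed
#   cap-net-admin-only  nf_tables present; only processes already holding
#                       CAP_NET_ADMIN in the initial user namespace can reach it
exposure() {
    case "$(nft_build_mode "$1")" in
        absent)  echo not-exposed; return 0 ;;
        unknown) echo unknown;     return 0 ;;
    esac
    if userns_allowed "$2" "${3:-1}"; then
        echo any-local-user
    else
        echo cap-net-admin-only
    fi
}

# Report for the running kernel; prints nothing where the inputs are unreadable.
live_report() {
    cfg=/boot/config-$(uname -r)
    maxns=/proc/sys/user/max_user_namespaces
    clone=/proc/sys/kernel/unprivileged_userns_clone
    [ -r "$cfg" ] && [ -r "$maxns" ] || return 0
    if [ -r "$clone" ]; then
        exposure "$(cat "$cfg")" "$(cat "$maxns")" "$(cat "$clone")"
    else
        exposure "$(cat "$cfg")" "$(cat "$maxns")"
    fi
}

# Constructed demo: a distribution kernel with nf_tables built in and user
# namespaces on (the usual default), then the same kernel under each sysctl.
demo() {
    cfg='CONFIG_NF_TABLES=y
CONFIG_NF_TABLES_INET=y'
    printf 'default sysctls:             %s\n' "$(exposure "$cfg" 28633 1)"
    printf 'user.max_user_namespaces=0:  %s\n' "$(exposure "$cfg" 0 1)"
    printf 'unprivileged_userns_clone=0: %s\n' "$(exposure "$cfg" 28633 0)"
    printf 'CONFIG_NF_TABLES unset:      %s\n' "$(exposure '# CONFIG_NF_TABLES is not set' 28633 1)"
}

demo
live_report
```

Run it as any user; 'any-local-user' on an unpatched host means the CAP_NET_ADMIN wording in the advisory gives you no protection and the sysctl workaround (or the patch) is needed now. The CONFIG_NF_TABLES_INET line in the demo is there to show that the match is anchored to the exact option.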

📡 Detection & Monitoring

Log Indicators:

  • Kernel log: KASAN reports (only on KASAN-enabled kernels), or Oops / general protection fault traces whose call trace or RIP line names nf_tables or nft_* symbols. Silent corruption on a production kernel leaves nothing here, so absence is not evidence.
  • Audit log: unshare(2) or clone(2) with CLONE_NEWUSER by non-root processes, and non-root processes opening AF_NETLINK sockets with protocol NETLINK_NETFILTER (12). Both are rare outside container runtimes and browser sandboxes, so baseline before alerting.
  • Process telemetry: a root shell or root-owned child spawned from an unprivileged interactive session or service.

Network Indicators:

  • Not applicable; local exploit only.

SIEM Query:

Examples: 'journalctl -k | grep -E "KASAN|Oops|general protection fault" | grep -E "nf_tables|nft_"' for crash evidence; with an auditd rule such as '-a always,exit -F arch=b64 -S unshare -F uid!=0 -k userns' in place, 'ausearch -k userns' for namespace creation by non-root users.
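The two log indicators above, turned into detection logic and run over constructed sample records, as an added example that is not from the advisory: the first filter keeps kernel messages that are both a crash indicator and name a netfilter symbol, the second keeps audit SYSCALL records in which a non-root process created a user namespace. The sample log lines are constructed for the demo (the function names in them exist in nf_tables but the crash they show is not a real one); the syscall numbers are the x86_64 ones; the function names nft_crash_lines, nft_crash_count and userns_events are my own.

```shell
#!/bin/sh
# Added example; not from the advisory. Two detections run over constructed
# sample records: (1) kernel messages showing memory corruption inside
# nf_tables, (2) audit SYSCALL records of a non-root process creating a user
# namespace, the usual first step towards nf_tables for a user without root.
# Both filters read records on stdin.

# nft_crash_lines: kernel log lines that are both a crash indicator and name a
# netfilter symbol. KASAN lines only appear on KASAN-enabled kernels; a
# production kernel shows at most an Oops/GPF whose RIP: line carries the
# symbol, or nothing at all.
nft_crash_lines() {
    awk '/BUG: KASAN|general protection fault|Oops:|RIP: / && /nf_tables|nft_|nfnetlink/'
}

nft_crash_count() {
    nft_crash_lines | awk 'END { print NR }'
}

# userns_events: SYSCALL records where uid != 0 called unshare(2) or clone(2)
# with CLONE_NEWUSER (0x10000000) set in the flags argument a0. Syscall numbers
# are x86_64 (arch=c000003e): unshare=272, clone=56; clone3 passes its flags
# in a struct and is not covered here. auditd logs a0 as bare hex.
userns_events() {
    while IFS= read -r rec; do
        case "$rec" in *type=SYSCALL*) ;; *) continue ;; esac
        nr=$(printf '%s\n' "$rec" | sed -n 's/.* syscall=\([0-9]*\).*/\1/p')
        a0=$(printf '%s\n' "$rec" | sed -n 's/.* a0=\([0-9a-fA-F]*\).*/\1/p')
        # " uid=" with a leading space skips auid=, euid=, suid= and fsuid=
        uid=$(printf '%s\n' "$rec" | sed -n 's/.* uid=\([0-9]*\).*/\1/p')
        [ -n "$nr" ] && [ -n "$a0" ] && [ -n "$uid" ] || continue
        [ "$nr" -eq 272 ] || [ "$nr" -eq 56 ] || continue
        [ "$uid" -ne 0 ] || continue
        [ $(( 0x$a0 & 0x10000000 )) -ne 0 ] || continue
        printf '%s\n' "$rec"
    done
}

# Constructed sample kernel log: two real hits (a KASAN report and a GPF whose
# RIP names an nf_tables symbol), a KASAN report elsewhere, a GPF header line
# without a symbol, and a benign netfilter config record.
SAMPLE_KMSG=$(cat <<'EOF'
[  101.212] BUG: KASAN: slab-use-after-free in nft_set_elem_destroy+0x1a0/0x3c0 [nf_tables]
[  101.213] Read of size 8 at addr ffff888012345678 by task nft/1234
[  240.006] BUG: KASAN: slab-out-of-bounds in ext4_readdir+0x210/0x8a0
[  311.509] general protection fault, probably for non-canonical address 0xdead000000000122: 0000 [#1] PREEMPT SMP
[  311.510] RIP: 0010:nf_tables_commit+0x4d2/0x1b00 [nf_tables]
[  312.000] audit: type=1325 audit(1704067200.300:77): table=filter family=2 entries=0 op=nft_register_table pid=980 comm="firewalld"
EOF
)

# Constructed sample audit log: uid 1000 unshare(CLONE_NEWUSER|CLONE_NEWNET)
# (hit), root doing the same (ignored), uid 1000 asking for CLONE_NEWNET only
# (ignored), uid 1000 clone(CLONE_NEWUSER|SIGCHLD) (hit), plus a PROCTITLE record.
SAMPLE_AUDIT=$(cat <<'EOF'
type=SYSCALL msg=audit(1704067200.101:301): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="unshare" exe="/usr/bin/unshare" key="userns"
type=PROCTITLE msg=audit(1704067200.101:301): proctitle=756E7368617265002D55726E
type=SYSCALL msg=audit(1704067200.150:305): arch=c000003e syscall=272 success=yes exit=0 a0=50000000 a1=0 a2=0 a3=0 items=0 ppid=1 pid=2003 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="podman" exe="/usr/bin/podman" key="userns"
type=SYSCALL msg=audit(1704067200.202:310): arch=c000003e syscall=272 success=no exit=-1 a0=40000000 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2004 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="unshare" exe="/usr/bin/unshare" key="userns"
type=SYSCALL msg=audit(1704067200.377:318): arch=c000003e syscall=56 success=yes exit=2006 a0=10000011 a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2005 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="sandbox" exe="/home/alice/sandbox" key="userns"
EOF
)

demo() {
    printf 'netfilter crash indicators: %s\n' "$(printf '%s\n' "$SAMPLE_KMSG" | nft_crash_count)"
    printf '%s\n' "$SAMPLE_AUDIT" | userns_events | sed 's/^/userns by non-root: /'
}

demo
```

On a real host feed 'journalctl -k --no-pager' into nft_crash_lines and '/var/log/audit/audit.log' into userns_events; the root podman record and the CLONE_NEWNET-only attempt in the sample show why the filter keys on both the uid and the CLONE_NEWUSER bit rather than on the syscall alone.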

🔗 References

  • Red Hat advisory RHSA-2024:1018: https://access.redhat.com/errata/RHSA-2024:1018
  • Red Hat CVE page: https://access.redhat.com/security/cve/CVE-2024-0193
  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2024-0193