당사는 당사 웹페이지를 개선하기 위해 쿠키를 사용합니다. 당사의 쿠키 정책 을 읽으십시오.

AS-2024-003: Linux Kernel

2024-07-17

Severity

Important

Status

Resolved


Statement

CVE-2024-1086 will affect the ASUSTOR's products, this vulnerability affects Linux Kernel versions from including 3.15 and before 6.1.76. Updates with specific kernel patches will be released as soon as possible.

  • ADM 4.1 and 4.2 use Linux Kernel 5.13.
  • ADM 4.0 uses Linux Kernel 5.4.

Affected Products

Product Severity Fixed Release Availability
ADM 4.2 and 4.1 Important Upgrade to ADM 4.3.0.RSB1 or above.
ADM 4.0 Important Upgrade to ADM 4.0.7.RVG1 or above.

Detail

  • CVE-2024-1086
    • Severity: High
    • A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Reference


Revision

Revision Date Description
1 2024-04-10 Initial public release.
2 2024-04-17 Release ADM 4.3.0.RSB1 to fix the issue.
3 2024-07-17 Release ADM 4.0.7.RVG1 to fix the issue.