Asustor Security Advisory AS-2024-003: Linux Kernel
Affects kernel versions from 3.15 (inclusive) up to, but not including, 6.1.76; updates with specific kernel patches to be released ASAP
This is a Press Release edited by StorageNewsletter.com on April 30, 2024 at 2:01 pm
Asustor, Inc. has published a security advisory concerning its ADM NAS OS.
Severity: Important
Status: Ongoing
Statement
CVE-2024-1086 affects Asustor's products. This vulnerability affects Linux Kernel versions from 3.15 (inclusive) up to, but not including, 6.1.76. Updates with specific kernel patches will be released as soon as possible.
- ADM 4.1 and 4.2 use Linux Kernel 5.13.
- ADM 4.0 uses Linux Kernel 5.4.
Affected products
Product | Severity | Fixed release availability |
---|---|---|
ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.3.0.RSB1 or above |
ADM 4.0 | Important | Ongoing |
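A quick way to test a kernel release string against the range stated above, as an added example that is not part of Asustor's advisory or the original release. The function names are illustrative; the bounds 3.15 and 6.1.76 are the ones this advisory gives.

```shell
#!/bin/sh
# Added example, not Asustor's code. Range taken from the advisory text:
# affected if 3.15 <= kernel version < 6.1.76.

# Print a sortable integer for the leading "X.Y.Z" of a release string.
ver_to_int() {
    v=${1%%[!0-9.]*}            # drop suffixes such as "-rc1" or "-generic"
    old_ifs=$IFS; IFS=.
    set -- $v                   # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ -n "$1" ] || return 1     # nothing numeric to parse
    echo $(( $1 * 100000000 + ${2:-0} * 10000 + ${3:-0} ))
}

# Exit status: 0 = inside the advisory's range, 1 = outside, 2 = unparsable.
in_advisory_range() {
    n=$(ver_to_int "$1") || return 2
    lo=$(ver_to_int 3.15)
    hi=$(ver_to_int 6.1.76)
    [ "$n" -ge "$lo" ] && [ "$n" -lt "$hi" ]
}

# Human-readable verdict; always returns 0 so it is safe in scripts.
report() {
    rc=0
    in_advisory_range "$1" || rc=$?
    case $rc in
        0) echo "$1: inside the advisory's range; apply the vendor's fixed release" ;;
        1) echo "$1: outside the advisory's range" ;;
        *) echo "$1: could not parse kernel release" ;;
    esac
    return 0
}

# The version number alone cannot show whether a vendor backported the fix,
# so treat "inside the range" as a prompt to check the fixed-release table.
report "$(uname -r)"
```

Both kernel lines named in the statement, 5.13 and 5.4, fall inside the range; 6.1.76 itself does not.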
Detail
- CVE-2024-1086
- Severity: High
- A use-after-free vulnerability in the Linux kernel’s netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.
Revision
Revision | Date | Description |
---|---|---|
1 | 2024-04-10 | Initial public release. |
2 | 2024-04-17 | Release ADM 4.3.0.RSB1 to fix the issue |