Seven-Year-Old Linux Kernel Bug Opens Door to Remote Code Execution

Researchers have uncovered a critical vulnerability in the Linux kernel, dating back seven years, that could allow attackers to execute remote code.

The flaw, identified in the core TCP subsystem, was introduced through a race condition in the inet_twsk_hashdance function.

This issue, now tracked as CVE-2024-36904, was patched last year after being reported by security researchers.

Technical Breakdown of the Vulnerability

The vulnerability stems from a race condition between the tcp_twsk_unique() and inet_twsk_hashdance() functions.

Specifically, the issue arises because a time-wait TCP socket’s reference counter is initialized after being inserted into a hash table and releasing a lock.

If a lookup occurs before this initialization, the object is found with a zeroed reference counter, triggering warnings and potentially leading to use-after-free scenarios.

The flaw was first noticed during routine audits of the Linux kernel source code and fuzzing tests using tools like Syzkaller.

The researchers initially aimed to reproduce another known bug but inadvertently discovered this deeper issue.

They confirmed its presence in several Linux distributions, including Red Hat Enterprise Linux derivatives and Fedora.

Exploitation Potential

While Linux kernels include protections against reference counter issues, this vulnerability bypasses those safeguards under specific conditions.

If operations on the socket follow an exact sequence, the reference counter can become unbalanced, leading to premature object release and genuine use-after-free exploitation.

This could allow attackers to execute arbitrary code within the kernel context.

Proof-of-concept exploits demonstrated that this vulnerability could be triggered under controlled conditions.

However, real-world exploitation would require precise timing and understanding of kernel internals.

The vulnerability was patched upstream in May 2024. Administrators are urged to update their systems to kernel versions containing the fix.

For Red Hat Enterprise Linux derivatives and other affected distributions, applying vendor-provided patches is critical.

Allele Security discovery underscores the importance of proactive kernel auditing and patching practices.

As vulnerabilities can persist unnoticed for years, organizations should prioritize timely updates to mitigate risks associated with legacy flaws.

The CVE-2024-36904 case highlights how even long-standing vulnerabilities can pose significant security threats if left unaddressed.

Are you from SOC/DFIR Team? - Join 500,000+ Researchers to Analyze Cyber Threats with ANY.RUN Sandbox - Try for Free