AS-2024-003: Linux Kernel

2024-04-17

Severity

Important

Status

Ongoing


Statement

CVE-2024-1086 affects ASUSTOR products. The vulnerability affects Linux kernel versions from 3.15 (inclusive) up to, but not including, 6.1.76. Updates with specific kernel patches will be released as soon as possible.

  • ADM 4.1 and 4.2 use Linux Kernel 5.13.
  • ADM 4.0 uses Linux Kernel 5.4.
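
A check of a kernel release string against the range stated above, as an added example (not ASUSTOR's code; the function names are hypothetical). It encodes only this advisory's range, so a match means the installed ADM release should be confirmed, since a vendor fix may not change the kernel version number.

```sh
#!/bin/sh
# Added example: is a kernel release inside the range this advisory states
# for CVE-2024-1086 (3.15 <= version < 6.1.76)? Function names are hypothetical.

# Split a release such as "6.1.75-1-amd64" into KMAJ/KMIN/KPAT (missing parts = 0).
parse_release() {
    v=${1%%[!0-9.]*}                 # drop suffixes like "-generic" or "+"
    case $v in [0-9]*) ;; *) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $v
    IFS=$old_ifs
    KMAJ=${1:-0}; KMIN=${2:-0}; KPAT=${3:-0}
}

# ver_lt A B C X Y Z: succeeds when A.B.C is lower than X.Y.Z.
ver_lt() {
    [ "$1" -ne "$4" ] && { [ "$1" -lt "$4" ]; return; }
    [ "$2" -ne "$5" ] && { [ "$2" -lt "$5" ]; return; }
    [ "$3" -lt "$6" ]
}

# Returns 0 = inside the stated range, 1 = outside, 2 = unparsable input.
in_affected_range() {
    parse_release "$1" || return 2
    ! ver_lt "$KMAJ" "$KMIN" "$KPAT" 3 15 0 &&
        ver_lt "$KMAJ" "$KMIN" "$KPAT" 6 1 76
}

report() {
    if in_affected_range "$1"; then
        echo "$1: inside the advisory's range (3.15 <= v < 6.1.76); confirm the fixed release is installed"
    elif [ $? -eq 2 ]; then
        echo "$1: could not parse kernel release"
    else
        echo "$1: outside the range stated in the advisory"
    fi
}

# Check the running kernel unless a release string is passed as the first argument.
report "${1:-$(uname -r)}"
```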

Affected Products

Product | Severity | Fixed Release Availability
ADM 4.2 and 4.1 | Important | Upgrade to ADM 4.3.0.RSB1 or above.
ADM 4.0 | Important | Ongoing

Detail

  • CVE-2024-1086
    • Severity: High
    • A use-after-free vulnerability in the Linux kernel's netfilter: nf_tables component can be exploited to achieve local privilege escalation. The nft_verdict_init() function allows positive values as drop error within the hook verdict, and hence the nf_hook_slow() function can cause a double free vulnerability when NF_DROP is issued with a drop error which resembles NF_ACCEPT. We recommend upgrading past commit f342de4e2f33e0e39165d8639387aa6c19dff660.

Revision

Revision | Date | Description
1 | 2024-04-10 | Initial public release.
2 | 2024-04-17 | Release ADM 4.3.0.RSB1 to fix the issue.