CISA Adds Critical Linux Kernel Flaws to Known Exploited Vulnerabilities Catalog: What You Need to Know

Listen to this Post

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recently updated its Known Exploited Vulnerabilities (KEV) catalog, now including two critical flaws affecting the Linux kernel. These vulnerabilities, identified as CVE-2024-53197 and CVE-2024-53150, are tied to issues within the Linux kernel’s ALSA USB-audio driver, which could lead to severe security risks if exploited. Here’s a deep dive into what these vulnerabilities mean, their impact, and what actions need to be taken to mitigate potential risks.

A Closer Look at the Flaws: CVE-2024-53197 and CVE-2024-53150

The first vulnerability, CVE-2024-53197, has a CVSS score of 7.8 and affects the ALSA USB-audio driver in Linux systems. The flaw arises when the driver mishandles USB configuration data, specifically the bNumConfigurations field provided by connected USB devices. If this field exceeds the allocated memory space, it opens the door for out-of-bounds memory access. The result is memory corruption or system instability, which could be exploited by attackers for arbitrary code execution.

To fix this issue, the Linux kernel now includes a safeguard that validates the configuration count before use, preventing access to memory beyond the allocated space. This step ensures better security by addressing the potential for dangerous system behavior that could be triggered by this flaw.

The second vulnerability, CVE-2024-53150, also carries a CVSS score of 7.8 and resides in the same ALSA USB-audio driver. This flaw involves the failure of the driver to properly validate the bLength field in USB audio clock descriptors. If a USB device supplies a descriptor with a shorter-than-expected bLength, this could lead to out-of-bounds reads, enabling malicious actors to access unauthorized data.

In both cases, these vulnerabilities pose a significant risk to users and organizations running vulnerable Linux systems. Experts recommend swift action to mitigate the impact, as attackers could exploit these flaws to compromise systems or conduct further attacks.

What Undercode Says:

The inclusion of these flaws in the KEV catalog by CISA underscores their seriousness. With CVE-2024-53197 and CVE-2024-53150 now added to the list of known exploited vulnerabilities, organizations must prioritize patching these weaknesses in their systems. CISA’s directive to federal agencies to address these vulnerabilities by April 30, 2025, sends a clear message about the urgency of the situation.

Both of these vulnerabilities are tied to the ALSA USB-audio driver, which is a critical component of the Linux kernel responsible for handling USB audio devices. The fact that two separate vulnerabilities have been identified within this subsystem highlights a broader issue with the driver’s handling of USB configuration data. Given the nature of these vulnerabilities—out-of-bounds memory access and invalid data validation—an attacker who successfully exploits them could cause significant damage. Whether it’s crashing a system, corrupting memory, or executing arbitrary code, the potential impact is serious.

For private organizations, these vulnerabilities pose an immediate threat, especially if they’re running Linux-based systems with audio devices connected via USB. The requirement for federal agencies to patch these vulnerabilities by a specific date, as outlined in Binding Operational Directive (BOD) 22-01, also emphasizes the critical nature of these flaws. The government’s emphasis on addressing these vulnerabilities to safeguard national security infrastructure serves as a reminder that cyber threats remain an ever-present concern.

Organizations must be vigilant and proactive in reviewing their systems for these flaws. As CISA continues to monitor and update its catalog of known vulnerabilities, it’s clear that there’s a growing emphasis on addressing flaws that could lead to significant breaches or system instability.

Fact Checker Results

  1. Vulnerability Severity: Both CVE-2024-53197 and CVE-2024-53150 carry a CVSS score of 7.8, classifying them as high-severity vulnerabilities.

  2. Action Required: CISA mandates that federal agencies address these vulnerabilities by April 30, 2025, with experts urging private organizations to follow suit.

  3. Fixes Implemented: Patches have been issued for these vulnerabilities, which include validating configuration data before use and improving descriptor validation to prevent memory access issues.

References:

Reported By: securityaffairs.com
Extra Source Hub:
https://www.medium.com
Wikipedia
Undercode AI

Image Source:

Pexels
Undercode AI DI v2

Join Our Cyber World:

💬 Whatsapp | 💬 TelegramFeatured Image