CISA warns of actively exploited Linux privilege elevation flaw


May 31, 2024 at 03:35PM

CISA added two vulnerabilities to its KEV catalog, including a Linux kernel privilege escalation flaw (CVE-2024-1086) and an info disclosure flaw on VPN devices (CVE-2024-24919). The former allows local attackers to gain root-level access, with a public exploit available. CISA has set a patching deadline for federal agencies and suggested mitigations if immediate updates are not possible.

Key takeaways from the article:

1. CISA has added two vulnerabilities to its KEV catalog:
   a. CVE-2024-1086: A high-severity Linux kernel privilege elevation flaw
   b. CVE-2024-24919: An information disclosure vulnerability impacting VPN devices from Check Point

2. For CVE-2024-1086:
   – It was first disclosed on January 31, 2024, and was fixed via a commit in January 2024.
   – Exploitation allows an attacker with local access to achieve privilege escalation on the target system.
   – The fix has been backported to multiple stable kernel versions.
   – A detailed write-up and proof-of-concept exploit were published in late March 2024, showing how to achieve local privilege escalation.
   – Admins are advised to apply mitigations if updating is not possible.
   – Federal agencies have until June 20, 2024, to apply available patches.

3. For CVE-2024-24919:
   – It impacts VPN devices from Check Point.
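The CVE-2024-1086 item above says to patch, and to apply mitigations where patching is not immediately possible, but does not say how an admin would tell which situation a given host is in. The script below is an added example (not from the article, CISA or the Linux kernel project) of a read-only posture check for that decision. It compares the running kernel against a fix version the operator supplies from their distribution's advisory (FIXED_VERSION is a placeholder here; the page quotes no fix version), reports whether the nf_tables module, where the flawed code lives, is loaded, and reports whether unprivileged user namespaces, which give an unprivileged user a path to nf_tables, are still enabled. The function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the article or from CISA: read-only posture check
# for CVE-2024-1086 on a Linux host. It makes no changes to the system.
# FIXED_VERSION is a PLACEHOLDER: take the real value from your distribution's
# advisory (the page does not quote one). Function names are this example's own.

FIXED_VERSION="${FIXED_VERSION:-0.0.0-REPLACE-ME}"

# version_ge A B: succeed (exit 0) if dotted version A >= B.
# Only the leading numeric part is compared, so "5.15.0-105-generic" is
# treated as "5.15.0"; missing trailing components count as 0.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/[^0-9.].*//')
    b=$(printf '%s' "$2" | sed 's/[^0-9.].*//')
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# kernel_needs_patch RUNNING FIXED: succeed if RUNNING is older than FIXED.
kernel_needs_patch() {
    ! version_ge "$1" "$2"
}

# nf_tables_loaded: succeed if nf_tables is loaded as a module. A kernel with
# nf_tables compiled in (CONFIG_NF_TABLES=y) does not appear in /proc/modules;
# check the kernel config in that case.
nf_tables_loaded() {
    [ -r /proc/modules ] && grep -q '^nf_tables ' /proc/modules
}

# userns_unprivileged_enabled: succeed if unprivileged user namespaces look
# enabled. Checks the generic user.max_user_namespaces limit and, on kernels
# that carry it (Debian/Ubuntu), kernel.unprivileged_userns_clone. A missing
# file is treated as "restricted".
userns_unprivileged_enabled() {
    maxns=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || echo 0)
    [ "$maxns" -gt 0 ] || return 1
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "1" ] || return 1
    fi
    return 0
}

# check_host: print a short report; exit 1 if the kernel still needs the patch.
check_host() {
    running=$(uname -r)
    status=0
    case "$FIXED_VERSION" in
        *REPLACE-ME*)
            echo "NOTE      set FIXED_VERSION from your vendor advisory to compare kernel $running" ;;
        *)
            if kernel_needs_patch "$running" "$FIXED_VERSION"; then
                echo "ATTENTION kernel $running is older than fixed version $FIXED_VERSION"
                status=1
            else
                echo "OK        kernel $running is at or above $FIXED_VERSION"
            fi ;;
    esac
    if nf_tables_loaded; then
        echo "INFO      nf_tables module is loaded"
    else
        echo "INFO      nf_tables module is not loaded (or is built in)"
    fi
    if userns_unprivileged_enabled; then
        echo "INFO      unprivileged user namespaces appear enabled"
    else
        echo "INFO      unprivileged user namespaces appear restricted"
    fi
    return $status
}

# Print the report; a non-zero status means the host still needs the patch.
check_host || echo "RESULT    host needs attention (exit status $?)"
```

Run it as `FIXED_VERSION=<version from your advisory> sh check.sh` on each host; a non-zero exit means the kernel predates the fix and the host belongs on the patch list, and the two INFO lines tell you whether the interim mitigations the article alludes to (keeping nf_tables unloaded, restricting unprivileged user namespaces) are already in effect there. The version comparison deliberately ignores the distribution suffix after the numeric part, so compare against the numeric fix version your vendor publishes rather than a full package string.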

