{
  "threat_severity" : "Important",
  "public_date" : "2020-09-03T00:00:00Z",
  "bugzilla" : {
    "description" : "kernel: memory corruption in net/packet/af_packet.c leads to elevation of privilege",
    "id" : "1875699",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1875699"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.8",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-786",
  "details" : [ "A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.", "A flaw was found in the Linux kernel. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability." ],
  "statement" : "Only local users with CAP_NET_RAW capability enabled can trigger this issue.\nFor OpenShift Container Platform 4, pods in the default restricted SCC are granted CAP_NET_RAW by default. An attacker can exploit this if they can run arbitrary container images on the target cluster.",
  "acknowledgement" : "Red Hat would like to thank Or Cohen (paloaltonetworks.com) for reporting this issue.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-10-20T00:00:00Z",
    "advisory" : "RHSA-2020:4289",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::nfv",
    "package" : "kernel-rt-0:4.18.0-193.28.1.rt13.77.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-10-20T00:00:00Z",
    "advisory" : "RHSA-2020:4286",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kernel-0:4.18.0-193.28.1.el8_2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2020-10-26T00:00:00Z",
    "advisory" : "RHSA-2020:4331",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8",
    "package" : "kpatch-patch"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions",
    "release_date" : "2020-11-24T00:00:00Z",
    "advisory" : "RHSA-2020:5199",
    "cpe" : "cpe:/o:redhat:rhel_e4s:8.0",
    "package" : "kernel-0:4.18.0-80.31.1.el8_0"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-10-20T00:00:00Z",
    "advisory" : "RHSA-2020:4287",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.1",
    "package" : "kernel-0:4.18.0-147.32.1.el8_1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.1 Extended Update Support",
    "release_date" : "2020-10-26T00:00:00Z",
    "advisory" : "RHSA-2020:4332",
    "cpe" : "cpe:/o:redhat:rhel_eus:8.1",
    "package" : "kpatch-patch"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-alt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "kernel-rt",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise MRG 2",
    "fix_state" : "Not affected",
    "package_name" : "kernel",
    "cpe" : "cpe:/a:redhat:enterprise_mrg:2"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2020-14386\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-14386\nhttps://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=acf69c946233259ab4d64f8869d4037a198c7f06\nhttps://seclists.org/oss-sec/2020/q3/146" ],
  "name" : "CVE-2020-14386",
  "mitigation" : {
    "value" : "If the CAP_NET_RAW capability is disabled by default (which is true for Red Hat Enterprise Linux), then only a privileged user can trigger this bug. The mitigation is to disable the CAP_NET_RAW capability for regular users and for executables.\nOn Red Hat Enterprise Linux 8 the CAP_NET_RAW capability can also be gained by exploiting unprivileged user namespaces. The mitigation is to disable unprivileged user namespaces by setting user.max_user_namespaces to 0:\n# echo \"user.max_user_namespaces=0\" > /etc/sysctl.d/userns.conf\n# sysctl -p /etc/sysctl.d/userns.conf\nOn OpenShift Container Platform 4.5 and 4.4 this can be mitigated by removing `CAP_NET_RAW` from the default cri-o capabilities provided to pods (NOTE: This may prevent `ping` from working in unprivileged pods. This fix has not been validated for OpenShift 4.3 or below):\n```\napiVersion: machineconfiguration.openshift.io/v1\nkind: MachineConfig\nmetadata:\n  labels:\n    machineconfiguration.openshift.io/role: worker\n  name: 50-reset-crio-capabilities\nspec:\n  config:\n    ignition:\n      version: 2.2.0\n    storage:\n      files:\n      - contents:\n          source: data:text/plain;charset=utf-8;base64,W2NyaW8ucnVudGltZV0KZGVmYXVsdF9jYXBhYmlsaXRpZXMgPSBbCiAgICAiQ0hPV04iLAogICAgIkRBQ19PVkVSUklERSIsCiAgICAiRlNFVElEIiwKICAgICJGT1dORVIiLAogICAgIlNFVEdJRCIsCiAgICAiU0VUVUlEIiwKICAgICJTRVRQQ0FQIiwKICAgICJORVRfQklORF9TRVJWSUNFIiwKICAgICJTWVNfQ0hST09UIiwKICAgICJLSUxMIiwKXQo=\n        filesystem: root\n        mode: 0644\n        path: /etc/crio/crio.conf.d/reset-crio-capabilities.conf\n```\nCreate this MachineConfig object via e.g. `oc apply`. More information about MachineConfig can be found here:\nhttps://github.com/openshift/machine-config-operator\nhttps://docs.openshift.com/container-platform/4.5/architecture/architecture-rhcos.html\nTo monitor the rollout of this change, use `oc describe machineconfigpool/worker`.\nCheck for any pods which start to crash after this is applied; they may need to be adjusted to request `CAP_NET_RAW` explicitly.\nMore information:\nhttps://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container\nhttps://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html",
    "lang" : "en:us"
  },
  "csaw" : false
}