OSG-SEC-2020-09-22 CVE-2020-14386 Memory corruption in kernel on EL8 UPDATE

Dear OSG Security Contacts,

A memory corruption vulnerability described in CVE-2020-14386 [1] has been found in some versions of the Linux kernel that can result in privilege escalation. Specifically, this affects EL8 systems; RHEL 7 and CentOS 7 are not affected.

The OSG Security team considers this vulnerability to be HIGH severity.

IMPACTED VERSIONS:

Red Hat Enterprise Linux 8, CentOS 8

WHAT ARE THE VULNERABILITIES:

A memory corruption vulnerability [2] exists in code related to handling AF_PACKET sockets. An unprivileged user on systems where unprivileged user namespaces are enabled, such as EL8 systems, can acquire the CAP_NET_RAW capability to create AF_PACKET sockets and trigger this memory corruption, potentially leading to privilege escalation.

WHAT YOU SHOULD DO: UPDATE 10/26/20

Red Hat has fixed this issue; see [4]. Fixes are now available for Red Hat Enterprise Linux and its derivatives.

Sites should update the relevant components. This is urgent on affected hosts where the mitigation described in this advisory has not already been applied, especially hosts providing shell or container access to unprivileged users.

Additionally, the OSG Security team recommends disabling network namespaces when unprivileged user namespaces are enabled [5]:

echo "user.max_net_namespaces = 0" \
    > /etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

Note that Docker uses network namespaces unless it is invoked with --net=host. Disabling network namespaces also blocks the systemd PrivateNetwork feature, which is used by some EL 8 services. It is also configured for some EL 7 services, but they are all disabled by default. More details on this issue and potential workarounds are available in the OSG Singularity documentation [5].

Unprivileged user namespaces are enabled by default on EL8. If you are not using unprivileged user namespaces (for example, for Singularity), you can also mitigate this issue by disabling them:

echo "user.max_user_namespaces = 0" \
    > /etc/sysctl.d/90-max_user_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_user_namespaces.conf
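
To confirm which of the two sysctl mitigations above is in effect on a host, the following check can be used. It is an added example, not part of the original advisory; the function names and status strings are hypothetical, and it does not tell you whether the fixed kernel from [4] is installed.

```shell
#!/bin/sh
# Added example: report which sysctl mitigation from this advisory is active.
# The optional argument is the sysctl root (default /proc/sys); it exists only
# so the check can be exercised against a constructed directory tree.

# True if $1 is a non-empty string of decimal digits.
is_uint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Prints one of:
#   userns-disabled  user.max_user_namespaces is 0
#   netns-disabled   user.max_net_namespaces is 0
#   not-mitigated    both limits are non-zero
#   unknown          a limit could not be read (kernel does not expose it)
ns_mitigation_status() {
    _root="${1:-/proc/sys}"
    _userns=$(cat "$_root/user/max_user_namespaces" 2>/dev/null) || _userns=""
    _netns=$(cat "$_root/user/max_net_namespaces" 2>/dev/null) || _netns=""

    if is_uint "$_userns" && [ "$_userns" -eq 0 ]; then
        echo "userns-disabled"
    elif is_uint "$_netns" && [ "$_netns" -eq 0 ]; then
        echo "netns-disabled"
    elif is_uint "$_userns" && is_uint "$_netns"; then
        echo "not-mitigated"
    else
        echo "unknown"
    fi
}

# Check the running kernel.
echo "namespace mitigation status: $(ns_mitigation_status /proc/sys)"
```

A result of not-mitigated on an EL8 host means the host relies entirely on the kernel update.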

REFERENCES

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386

[2] https://seclists.org/oss-sec/2020/q3/146

[3] https://access.redhat.com/security/cve/CVE-2020-14386

[4] https://access.redhat.com/errata/RHSA-2020:4286

[5] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team