
OSG-SEC-2020-09-22 CVE-2020-14386 Memory corruption in kernel on EL8

Dear OSG Security Contacts,

A memory corruption vulnerability, CVE-2020-14386 [1], has been found in some versions of the Linux kernel and can be used for local privilege escalation. Within OSG this affects EL8 systems; RHEL 7 and CentOS 7 ship an older kernel branch and are not affected.

The OSG Security team considers this vulnerability to be HIGH severity.

IMPACTED VERSIONS:

Red Hat Enterprise Linux 8, CentOS 8

WHAT ARE THE VULNERABILITIES:

A memory corruption vulnerability [2] exists in the kernel code that handles AF_PACKET sockets. Creating an AF_PACKET socket normally requires the CAP_NET_RAW capability, which unprivileged users do not have. On systems where unprivileged user namespaces are enabled, such as EL8 systems, an unprivileged user can create a new user namespace together with a new network namespace and thereby hold CAP_NET_RAW inside that namespace. That is sufficient to create AF_PACKET sockets, trigger the memory corruption, and potentially escalate privileges on the host.

WHAT YOU SHOULD DO:

At the time of this advisory a patched kernel is not yet available. The Red Hat security announcement [3] recommends removing the CAP_NET_RAW capability from regular users and executables as a mitigation.

Additionally, on hosts where unprivileged user namespaces must remain enabled, the OSG Security team recommends disabling network namespaces [4], which removes the path by which an unprivileged user obtains CAP_NET_RAW. Writing the setting to /etc/sysctl.d makes it persist across reboots, and sysctl -p applies it immediately:

echo "user.max_net_namespaces = 0" \
    > /etc/sysctl.d/90-max_net_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf

Note that Docker creates a network namespace for every container unless it is invoked with --net=host, so with user.max_net_namespaces set to 0 such containers will fail to start.

Unprivileged user namespaces are enabled by default on EL8. If you are not using unprivileged user namespaces (for example, for unprivileged Singularity), you can instead mitigate this issue by disabling them entirely:

echo "user.max_user_namespaces = 0" \
    > /etc/sysctl.d/90-max_user_namespaces.conf
sysctl -p /etc/sysctl.d/90-max_user_namespaces.conf
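The following script is an added example, not part of this advisory or of any OSG tool. It checks which of the two sysctl mitigations above is in effect on a host and then, when run as an unprivileged user, probes the exact step the vulnerability relies on: obtaining a user namespace plus a network namespace, which is what hands out CAP_NET_RAW for AF_PACKET sockets. It assumes a Linux host with /proc/sys; the behavioural probe additionally assumes the util-linux unshare(1) binary, which EL8 ships by default. The function and message names are the example's own.

```shell
#!/bin/sh
# Added example (not part of the OSG advisory or any OSG tool): audit the
# user.max_user_namespaces / user.max_net_namespaces mitigations and probe
# whether an unprivileged user can still obtain a user+network namespace.
# Assumes Linux with /proc/sys; the probe assumes util-linux unshare(1).

# Print the current value of a sysctl key by reading /proc/sys directly,
# so this works even where sysctl(8) is not on PATH; "unknown" if absent.
read_sysctl() {
    f="/proc/sys/$(printf '%s' "$1" | tr '.' '/')"
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Classify the mitigation state from the two limits. Pure function, so it
# can be exercised with constructed values.
#   $1 = user.max_user_namespaces, $2 = user.max_net_namespaces
# Prints mitigated-userns | mitigated-netns | unknown | exposed and returns
# 0 when either limit is 0, 2 when a value is unreadable, 1 otherwise.
classify_mitigation() {
    case "$1" in 0) echo mitigated-userns; return 0 ;; esac
    case "$2" in 0) echo mitigated-netns;  return 0 ;; esac
    case "$1$2" in *unknown*) echo unknown; return 2 ;; esac
    echo exposed
    return 1
}

# Behavioural check: ask the kernel for a new user namespace and network
# namespace, exactly as an unprivileged attacker would. With either sysctl
# set to 0 the unshare fails (ENOSPC), which is the desired outcome.
# Returns 0 if refused (mitigated), 1 if it succeeded (still exposed),
# 2 if unshare(1) is unavailable.
probe_unprivileged_netns() {
    command -v unshare >/dev/null 2>&1 || return 2
    if unshare --user --net true 2>/dev/null; then
        return 1
    fi
    return 0
}

report() {
    userns=$(read_sysctl user.max_user_namespaces)
    netns=$(read_sysctl user.max_net_namespaces)
    verdict=$(classify_mitigation "$userns" "$netns") || true
    printf 'user.max_user_namespaces=%s user.max_net_namespaces=%s -> %s\n' \
        "$userns" "$netns" "$verdict"

    # The limits apply to root as well, but root needs no namespace to get
    # CAP_NET_RAW, so only an unprivileged run says anything useful.
    if [ "$(id -u)" -eq 0 ]; then
        echo "probe skipped: run this as an unprivileged user"
    elif probe_unprivileged_netns; then
        echo "probe: kernel refused unshare(CLONE_NEWUSER|CLONE_NEWNET): mitigated"
    else
        case $? in
            1) echo "probe: unprivileged user+net namespace still creatable: EXPOSED" ;;
            2) echo "probe: unshare(1) not found, skipped" ;;
        esac
    fi
}

report
```

Run it once before and once after applying either sysctl file: the first line reports the configured limits, and the probe line confirms that the kernel actually refuses the namespace creation for a regular account, independent of what the configuration files say. A host that reports "exposed" and a successful probe still needs one of the mitigations above (or the Red Hat CAP_NET_RAW mitigation) until a fixed kernel is installed.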

REFERENCES

[1] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14386

[2] https://seclists.org/oss-sec/2020/q3/146

[3] https://access.redhat.com/security/cve/CVE-2020-14386

[4] https://opensciencegrid.org/docs/worker-node/install-singularity/#enabling-unprivileged-singularity

Please contact the OSG security team at [email protected] if you have any questions or concerns.

OSG Security Team