OSG-SEC-2020-09-22 CVE-2020-14386 Memory corruption in kernel on EL8
Dear OSG Security Contacts,
A memory corruption vulnerability described in CVE-2020-14386 has been found in some versions of the Linux kernel that can result in privilege escalation. Specifically, this affects EL8 systems; RHEL 7 and CentOS 7 are not affected.
The OSG Security team considers this vulnerability to be HIGH severity.
Red Hat Enterprise Linux 8, CentOS 8
WHAT ARE THE VULNERABILITIES:
A memory corruption vulnerability exists in code related to handling AF_PACKET sockets. An unprivileged user on systems where unprivileged user namespaces are enabled, such as EL8 systems, can acquire the CAP_NET_RAW capability to create AF_PACKET sockets and trigger this memory corruption, potentially leading to privilege escalation.
WHAT YOU SHOULD DO:
A patched kernel is not yet available. The Red Hat security announcement recommends disabling the CAP_NET_RAW capability for regular users and executables as a mitigation.
Additionally, the OSG Security team recommends disabling network namespaces when unprivileged user namespaces are enabled:
    echo "user.max_net_namespaces = 0" \
        > /etc/sysctl.d/90-max_net_namespaces.conf
    sysctl -p /etc/sysctl.d/90-max_net_namespaces.conf
Note that Docker uses network namespaces unless it is invoked with --net=host.
Unprivileged user namespaces are enabled by default on EL8. If you are not using unprivileged user namespaces (for example, for Singularity), you can also mitigate this issue by disabling them:
    echo "user.max_user_namespaces = 0" \
        > /etc/sysctl.d/90-max_user_namespaces.conf
    sysctl -p /etc/sysctl.d/90-max_user_namespaces.conf
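As an added check that is not part of this advisory, the following script reports whether the two sysctl mitigations above are in effect on a host, both in the running kernel and persisted under /etc/sysctl.d (the function names and the "mitigated-net-only" label are this example's own).

```shell
#!/bin/sh
# Added example, not part of the OSG advisory: report whether the namespace
# mitigations recommended above are active and persisted on this host.

# assess_ns_mitigation <user.max_user_namespaces> <user.max_net_namespaces>
# Prints: mitigated (no unprivileged user namespaces, so CAP_NET_RAW cannot be
# gained that way), mitigated-net-only (user namespaces allowed but no network
# namespaces, so no AF_PACKET socket can be opened in one), or exposed.
assess_ns_mitigation() {
    if [ "$1" -eq 0 ]; then
        echo "mitigated"
    elif [ "$2" -eq 0 ]; then
        echo "mitigated-net-only"
    else
        echo "exposed"
    fi
}

# read_sysctl <key path under /proc/sys>: running value, or "unknown".
read_sysctl() {
    f="/proc/sys/$1"
    if [ -r "$f" ]; then cat "$f"; else echo "unknown"; fi
}

# persisted <sysctl key> [dir]: true if some *.conf in dir (default
# /etc/sysctl.d) sets the key to 0, so the setting survives a reboot.
persisted() {
    dir="${2:-/etc/sysctl.d}"
    grep -qsE "^[[:space:]]*$1[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$dir"/*.conf
}

main() {
    u=$(read_sysctl user/max_user_namespaces)
    n=$(read_sysctl user/max_net_namespaces)
    printf 'user.max_user_namespaces=%s user.max_net_namespaces=%s -> ' "$u" "$n"
    if [ "$u" = unknown ] || [ "$n" = unknown ]; then
        echo "unknown (no readable /proc/sys/user)"
        return 0
    fi
    assess_ns_mitigation "$u" "$n"
    for k in user.max_user_namespaces user.max_net_namespaces; do
        if persisted "$k"; then echo "  $k = 0 is persisted in /etc/sysctl.d"
        else echo "  $k is not set to 0 in /etc/sysctl.d"; fi
    done
}

main "$@"
```

Run it as root on each EL8 host; "exposed" means neither sysctl mitigation is applied and the CAP_NET_RAW restriction from the Red Hat announcement is the remaining control.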
Please contact the OSG security team at [email protected] if you have any questions or concerns.
OSG Security Team