Patch CVE-2020-14386 Without Reboot With KernelCare
CVE-2020-14386 is a new kernel vulnerability that can be exploited to gain root privileges from unprivileged processes. It corrupts the memory in kernels newer than 4.6 on various Linux distributions, including:
- Ubuntu Bionic (18.04) and newer
- Debian 9 and 10
- CentOS 8/RHEL 8
About Memory Corruption Vulnerabilities
Memory corruption is one of most prevalent, devastating and widely exploited vulnerabilities.
Based on the research by Chengyu Song from Georgia Tech, the root causes of this type of vulnerability are:
- Spatial errors: Missing bound check, incorrect bound check, format string, type confusion, integer overflow, etc.
- Temporal errors: Use-after-free, uninitialized data.
There are several exploit techniques exist for memory corruption vulnerabilities:
- Code injection (modification) attacks
- Control flow hijacking attacks
- Data-oriented attacks
- Information leak
- Uninitialized data use
Memory safety violations and control-flow integrity attacks have been a prominent threat to the security of enterprise infrastructures for more than two decades. These days, the need for protections against memory corruption becomes more prominent.
How It Was Identified
While auditing the 5.7 kernel sources, Or Cohen from Palo Alto Networks has discovered a moderate severity vulnerability (CVE-2020-14386) which leads to memory corruption in (net/packet/af-packet.c).
The bug occurs in tpacker_rcv function, when calculating the netoff variable (unsigned short), po->tp_reserve (unsigned int) is added to it which can overflow netoff so it gets a small value. Only a local user with CAP_NET_RAW capability enabled can trigger this vulnerability.
The bug can be exploited to gain root privileges from unprivileged processes and it corrupts the memory in kernels newer than 4.6 on various Linux distributions, including Ubuntu Bionic(18.04) and newer, Debian 9, Debian 10 & CentOS 8/RHEL 8.
How Harmful It Is
If the CAP_NET_RAW capability is disabled by default (which is the case with all RHEL products), then only a privileged user can trigger the bug. That’s why this vulnerability has a CVSS v3 Base Score of 6.7, and is rated as having a Moderate impact.
That is, it’s not easy to exploit, but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances.
How To Mitigate CVE-2020-14386
You can use one of the following methods to mitigate the CVE-2020-14386 vulnerability:
- Apply vendor’s mitigation
For example, Redhat’s mitigation is to disable CAP_NET_RAW capability for regular users and for executables, where applicable.
Canonical Ubuntu’s mitigation is to disable user_namespaces:
sudo sysctl kernel.unprivileged_userns_clone=0
No reboot required for this method.
- Update the kernel to the newest version once available.
The simplest, but certainly not the easiest way to do this, is to reboot the server and update the kernel to the newest version.
- Install security patches using live patching.
With a live patching system, such as KernelCare, the necessary fix is applied without rebooting the server. With KernelCare in particular, the KernelCare team is now creating patches that will address this vulnerability. Patches for Ubuntu 18.04 and newer are expected this week, with RHEL and Debian patches following.
KernelCare Patch Release Schedule:
- Ubuntu 18.04 and newer – Monday 14th
KernelCare Patches Released:
- Proxmox 5 & 6
- Ubuntu 16.04 (Xenial Xerus)
- Ubuntu 18.04 (Bionic Beaver)
- Ubuntu 20.04 (Focal Fossa)
Read more on how KernelCare address other critical vulnerabilities:
- Zombieload 2: KernelCare Team is on it!
- SWAPGS: KernelCare patches on the way
- SACK Panic & Slowness: KernelCare Live Patches Are Here
- RIDL – Another MDS Attack that Live Patching Would Have Saved You From
- Fallout – the MDS Side Channel Attack That Isn’t Zombieload
- QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
- CVE–2018–1000199 patches
- Intel DDIO ‘NetCat’ Vulnerability