Patch CVE-2020-14386 Without Reboot With KernelCare

Published: Sep 9, 2020 5:00:00 PM / Last update: Sep 17, 2020 / by KernelCare Team


CVE-2020-14386 is a new kernel vulnerability that can be exploited to gain root privileges from unprivileged processes. It corrupts the memory in kernels newer than 4.6 on various Linux distributions, including: 

  • Ubuntu Bionic (18.04) and newer
  • Debian 9 and 10
  • CentOS 8/RHEL 8

About Memory Corruption Vulnerabilities

Memory corruption is one of the most prevalent, devastating and widely exploited classes of vulnerability.

Based on the research by Chengyu Song from Georgia Tech, the root causes of this type of vulnerability are:

  1. Spatial errors: Missing bound check, incorrect bound check, format string, type confusion, integer overflow, etc.
  2. Temporal errors: Use-after-free, uninitialized data.

Several exploit techniques exist for memory corruption vulnerabilities:

  • Code injection (modification) attacks
  • Control flow hijacking attacks
  • Data-oriented attacks
  • Information leak
  • Uninitialized data use

Memory safety violations and control-flow integrity attacks have been a prominent threat to the security of enterprise infrastructures for more than two decades, and the need for protections against memory corruption is more pressing than ever.


How It Was Identified

While auditing the 5.7 kernel sources, Or Cohen from Palo Alto Networks discovered a moderate severity vulnerability (CVE-2020-14386) which leads to memory corruption in net/packet/af_packet.c.

The bug occurs in the tpacket_rcv function when calculating the netoff variable (an unsigned short): po->tp_reserve (an unsigned int) is added to it, which can overflow netoff so that it ends up with a small value. Only a local user with the CAP_NET_RAW capability enabled can trigger this vulnerability.
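To make the truncation concrete, here is a simplified model of the netoff calculation, added as an illustration (it is not the kernel's code): the 16-byte alignment and the constants in main() are assumed for the example, and the hardened form shows the kind of width change plus range check that turns a silent wrap into a dropped frame.

```c
#include <limits.h>
#include <stdio.h>

/* Assumed 16-byte alignment of the header area, as in the pattern described above. */
#define ALIGN16(x) (((x) + 15U) & ~15U)

/* Vulnerable form: netoff is an unsigned short, so adding the unsigned int
 * tp_reserve is silently truncated to 16 bits and can yield a small offset. */
unsigned short netoff_truncating(unsigned int tp_hdrlen, unsigned int maclen,
                                 unsigned int tp_reserve)
{
    unsigned short netoff;
    netoff = ALIGN16(tp_hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve;
    return netoff;
}

/* Hardened form: compute in unsigned int, refuse any offset that does not
 * fit the 16-bit field the ring layout expects, and avoid wrapping the
 * unsigned int itself. Returns the offset, or -1 meaning "drop the frame". */
long netoff_checked(unsigned int tp_hdrlen, unsigned int maclen,
                    unsigned int tp_reserve)
{
    unsigned int base = ALIGN16(tp_hdrlen + (maclen < 16 ? 16 : maclen));
    if (base > USHRT_MAX || tp_reserve > USHRT_MAX - base)
        return -1;                      /* would not fit: drop instead of corrupt */
    return (long)(base + tp_reserve);
}

int main(void)
{
    /* Constructed inputs: a 32-byte header, a 14-byte MAC header, and a
     * reserve just past the 16-bit range. */
    unsigned int hdrlen = 32, maclen = 14, reserve = 0x10000;
    printf("truncating netoff: %u\n", netoff_truncating(hdrlen, maclen, reserve));
    printf("checked netoff:    %ld\n", netoff_checked(hdrlen, maclen, reserve));
    return 0;
}
```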

The bug can be exploited to gain root privileges from unprivileged processes, and it corrupts memory in kernels newer than 4.6 on various Linux distributions, including Ubuntu Bionic (18.04) and newer, Debian 9, Debian 10 and CentOS 8/RHEL 8.


How Harmful It Is

If the CAP_NET_RAW capability is disabled by default (which is the case with all RHEL products), then only a privileged user can trigger the bug. That’s why this vulnerability has a CVSS v3 Base Score of 6.7, and is rated as having a Moderate impact.

That is, it’s not easy to exploit, but could still lead to some compromise of the confidentiality, integrity or availability of resources under certain circumstances.


How To Mitigate CVE-2020-14386

You can use one of the following methods to mitigate the CVE-2020-14386 vulnerability:

  • Apply vendor's mitigation

For example, Red Hat's mitigation is to disable the CAP_NET_RAW capability for regular users and for executables, where applicable.

Canonical Ubuntu's mitigation is to disable user_namespaces: 

sudo sysctl kernel.unprivileged_userns_clone=0

No reboot required for this method.

  • Update the kernel to the newest version once available.
    The simplest, but certainly not the easiest way to do this, is to reboot the server and update the kernel to the newest version.

  • Install security patches using live patching.
    With a live patching system, such as KernelCare, the necessary fix is applied without rebooting the server. With KernelCare in particular, the KernelCare team is now creating patches that will address this vulnerability. Patches for Ubuntu 18.04 and newer are expected this week, with RHEL and Debian patches following.


KernelCare Patch Release Schedule:

  • Ubuntu 18.04 and newer - Monday 14th 

KernelCare Patches Released:

  • Proxmox 5 & 6
  • Ubuntu 16.04 (Xenial Xerus)
  • Ubuntu 18.04 (Bionic Beaver)
  • Ubuntu 20.04 (Focal Fossa)

Keep an eye on this blog post and our Twitter and Facebook channels to be the first to know when the patches are added to the production feed.


Read more on how KernelCare addresses other critical vulnerabilities:

  1. Zombieload 2: KernelCare Team is on it!
  2. SWAPGS: KernelCare patches on the way
  3. SACK Panic & Slowness: KernelCare Live Patches Are Here
  4. RIDL – Another MDS Attack that Live Patching Would Have Saved You From
  5. Fallout – the MDS Side Channel Attack That Isn't Zombieload
  6. QEMU-KVM vhost/vhost_net Guest to Host Kernel Escape Vulnerability
  7. CVE–2018–1000199 patches
  8. Intel DDIO 'NetCat' Vulnerability

Topics: CVE
