A Linux kernel vulnerability, CVE-2020-14386, was recently disclosed. It results from a bug in the packet socket facility (AF_PACKET) of the Linux kernel. According to the vulnerability discoverer, attackers can exploit it to perform an out-of-bounds write of up to 10 bytes. The vulnerability may lead to unauthorized privilege escalation and container escapes, exhaust the memory of cluster nodes, and affect the applications that run on those nodes.

For more information about this vulnerability, see CVE-2020-14386.

Affected operating systems and kernel versions

The vulnerability affects multiple Linux distributions that have kernel versions later than 4.6. The affected Linux distributions include:
  • Ubuntu Bionic (18.04) and newer
  • Debian 9
  • Debian 10
  • CentOS 8/RHEL 8
The following list describes the impact of the vulnerability on an Alibaba Cloud Container Service for Kubernetes (ACK) cluster:
  • If your cluster nodes run the Alibaba Cloud Linux 2 operating system that has a kernel version of 4.19.91-19.1.al7, your cluster is affected by the vulnerability.
  • Cluster nodes that run the CentOS operating system use kernel version 3.10.0-1062, which is earlier than the affected kernel versions. Therefore, these nodes are not affected.

Impacts

CVE-2020-14386 is a memory corruption vulnerability in the af_packet kernel module. The CAP_NET_RAW capability is required to exploit the vulnerability, and non-root users in Linux do not have this capability by default. However, on a Linux OS that has a kernel version later than 4.6, a non-root user can create a user namespace in which the user holds CAP_NET_RAW. By default, Kubernetes and Docker containers also have the CAP_NET_RAW capability. Therefore, attackers may exploit CVE-2020-14386 on nodes of ACK clusters if the Linux kernel version of the nodes is later than 4.6. A successful exploit performs an out-of-bounds write of up to 10 bytes, which may lead to unauthorized privilege escalation and container escapes.

Preventative measures

  • Drop CAP_NET_RAW in the securityContext field of each container in the pod specification of the containerized application:
    spec:
      containers:
        - name: target-container
          ...
          securityContext:
            capabilities:
              drop:
                - NET_RAW
    The CAP_NET_RAW capability is required to exploit this vulnerability, and most containerized services do not need it. You can configure a pod security policy (PSP) to ensure that the CAP_NET_RAW capability is dropped for every pod. The following content is a PSP template:
    Note: You can enable the PSP feature, create a PSP, and attach the PSP to a pod in the ACK console. For more information, see Use PSPs.
    apiVersion: extensions/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: no-cap-net-raw
    spec:
      requiredDropCapabilities:
        - NET_RAW
      ...
  • Install the gatekeeper add-on and the official constraint template for your cluster on the Components page. For more information, see Introduction and https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities. Then, create the following constraint to disable the CAP_NET_RAW capability of the container:
    # Dropping CAP_NET_RAW with Gatekeeper
    # (requires the K8sPSPCapabilities template)
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPCapabilities
    metadata:
      name: no-cap-net-raw
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          # List of namespaces to enforce this constraint on
          - default
        # If running gatekeeper >= v3.1.0-beta.5,
        # you can exclude namespaces rather than including them above.
        excludedNamespaces:
          - kube-system
      parameters:
        requiredDropCapabilities:
          - "NET_RAW"
  • A bulletin about this vulnerability and an upgrade guide are released for Alibaba Cloud Linux 2. If your cluster nodes run Alibaba Cloud Linux 2, perform the following steps to upgrade the kernel version:
    1. Run the yum -y install kernel-4.19.91-21.2.al7 command to upgrade the kernel to a version in which this vulnerability is fixed. Alternatively, run the yum -y update kernel command to upgrade the kernel to the latest version.
    2. Restart the system for the upgrade to take effect. If a node has a running service that is not deployed on other nodes, drain and restart the node during off-peak hours.
    3. For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.
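Before a PSP or Gatekeeper constraint is enforced, it helps to know which running workloads still hold CAP_NET_RAW. The following Python script is an added example, not part of this bulletin or of any Alibaba Cloud tool: it reads the JSON shape produced by `kubectl get pods -A -o json` and reports every container (init containers included) that keeps the capability because it was neither dropped directly nor via ALL, or was re-added through `capabilities.add`. The embedded pod list is constructed sample data; on a real cluster, pass the saved kubectl output to `find_net_raw_containers` instead.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`
# (not real cluster output): two pods, four containers.
SAMPLE_POD_LIST = json.dumps({
    "kind": "PodList",
    "items": [
        {"metadata": {"namespace": "default", "name": "web"},
         "spec": {"containers": [
             {"name": "nginx"},                 # keeps NET_RAW (default set)
             {"name": "sidecar",                # drops it explicitly
              "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
        {"metadata": {"namespace": "batch", "name": "worker"},
         "spec": {"initContainers": [
                      {"name": "init",          # drops ALL, so NET_RAW too
                       "securityContext": {"capabilities": {"drop": ["ALL"]}}}],
                  "containers": [
             {"name": "job",                    # drops ALL but re-adds NET_RAW
              "securityContext": {"capabilities": {"drop": ["ALL"],
                                                   "add": ["NET_RAW"]}}}]}},
    ],
})

def _norm(cap):
    # Kubernetes accepts both "NET_RAW" and "CAP_NET_RAW"; compare on the short form.
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap

def container_keeps_net_raw(container):
    """True if the container still holds CAP_NET_RAW at runtime: NET_RAW is in the
    default capability set, so it stays unless dropped (directly or via ALL)
    and not re-added through capabilities.add."""
    caps = (container.get("securityContext") or {}).get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    added = {_norm(c) for c in caps.get("add") or []}
    if added & {"NET_RAW", "ALL"}:
        return True
    return not (dropped & {"NET_RAW", "ALL"})

def find_net_raw_containers(pod_list_json):
    """Return (namespace, pod, container) for every container, init containers
    included, that still has CAP_NET_RAW."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        for c in spec.get("initContainers", []) + spec.get("containers", []):
            if container_keeps_net_raw(c):
                findings.append((meta["namespace"], meta["name"], c["name"]))
    return findings
```

Containers reported by the script are the ones a `requiredDropCapabilities: [NET_RAW]` policy would reject on admission, so the list doubles as a dry run of the PSP or Gatekeeper constraint above.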