Container Service for Kubernetes:Vulnerability updates: CVE-2020-14386

Last Updated:May 18, 2023

A Linux kernel vulnerability was recently discovered. The CVE ID of the vulnerability is CVE-2020-14386. This vulnerability results from a bug in the packet socket facility (AF_PACKET) in the Linux kernel. According to the vulnerability discoverer, attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes. The vulnerability may lead to unauthorized privilege escalation and container escapes, exhaust the memory of cluster nodes, and affect the applications that run on the nodes.

For more information about this vulnerability, see CVE-2020-14386.

Affected operating systems and kernel versions

The vulnerability affects multiple Linux distributions that have kernel versions later than 4.6. The affected Linux distributions include:

  • Ubuntu Bionic (18.04) and later

  • Debian 9

  • Debian 10

  • CentOS 8 and RHEL 8

The following list describes the impact of the vulnerability on an Alibaba Cloud Container Service for Kubernetes (ACK) cluster:

  • If your cluster nodes run the Alibaba Cloud Linux 2 operating system that has a kernel version of 4.19.91-19.1.al7, your cluster is affected by the vulnerability.

  • If your cluster nodes run the CentOS operating system that has a kernel version of 3.10.0-1062, which is earlier than the affected kernel version, your cluster is not affected by the vulnerability.
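The following Python script is an added example, not part of the original page or of ACK tooling. It classifies node kernel release strings (the `uname -r` format used above, such as 4.19.91-19.1.al7) against the two facts the page gives: kernels earlier than 4.6 are not affected, and Alibaba Cloud Linux 2 is fixed from kernel 4.19.91-21.2.al7. Every other kernel at or after 4.6 is reported as "potentially affected" rather than "affected", because distributions backport fixes without changing the upstream version number. The node inventory is a constructed sample.

```python
"""Classify node kernel releases for CVE-2020-14386 (added example).

Assumptions: the only fixed version named on the page is Alibaba Cloud Linux 2
kernel 4.19.91-21.2.al7; all other kernels from 4.6 on are flagged for a
manual check of the distribution's advisory.
"""
import re

FIRST_AFFECTED = (4, 6)              # page: kernels before 4.6 are not affected
ALINUX2_FIXED = "4.19.91-21.2.al7"   # page: fixed kernel for Alibaba Cloud Linux 2


def parse_kernel(release: str):
    """Split a `uname -r` string such as '4.19.91-19.1.al7' into
    (upstream version tuple, vendor release tuple).

    Non-numeric trailing parts ('al7', 'el7.x86_64', 'generic') are ignored
    so that only the numeric components take part in the comparison."""
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-([\w.]+))?", release)
    if not m:
        raise ValueError(f"unparseable kernel release: {release!r}")
    upstream = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    vendor = tuple(int(p) for p in (m.group(4) or "").split(".") if p.isdigit())
    return upstream, vendor


def classify(release: str, distro: str = "") -> str:
    """Return a human-readable verdict for one node."""
    upstream, vendor = parse_kernel(release)
    if upstream[:2] < FIRST_AFFECTED:
        return "not affected (kernel earlier than 4.6)"
    if distro == "Alibaba Cloud Linux 2":
        # Compare (upstream, vendor) tuples so 4.19.91-19.1 sorts below 4.19.91-21.2
        if (upstream, vendor) >= parse_kernel(ALINUX2_FIXED):
            return "fixed (Alibaba Cloud Linux 2 kernel 4.19.91-21.2.al7 or later)"
        return "affected (upgrade to kernel 4.19.91-21.2.al7 or later)"
    return "potentially affected (kernel 4.6 or later; check the distribution advisory)"


# Constructed sample inventory, not taken from a real cluster.
SAMPLE_NODES = [
    ("node-a", "Alibaba Cloud Linux 2", "4.19.91-19.1.al7"),
    ("node-b", "Alibaba Cloud Linux 2", "4.19.91-21.2.al7"),
    ("node-c", "CentOS 7", "3.10.0-1062.el7.x86_64"),
    ("node-d", "Ubuntu 18.04", "4.15.0-112-generic"),
]


def audit(nodes=SAMPLE_NODES):
    """Map node name -> verdict for a list of (name, distro, kernel) tuples."""
    return {name: classify(release, distro) for name, distro, release in nodes}


if __name__ == "__main__":
    for node, verdict in audit().items():
        print(f"{node}: {verdict}")
```

In a real cluster the `(name, distro, kernel)` tuples come from `kubectl get nodes -o wide` or the node's `status.nodeInfo` fields; the verdict logic is what matters here.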

Impacts

CVE-2020-14386 is a memory corruption vulnerability in the af_packet kernel module. The CAP_NET_RAW capability is required to exploit the vulnerability. Non-root users in Linux do not have this capability by default. However, in a Linux OS that has a kernel version later than 4.6, a non-root user can create a user namespace in which the CAP_NET_RAW capability is available. By default, Kubernetes and Docker containers have the CAP_NET_RAW capability. Therefore, attackers may exploit the CVE-2020-14386 vulnerability on nodes of ACK clusters if the Linux kernel version of nodes in the cluster is later than 4.6. Attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes. This may lead to unauthorized privilege escalation and container escapes. For the release notes of Alibaba Cloud Linux 2 images, see Vulnerability announcement | Linux kernel vulnerability (CVE-2020-14386). For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.

Fixes

  • Drop CAP_NET_RAW in the securityContext field of each container in the configuration file of the containerized application. The capabilities field is container-scoped, so the securityContext must be nested under the container entry:

    spec:
      containers:
        - name: target-container
          ...
          securityContext:
            capabilities:
              drop:
                - NET_RAW

    The CAP_NET_RAW capability is required to exploit this vulnerability. The CAP_NET_RAW capability is not required by most container services. You can configure a pod security policy (PSP) to ensure that the CAP_NET_RAW capability is disabled for a pod. The following content is a PSP template:

    Note

    You can enable the PSP feature, create a PSP, and attach the PSP to a pod in the ACK console.

    apiVersion: policy/v1beta1
    kind: PodSecurityPolicy
    metadata:
      name: no-cap-net-raw
    spec:
      requiredDropCapabilities:
        - NET_RAW
      ...
  • Install the gatekeeper add-on and the official constraint template for your cluster on the Components page. For more information, see gatekeeper and https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities. Then, create the following constraint to disable the CAP_NET_RAW capability of the container:

    # Dropping CAP_NET_RAW with Gatekeeper
    # (requires the K8sPSPCapabilities template)
    apiVersion: constraints.gatekeeper.sh/v1beta1
    kind: K8sPSPCapabilities
    metadata:
      name: no-cap-net-raw
    spec:
      match:
        kinds:
          - apiGroups: [""]
            kinds: ["Pod"]
        namespaces:
          # List of namespaces to enforce this constraint on
          - default
        # If running gatekeeper >= v3.1.0-beta.5,
        # you can exclude namespaces rather than including them above.
        excludedNamespaces:
          - kube-system
      parameters:
        requiredDropCapabilities:
          - "NET_RAW"
  • A bulletin about this vulnerability and an upgrade guide are released for Alibaba Cloud Linux 2. If your cluster nodes run Alibaba Cloud Linux 2, perform the following steps to upgrade the kernel version:

    1. Run the yum -y install kernel-4.19.91-21.2.al7 command to upgrade the kernel to a version that has this vulnerability fixed. Alternatively, run the yum -y update kernel command to upgrade the kernel to the latest version.

    2. Restart the system for the upgrade to take effect. If a node has a running service that is not deployed on other nodes, drain and restart the node during off-peak hours.

    3. For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.
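As an added check for the first two fixes above (securityContext drops, PSP and Gatekeeper), and not part of the original page or of ACK's own tooling, the following Python script audits the JSON that `kubectl get pods -A -o json` returns and lists every container, including init containers, that still holds CAP_NET_RAW. It assumes the runtime's default capability set includes NET_RAW (as the page states for Kubernetes and Docker), that `add` entries are applied after `drop` entries, that a privileged container holds every capability, and that "NET_RAW" and "CAP_NET_RAW" name the same capability. The pod list is a constructed sample.

```python
"""Find containers that still hold CAP_NET_RAW in a pod list (added example)."""
import json


def _norm(cap: str) -> str:
    """Normalise 'CAP_NET_RAW' / 'net_raw' to 'NET_RAW' (assumed equivalent)."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def container_has_net_raw(container: dict) -> bool:
    """True if the container keeps NET_RAW after its securityContext is applied.

    Assumptions: NET_RAW is in the default set, drop is applied before add,
    and a privileged container holds all capabilities."""
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True
    caps = sc.get("capabilities") or {}
    drop = {_norm(c) for c in caps.get("drop") or []}
    add = {_norm(c) for c in caps.get("add") or []}
    has = True                       # default capability set includes NET_RAW
    if "ALL" in drop or "NET_RAW" in drop:
        has = False
    if "ALL" in add or "NET_RAW" in add:
        has = True                   # add wins over drop
    return has


def audit_pods(pod_list_json: str):
    """Return [(namespace, pod, container), ...] for containers keeping NET_RAW."""
    findings = []
    for pod in json.loads(pod_list_json).get("items", []):
        meta = pod.get("metadata", {})
        spec = pod.get("spec", {})
        for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
            if container_has_net_raw(c):
                findings.append((meta.get("namespace", "default"),
                                 meta.get("name"), c.get("name")))
    return findings


# Constructed sample in `kubectl get pods -A -o json` shape, not from a real cluster.
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"namespace": "default", "name": "web-default-caps"},
     "spec": {"containers": [{"name": "web", "image": "nginx"}]}},
    {"metadata": {"namespace": "default", "name": "web-dropped"},
     "spec": {"containers": [{"name": "web", "image": "nginx",
              "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
    {"metadata": {"namespace": "kube-system", "name": "drops-all"},
     "spec": {"containers": [{"name": "dns", "image": "coredns",
              "securityContext": {"capabilities": {"drop": ["ALL"],
                                                   "add": ["NET_BIND_SERVICE"]}}}]}},
    {"metadata": {"namespace": "default", "name": "privileged-agent"},
     "spec": {"containers": [{"name": "agent", "image": "agent",
              "securityContext": {"privileged": True}}]}},
    {"metadata": {"namespace": "monitoring", "name": "readds-net-raw"},
     "spec": {"initContainers": [{"name": "probe", "image": "probe",
              "securityContext": {"capabilities": {"drop": ["ALL"],
                                                   "add": ["CAP_NET_RAW"]}}}],
              "containers": [{"name": "main", "image": "app",
              "securityContext": {"capabilities": {"drop": ["NET_RAW"]}}}]}},
]})


if __name__ == "__main__":
    for ns, pod, container in audit_pods(SAMPLE_POD_LIST):
        print(f"{ns}/{pod} container {container} still holds NET_RAW")
```

Run it against a live cluster with `kubectl get pods -A -o json | python3 audit.py` after replacing the sample with `sys.stdin.read()`; an empty result confirms that the drop is effective for every running container, which a PSP or Gatekeeper constraint alone does not prove for pods admitted before the policy was created.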