Vulnerability updates: CVE-2020-14386

For more information about this vulnerability, see CVE-2020-14386.

Affected operating systems and kernel versions

Impacts

CVE-2020-14386 is a memory corruption vulnerability in the af_packet kernel module. The CAP_NET_RAW capability is required to exploit the vulnerability. Non-root users in Linux do not have this capability. However, in a Linux OS that has a kernel version later than 4.6, a non-root user can create a user namespace that has the CAP_NET_RAW capability. By default, Kubernetes and Docker containers have the CAP_NET_RAW capability. Therefore, attackers may exploit the CVE-2020-14386 vulnerability on nodes of ACK clusters if the Linux kernel version of nodes in the cluster is later than 4.6. Attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes. This may lead to unauthorized privilege escalation and container escapes. For the release notes of Alibaba Cloud Linux 2 images, see Vulnerability announcement | Linux kernel vulnerability (CVE-2020-14386). For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.

Fixes

• Disable CAP_NET_RAW in the securityContext field in the configuration file of the containerized application.

  spec:
    containers:
      -name: target-container
       ...
      securityContext:
        capabilities:
          drop:
            -NET_RAW

  The CAP_NET_RAW capability is required to exploit this vulnerability. The CAP_NET_RAW capability is not required by most container services. You can configure a pod security policy (PSP) to ensure that the CAP_NET_RAW capability is disabled for a pod. The following content is a PSP template:

  Note You can enable the PSP feature, create a PSP, and attach the PSP to a pod in the ACK console. For more information, see Use a PSP.

  apiversion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: no-cap-net-raw
  spec:
    requiredDropCapabilities:
      -NET_RAW
       ...

• Install the gatekeeper add-on and the official constraint template for your cluster on the Components page. For more information, see Introduction and https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities. Then, create the following constraint to disable the CAP_NET_RAW capability of the container:

  # Dropping CAP_NET_RAW with Gatekeeper
   # (requires the K8sPSPCapabilities template)
   apiversion: constraints.gatekeeper.sh/v1beta1
   kind:  K8sPSPCapabilities
   metadata:
     name: no-cap-net-raw
   spec:
     match:
       kinds:
         - apiGroups: [""]
         kinds: ["Pod"]
       namespaces:
         #List of namespaces to enforce this constraint on
         - default
       # If running gatekeeper >= v3.1.0-beta.5,
       # you can exclude namespaces rather than including them above.
       excludedNamespaces:
         - kube-system
     parameters:
       requiredDropCapabilities:
         - "NET_RAW"

• A bulletin about this vulnerability and an upgrade guide are released for Alibaba Cloud Linux 2. If your cluster nodes run Alibaba Cloud Linux 2, perform the following steps to upgrade the kernel version:
  1. Run the yum -y install kernel-4.19.91-21.2.al7 command to upgrade the kernel to a version that has this vulnerability fixed. Alternatively, run the yum -y update kernel command to upgrade the kernel to the latest version.
  2. Restart the system for the upgrade to take effect. If a node has a running service that is not deployed on other nodes, drain and restart the node during off-peak hours.
  3. For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.