A Linux kernel vulnerability was recently discovered. The CVE ID of the vulnerability is CVE-2020-14386. This vulnerability results from a bug in the packet socket facility in the Linux kernel. Attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes, as stated by the vulnerability discoverer. The vulnerability may lead to unauthorized privilege escalation and container escapes, exhaust the memory of cluster nodes, and affect the applications that run on the nodes.
For more information about this vulnerability, see CVE-2020-14386.
Affected operating systems and kernel versions
- Ubuntu Bionic (18.04) and later
- Debian 9
- Debian 10
- CentOS 8 and RHEL 8
- If your cluster nodes run the Alibaba Cloud Linux 2 operating system that has a kernel version of 4.19.91-19.1.al7, your cluster is affected by the vulnerability.
- If your cluster nodes run the CentOS operating system that has a kernel version of 3.10.0-1062, which is earlier than the affected kernel version, your cluster is not affected by the vulnerability.
CVE-2020-14386 is a memory corruption vulnerability in the af_packet kernel module. The CAP_NET_RAW capability is required to exploit the vulnerability. Non-root users in Linux do not have this capability. However, in a Linux OS that has a kernel version later than 4.6, a non-root user can create a user namespace that has the CAP_NET_RAW capability. By default, Kubernetes and Docker containers have the CAP_NET_RAW capability. Therefore, attackers may exploit the CVE-2020-14386 vulnerability on nodes of ACK clusters if the Linux kernel version of nodes in the cluster is later than 4.6. Attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes. This may lead to unauthorized privilege escalation and container escapes. For the release notes of Alibaba Cloud Linux 2 images, see Vulnerability announcement | Linux kernel vulnerability (CVE-2020-14386). For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.
- Disable CAP_NET_RAW in the securityContext field in the configuration file of the
spec: containers: -name: target-container ... securityContext: capabilities: drop: -NET_RAWThe CAP_NET_RAW capability is required to exploit this vulnerability. The CAP_NET_RAW capability is not required by most container services. You can configure a pod security policy (PSP) to ensure that the CAP_NET_RAW capability is disabled for a pod. The following content is a PSP template:Note You can enable the PSP feature, create a PSP, and attach the PSP to a pod in the ACK console. For more information, see Use a PSP.
apiversion: policy/v1beta1 kind: PodSecurityPolicy metadata: name: no-cap-net-raw spec: requiredDropCapabilities: -NET_RAW ...
- Install the gatekeeper add-on and the official constraint template for your cluster
on the Components page. For more information, see gatekeeper and https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities. Then, create the following constraint to disable the CAP_NET_RAW capability of the
# Dropping CAP_NET_RAW with Gatekeeper # (requires the K8sPSPCapabilities template) apiversion: constraints.gatekeeper.sh/v1beta1 kind: K8sPSPCapabilities metadata: name: no-cap-net-raw spec: match: kinds: - apiGroups: [""] kinds: ["Pod"] namespaces: #List of namespaces to enforce this constraint on - default # If running gatekeeper >= v3.1.0-beta.5, # you can exclude namespaces rather than including them above. excludedNamespaces: - kube-system parameters: requiredDropCapabilities: - "NET_RAW"
- A bulletin about this vulnerability and an upgrade guide are released for Alibaba
Cloud Linux 2. If your cluster nodes run Alibaba Cloud Linux 2, perform the following
steps to upgrade the kernel version:
- Run the
yum -y install kernel-4.19.91-21.2.al7command to upgrade the kernel to a version that has this vulnerability fixed. Alternatively, run the
yum -y update kernelcommand to upgrade the kernel to the latest version.
- Restart the system for the upgrade to take effect. If a node has a running service that is not deployed on other nodes, drain and restart the node during off-peak hours.
- For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.
- Run the