A Linux kernel vulnerability was recently disclosed. The CVE ID of the vulnerability is CVE-2020-14386. This vulnerability results from a bug in the packet socket facility in the Linux kernel. Attackers can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes, as stated by the vulnerability discoverer. The vulnerability may lead to unauthorized privilege escalation and container escapes, exhaust the memory of cluster nodes, and affect the applications that run on the nodes.
For more information about this vulnerability, see CVE-2020-14386.
Affected operating systems and kernel versions
- Ubuntu Bionic (18.04) and newer
- Debian 9
- Debian 10
- CentOS 8/RHEL 8
- If your cluster nodes run the Alibaba Cloud Linux 2 operating system that has a kernel version of 4.19.91-19.1.al7, your cluster is affected by the vulnerability.
- The kernel version of CentOS is 3.10.0-1062, which is lower than the affected kernel version. Therefore, cluster nodes that run the CentOS operating system are not affected.
CVE-2020-14386 is a memory corruption vulnerability in the af_packet kernel module. The CAP_NET_RAW capability is required to exploit the vulnerability, and non-root users in Linux do not have this capability by default. However, on a Linux kernel later than 4.6, a non-root user can create a user namespace in which the user holds CAP_NET_RAW. By default, Kubernetes and Docker containers also have the CAP_NET_RAW capability. Therefore, attackers may be able to exploit CVE-2020-14386 on nodes of ACK clusters if the Linux kernel version of the nodes is later than 4.6. A successful exploit performs an out-of-bounds write of up to 10 bytes, which may lead to unauthorized privilege escalation and container escapes.
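Because the exploit depends on the container holding CAP_NET_RAW, the first thing a defender wants to confirm is what capability bounding set a pod's processes actually received. The following shell script is an added example, not part of this bulletin: it decodes the CapBnd mask that the kernel reports in /proc/<pid>/status (CAP_NET_RAW is capability number 13 in the kernel's capability.h, so it is bit 13 of the mask). The two status excerpts embedded in it are constructed samples: Docker's default bounding set, and the same set with NET_RAW removed.

```shell
#!/bin/sh
# Added example (not part of the bulletin): check whether a process, e.g. a
# container's main process, still holds CAP_NET_RAW by decoding the CapBnd
# (bounding set) mask the kernel reports in /proc/<pid>/status.
# CAP_NET_RAW is capability number 13 in the kernel's capability.h,
# so it is bit 13 of the mask.

CAP_NET_RAW_BIT=13

# cap_mask_has_net_raw HEXMASK -> exit 0 if bit 13 is set, 1 otherwise.
# HEXMASK is the value printed after "CapBnd:" (no 0x prefix).
cap_mask_has_net_raw() {
    mask="$1"
    [ -n "$mask" ] || return 1
    bit=$(( (0x$mask >> $CAP_NET_RAW_BIT) & 1 ))
    [ "$bit" -eq 1 ]
}

# check_container_caps STATUS_TEXT -> prints a verdict; exit 0 when the
# bounding set still contains CAP_NET_RAW (the pod is exposed), 1 otherwise.
check_container_caps() {
    mask=$(printf '%s\n' "$1" | awk '/^CapBnd:/ { print $2 }')
    if cap_mask_has_net_raw "$mask"; then
        echo "CapBnd=$mask: CAP_NET_RAW present, drop it via securityContext"
        return 0
    fi
    echo "CapBnd=$mask: CAP_NET_RAW absent"
    return 1
}

# Constructed sample /proc/<pid>/status excerpts: Docker's default bounding
# set (00000000a80425fb) and the same set with NET_RAW (bit 13, 0x2000) removed.
SAMPLE_DEFAULT="CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb"
SAMPLE_DROPPED="CapBnd: 00000000a80405fb"

check_container_caps "$SAMPLE_DEFAULT" || true
check_container_caps "$SAMPLE_DROPPED" || true

# Inside a running container, check the current process itself.
if [ -r /proc/self/status ]; then
    check_container_caps "$(cat /proc/self/status)" || true
fi
```

Run it inside a pod whose securityContext drops NET_RAW and the last verdict should read "CAP_NET_RAW absent"; the script only reads the process's own status file and never tries to use the capability.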
- Disable CAP_NET_RAW in the securityContext field in the configuration file of the
  spec:
    containers:
    - name: target-container
      ...
      securityContext:
        capabilities:
          drop:
          - NET_RAW
  The CAP_NET_RAW capability is required to exploit this vulnerability, but most container workloads do not need it. You can configure a pod security policy (PSP) to ensure that the CAP_NET_RAW capability is dropped for every pod. The following content is a PSP template:
  apiVersion: extensions/v1beta1
  kind: PodSecurityPolicy
  metadata:
    name: no-cap-net-raw
  spec:
    requiredDropCapabilities:
    - NET_RAW
    ...
  Note: You can enable the PSP feature, create a PSP, and attach the PSP to a pod in the ACK console. For more information, see Use PSPs.
- Install the gatekeeper add-on and the official constraint template for your cluster
on the Components page. For more information, see Introduction and https://github.com/open-policy-agent/gatekeeper-library/tree/master/library/pod-security-policy/capabilities. Then, create the following constraint to disable the CAP_NET_RAW capability of the
  # Dropping CAP_NET_RAW with Gatekeeper
  # (requires the K8sPSPCapabilities template)
  apiVersion: constraints.gatekeeper.sh/v1beta1
  kind: K8sPSPCapabilities
  metadata:
    name: no-cap-net-raw
  spec:
    match:
      kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
      namespaces:  # List of namespaces to enforce this constraint on
      - default
      # If running gatekeeper >= v3.1.0-beta.5,
      # you can exclude namespaces rather than including them above.
      excludedNamespaces:
      - kube-system
    parameters:
      requiredDropCapabilities:
      - "NET_RAW"
- A bulletin about this vulnerability and an upgrade guide are released for Alibaba
Cloud Linux 2. If your cluster nodes run Alibaba Cloud Linux 2, perform the following
steps to upgrade the kernel version:
- Run the yum -y install kernel-4.19.91-21.2.al7 command to upgrade the kernel to a version in which this vulnerability is fixed. Alternatively, run the yum -y update kernel command to upgrade the kernel to the latest version.
- Restart the system for the upgrade to take effect. If a node has a running service that is not deployed on other nodes, drain and restart the node during off-peak hours.
- For more information about how to fix the Alibaba Cloud Linux 2.1903 vulnerability, see Security Advisories.
- Run the
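To decide which Alibaba Cloud Linux 2 nodes still need the upgrade and reboot described in the steps above, the following shell script (an added example, not part of this bulletin) compares a node's running kernel release with the fixed release 4.19.91-21.2.al7 named in those steps. The version comparison is a plain POSIX sh routine written for this example, and the release strings it is run against at the bottom are constructed samples.

```shell
#!/bin/sh
# Added example (not part of the bulletin): decide whether a node's running
# kernel is older than the release in which CVE-2020-14386 is fixed for
# Alibaba Cloud Linux 2 (4.19.91-21.2.al7, as named in the upgrade steps).

FIXED_AL2_KERNEL="4.19.91-21.2.al7"

# vercmp A B -> prints -1, 0 or 1 as A is older than, equal to, or newer
# than B. Release strings are split on "." and "-"; numeric fields are
# compared as integers, non-numeric fields such as "al7" are skipped.
vercmp() {
    a_fields=$(printf '%s' "$1" | tr '.-' '  ')
    b_fields=$(printf '%s' "$2" | tr '.-' '  ')
    set -- $a_fields                      # positional params now hold A's fields
    for b in $b_fields; do
        a=${1:-0}                         # a missing trailing field counts as 0
        if [ $# -gt 0 ]; then shift; fi
        case "$a$b" in *[!0-9]*) continue ;; esac
        if [ "$a" -lt "$b" ]; then printf '%s\n' -1; return 0; fi
        if [ "$a" -gt "$b" ]; then printf '%s\n' 1; return 0; fi
    done
    # A still has numeric fields beyond B's length -> A is newer
    for a in "$@"; do
        case "$a" in *[!0-9]*) continue ;; esac
        if [ "$a" -gt 0 ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# kernel_needs_upgrade RUNNING [FIXED] -> exit 0 when RUNNING is older than FIXED
kernel_needs_upgrade() {
    [ "$(vercmp "$1" "${2:-$FIXED_AL2_KERNEL}")" = "-1" ]
}

# Constructed sample releases: the vulnerable AL2 kernel named in the bulletin,
# the fixed one, and a later one.
for rel in 4.19.91-19.1.al7 4.19.91-21.2.al7 4.19.91-22.1.al7; do
    if kernel_needs_upgrade "$rel"; then
        echo "$rel: older than $FIXED_AL2_KERNEL, upgrade and reboot required"
    else
        echo "$rel: at or above $FIXED_AL2_KERNEL"
    fi
done

# On a live node: check the running kernel.
running=$(uname -r)
if kernel_needs_upgrade "$running"; then
    echo "this node ($running) needs the kernel upgrade"
else
    echo "this node ($running) is at or above the fixed release"
fi
```

Because a package install alone does not change the running kernel, run this check against uname -r after the reboot, not after the yum command, to confirm the node is actually patched.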