On September 4, 2020, the CVE-2020-14386 Linux kernel vulnerability was published in the Linux community. The vulnerability is located in net/packet/af_packet.c in the Linux kernel. Attackers can exploit it to perform out-of-bounds writes, which can lead to risks such as unauthorized privilege escalation and container escapes.

Detected vulnerability

  • Vulnerability number: CVE-2020-14386
  • Vulnerability severity: high
  • Affected versions:
    • Linux distributions that have kernel versions later than 4.6
    • Affected ECS images:
      • Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903)
      • CentOS 8
      • Red Hat Enterprise Linux 8
      • Debian 9/10
      • OpenSUSE 15
      • SUSE Linux Enterprise Server 12/15
      • Ubuntu 18.04/20.04

Details

CVE-2020-14386 is a memory corruption vulnerability in the kernel's packet socket module (net/packet/af_packet.c). In Linux operating systems that have a kernel version later than 4.6, non-root users, including processes running inside Kubernetes and Docker containers, may trigger this vulnerability. Attackers can exploit it to perform out-of-bounds writes, which can lead to unauthorized privilege escalation and container escapes.

Security suggestion

Install the patch for vulnerability CVE-2020-14386 at your earliest convenience.

Solution

  • Fix and upgrade the Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903) image.
    1. Upgrade the kernel version by using one of the following methods:
      • Run the following command to upgrade the kernel to a version that has this vulnerability fixed:
        yum -y install kernel-4.19.91-21.2.al7
      • Run the following command to upgrade the kernel to the latest version:
        yum -y update kernel
    2. Run the following command to restart the system:
      reboot
    Note: For security upgrades for Alibaba Cloud Linux 2.1903, see Alibaba Cloud Linux 2.1903 Security Advisories.
  • For more information about how to upgrade SUSE Linux Enterprise Server, Ubuntu, and Debian images, see the respective vendor advisories: CVE-2020-14386 (SUSE), USN-4489-1: Linux kernel vulnerability (Ubuntu), and Security Tracker CVE-2020-14386 (Debian).
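The following script is an added example, not Alibaba Cloud's own tooling: it decides whether an Alibaba Cloud Linux 2.1903 host has completed both steps above, by comparing the booted kernel (and, optionally, the newest installed kernel package) against the fixed package kernel-4.19.91-21.2.al7 named in the solution. The helper names are hypothetical; the `--self` mode assumes `rpm` and GNU `sort -V` are available.

```shell
#!/bin/sh
# Added example (not Alibaba Cloud's own tooling): report whether an Alibaba Cloud
# Linux 2.1903 host is running a kernel that carries the CVE-2020-14386 fix.
# Versions are compared numerically field by field; the ".al7" tag and any
# architecture suffix such as ".x86_64" are ignored.

FIXED_KERNEL="4.19.91-21.2.al7"   # fixed package named in the advisory

# Print the numeric fields of a kernel version on one line, e.g.
#   "4.19.91-21.2.al7.x86_64" -> "4 19 91 21 2"
version_fields() {
    printf '%s\n' "$1" | sed -e 's/\.al[0-9].*$//' -e 's/[.-]/ /g'
}

# version_ge A B: succeed (exit 0) if A >= B; missing trailing fields count as 0.
version_ge() {
    { version_fields "$1"; version_fields "$2"; } | awk '
        NR == 1 { n = NF; for (i = 1; i <= NF; i++) a[i] = $i + 0 }
        NR == 2 { m = NF; for (i = 1; i <= NF; i++) b[i] = $i + 0 }
        END {
            for (i = 1; i <= (n > m ? n : m); i++) {
                x = (i <= n) ? a[i] : 0
                y = (i <= m) ? b[i] : 0
                if (x > y) exit 0
                if (x < y) exit 1
            }
            exit 0
        }'
}

# cve_2020_14386_status RUNNING [INSTALLED]: prints "patched", "reboot-required"
# or "vulnerable". RUNNING is the booted kernel (uname -r); INSTALLED is the newest
# installed kernel package, which may be newer than RUNNING until the host reboots.
cve_2020_14386_status() {
    running=$1
    installed=${2:-$1}
    if version_ge "$running" "$FIXED_KERNEL"; then
        echo patched
    elif version_ge "$installed" "$FIXED_KERNEL"; then
        echo reboot-required   # step 1 (yum) done, step 2 (reboot) still pending
    else
        echo vulnerable
    fi
}

# Run against the local host with: sh check.sh --self   (requires rpm, sort -V)
if [ "${1:-}" = "--self" ]; then
    newest=$(rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' | sort -V | tail -n 1)
    cve_2020_14386_status "$(uname -r)" "$newest"
fi
```

A host that reports reboot-required has the fixed kernel installed but is still running the vulnerable one, so step 2 of the procedure has not yet been completed.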

Announcing party

Alibaba Cloud Computing Co., Ltd.