On September 4, 2020, the Linux kernel vulnerability CVE-2020-14386 was published in the Linux community. The vulnerability is in net/packet/af_packet.c in the Linux kernel. Attackers can exploit it to perform out-of-bounds writes, which can lead to risks such as unauthorized privilege escalation and container escapes.
Detected vulnerability
- Vulnerability number: CVE-2020-14386
- Vulnerability severity: high
- Affected versions:
  - Linux distributions that have kernel versions later than 4.6
- Affected ECS images:
  - Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903)
  - CentOS 8
  - Red Hat Enterprise Linux 8
  - Debian 9/10
  - OpenSUSE 15
  - SUSE Linux Enterprise Server 12/15
  - Ubuntu 18.04/20.04
Details
CVE-2020-14386 is a memory corruption vulnerability in the kernel's packet socket code (net/packet/af_packet.c). On Linux systems with a kernel version later than 4.6, non-root users, including users inside Kubernetes and Docker containers, may trigger this vulnerability. Attackers can exploit it to perform out-of-bounds writes, which can lead to unauthorized privilege escalation and container escapes.
Security suggestion
Install the patch for vulnerability CVE-2020-14386 at your earliest convenience.
Solution
- Fix and upgrade the Alibaba Cloud Linux 2.1903 (formerly Aliyun Linux 2.1903) image:
  - Upgrade the kernel version by using one of the following methods:
    - Run the following command to upgrade the kernel to a version that has this vulnerability fixed:
      yum -y install kernel-4.19.91-21.2.al7
    - Run the following command to upgrade the kernel to the latest version:
      yum -y update kernel
  - Run the following command to restart the system:
    reboot
  Note: For security upgrades for Alibaba Cloud Linux 2.1903, see Alibaba Cloud Linux 2.1903 Security Advisories.
- For more information about how to upgrade SUSE Linux Enterprise Server, Ubuntu, and Debian images, visit CVE-2020-14386, USN-4489-1: Linux kernel vulnerability, and Security Tracker CVE-2020-14386.
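To confirm that the upgrade above actually took effect on an Alibaba Cloud Linux 2.1903 host, here is an added example script (not part of the advisory) that compares the running kernel, field by field, against the fixed package version 4.19.91-21.2.al7 named in the solution and reports whether the host is still vulnerable, needs a reboot, or is fixed. The function names and the `--check` argument are this example's own assumptions; other distributions backport the fix, so their kernel numbers must be checked against their own advisories rather than this version.

```shell
#!/bin/sh
# Added example, not part of the advisory: verify that an Alibaba Cloud
# Linux 2.1903 host runs a kernel at or above the fixed package version
# named in the solution above. Other distributions backport the fix, so
# their kernel numbers must be checked against their own advisories.
FIXED_KERNEL="4.19.91-21.2.al7"   # version-release of the fixed package

# kernel_at_least RUNNING FIXED: exit 0 when RUNNING >= FIXED.
# Fields are split on '.' and '-' and compared numerically; non-numeric
# fields such as "al7" or "x86_64" count as 0, so an arch suffix on
# `uname -r` does not affect the comparison.
kernel_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, af, /[.-]/); nb = split(b, bf, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (af[i] ~ /^[0-9]+$/) ? af[i] + 0 : 0
            y = (bf[i] ~ /^[0-9]+$/) ? bf[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# newest_installed_kernel: highest version-release among installed kernel
# RPMs (empty when rpm is unavailable), used to spot a pending reboot.
newest_installed_kernel() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q kernel --qf '%{VERSION}-%{RELEASE}\n' 2>/dev/null \
        | grep -E '^[0-9]' | sort -V | tail -n 1
}

# check_running_kernel: report the host's state; exit 0 only when the
# running kernel already contains the fix.
check_running_kernel() {
    running=$(uname -r)
    if kernel_at_least "$running" "$FIXED_KERNEL"; then
        echo "OK: running kernel $running is at or above $FIXED_KERNEL"
        return 0
    fi
    installed=$(newest_installed_kernel)
    if [ -n "$installed" ] && kernel_at_least "$installed" "$FIXED_KERNEL"; then
        echo "REBOOT NEEDED: $installed is installed but $running is running"
    else
        echo "VULNERABLE: $running is below $FIXED_KERNEL; run the yum upgrade, then reboot"
    fi
    return 1
}

# Run the live check only when invoked with --check (hypothetical flag).
if [ "${1-}" = "--check" ]; then
    check_running_kernel
fi
```

Run it as `sh check_kernel.sh --check` after the reboot; a non-zero exit status means the running kernel still lacks the fix.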
Announcing party
Alibaba Cloud Computing Co., Ltd.