Shulou(Shulou.com)06/01 Report--

This article mainly introduces "how to fix the Linux kernel privilege upgrade vulnerability". In the daily operation, I believe that many people have doubts about how to repair the Linux kernel privilege upgrade vulnerability. The editor consulted all kinds of materials and sorted out simple and easy-to-use operation methods. I hope it will be helpful to answer the doubt of "how to fix the Linux kernel privilege upgrade vulnerability". Next, please follow the editor to study!

Brief introduction of 0x01 vulnerability

On September 23, 2020, 360CERT Monitoring found that the openwall email Group issued a risk notice for the linux-kernel privilege escalation vulnerability, the vulnerability number is CVE-2020-14386, vulnerability level: high risk, vulnerability score: 7.8.

A local attacker can cause privilege escalation by sending specially crafted request content to the affected host.

Because the vulnerability exists in the kernel, successful exploitation of the vulnerability will directly obtain the highest privileges of the system.

Products that currently use the kernel for virtualization, such as openshift/docker/kubernetes, are also affected by this vulnerability under the wrong configuration strategy, and may cause virtual environments to escape.

In this regard, 360CERT recommends that the majority of users upgrade linux-kernel to the latest version in time. At the same time, please do a good job of asset self-examination and prevention to avoid hacker attacks.

0x02 risk rating

360CERT's assessment of the vulnerability is as follows

Assessment methods, threat levels, high risk impact surfaces, general 360CERT scores, 7.80x03 vulnerability details CVE-2020-14386: privilege escalation vulnerabilities

The source code net/packet/af_packet.c of kernel versions with Linux distributions higher than 4.6 contains an integer overflow vulnerability when processing AF_PACKET.

The trigger of this vulnerability requires a local low-privilege user / executable file to enable the CAP_NET_RAW function

0x04 affects version

-centos:centos: 8

-debain:debain_linux: 9Universe 10

-ubuntu:ubuntu_linux: > 18.04

0x05 repair recommendation General repair recommendation

1. You can apply the following kernel patch acf69c946233259ab4d64f8869d4037a198c7f06 for commit

CVE-2020-14386 linux-kernel-git-patch

Https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=acf69c946233259ab4d64f8869d4037a198c7f06

two。 Turn off the CAP_NET_RAW function as recommended by RedHat

For a single executable program

# View the cap permissions of the program

Getcap / bin/ping

/ bin/ping cap_net_raw=ep

# remove cap_net_raw permission

Setcap cap_net_raw-ep / bin/ping

# check

Getcap / bin/ping

/ bin/ping =

At the same time, RedHat points out that on RedHat Enterprise Linux 8, CAP_NET_RAW functionality can also be obtained by making use of unprivileged user namespaces.

It can be alleviated by the following measures

Echo "user.max_user_namespaces=0" > / etc/sysctl.d/userns.conf

Sysctl-p / etc/sysctl.d/userns.conf

0x06 product side solution 360security analysis response platform

The security analysis and response platform of the security brain detects and blocks the exploitation of such vulnerabilities in real time by means of network traffic detection and multi-sensor data fusion association analysis, and asks the user to contact the person in charge of the relevant product area or (shaoyulong#360.cn) to obtain the corresponding product.

At this point, the study on "how to fix the Linux kernel privilege escalation vulnerability" is over. I hope to be able to solve everyone's doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.