Have Linux? You’d Better Check for CVE-2020-14386

Do you remember Heartbleed? Well, that got a CVSS (Common Vulnerability Scoring System) score of 7.5. Poodle scored 3.1. Shellshock gained an almost perfect score of 9.8. And now a new vulnerability in the Linux kernel (CVE-2020-14386) gets a score of 7.2, which puts it on a par with Heartbleed.

Our digital world is increasingly driven by the Linux kernel. Many of the services that you connect to and the devices in your home are now Linux-based. But today, a major new vulnerability has been found, and it is rated at a high level of criticality:

“A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.”

It was found by Or Cohen from Palo Alto Networks, who discovered that an unprivileged user could escalate rights to the root user. It builds on his work around finding vulnerabilities in packet sockets (CVE-2017-7308 and CVE-2016-8655). Overall, there is an incorrect offset calculation related to the tpacket_rcv function, and the exploit requires the CAP_NET_RAW capability.

The affected distributions are:

  • Ubuntu Bionic (18.04) and newer.
  • Debian 9.
  • Debian 10.
  • CentOS 8/RHEL 8.

The mitigation is to patch the system and to disable CAP_NET_RAW (which is already disabled in Red Hat).
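
One way to check the CAP_NET_RAW side of that mitigation, as an added example (not code from the original article or from the kernel project): the script lists processes whose effective capability set includes CAP_NET_RAW by reading `CapEff` from `/proc/<pid>/status`. The function names and the `--scan` argument are assumptions made for this example; capability number 13 comes from `linux/capability.h`.

```shell
#!/bin/sh
# Added example: find processes that currently hold CAP_NET_RAW.
# Function names and the --scan argument are hypothetical, chosen for this example.

CAP_NET_RAW_BIT=13   # CAP_NET_RAW in linux/capability.h

# Return 0 if the hex capability mask (as printed in /proc/<pid>/status)
# has the CAP_NET_RAW bit set, 1 if not, 2 if the mask is not valid hex.
has_cap_net_raw() {
    case "${1#0x}" in
        ''|*[!0-9a-fA-F]*) return 2 ;;
    esac
    [ $(( (0x${1#0x} >> $CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# Walk a procfs root (default /proc) and print "pid euid name" for every
# process whose effective capability set (CapEff) includes CAP_NET_RAW.
# The body runs in a subshell so its variables do not leak to the caller.
list_cap_net_raw_procs() (
    root="${1:-/proc}"
    for status in "$root"/[0-9]*/status; do
        [ -r "$status" ] || continue          # process exited or glob unmatched
        pid="${status%/status}"; pid="${pid##*/}"
        name=""; euid=""; capeff=""
        while read -r key v1 v2 rest; do
            case "$key" in
                Name:)   name="$v1" ;;
                Uid:)    euid="$v2" ;;        # fields: real, effective, saved, fs
                CapEff:) capeff="$v1" ;;
            esac
        done < "$status" || continue          # status file vanished mid-scan
        if has_cap_net_raw "$capeff"; then
            printf '%s %s %s\n' "$pid" "$euid" "$name"
        fi
    done
)

# Run against the live system only when asked to: sh script.sh --scan
if [ "${1:-}" = "--scan" ]; then
    list_cap_net_raw_procs /proc
fi
```

Any line with a non-zero effective UID is an unprivileged process that still holds the capability. Executables that grant it through file capabilities can be listed separately with `getcap -r / 2>/dev/null | grep cap_net_raw`.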