
Container Service for Kubernetes:Vulnerability updates: CVE-2020-14386

Last Updated:Feb 27, 2026

CVE-2020-14386 is a memory corruption vulnerability in the Linux kernel packet socket facility (af_packet module). An attacker can exploit this vulnerability to perform an out-of-bounds write of up to 10 bytes, leading to privilege escalation, container escapes, node memory exhaustion, and disruption to workloads on affected nodes.

For the original disclosure, see CVE-2020-14386.

Affected versions

The vulnerability affects Linux distributions with kernel versions later than 4.6, including:

  • Ubuntu Bionic (18.04) and later

  • Debian 9

  • Debian 10

  • CentOS 8 and RHEL 8

Container Service for Kubernetes (ACK) cluster impact

Node operating system  | Kernel version    | Status
Alibaba Cloud Linux 2  | 4.19.91-19.1.al7  | Affected
CentOS                 | 3.10.0-1062       | Not affected (kernel version predates the vulnerability)

How this vulnerability affects ACK clusters

Exploiting CVE-2020-14386 requires the CAP_NET_RAW Linux capability. Non-root Linux users do not have this capability by default. However, on kernels later than 4.6, a non-root user can create a user namespace with CAP_NET_RAW.

Because Kubernetes and Docker containers have CAP_NET_RAW enabled by default, an attacker who can run code inside a container on an affected node can exploit the vulnerability to perform an out-of-bounds write of up to 10 bytes. This can lead to privilege escalation and container escapes.

For the Alibaba Cloud Linux 2 vulnerability announcement, see Vulnerability announcement | Linux kernel vulnerability (CVE-2020-14386).

Remediation

Apply one or more of the following fixes based on your environment. The options are listed from quickest to most comprehensive.

Fix 1: Drop CAP_NET_RAW in the container security context

Drop the NET_RAW capability in the securityContext field of your container spec. Most containerized applications do not need CAP_NET_RAW.

spec:
  containers:
  - name: target-container
    ...
    securityContext:
      capabilities:
        drop:
        - NET_RAW

Note

Dropping NET_RAW disables raw socket operations inside the container. Tools that rely on raw sockets, such as ping, stop working in containers where the capability is dropped.

Fix 2: Enforce through a pod security policy

Configure a pod security policy (PSP) to drop CAP_NET_RAW across all pods in the cluster. Enable the PSP feature, create a PSP, and attach it to pods in the ACK console.

apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
  name: no-cap-net-raw
spec:
  requiredDropCapabilities:
    - NET_RAW
  ...

Fix 3: Enforce through Gatekeeper

Install the gatekeeper add-on and the official constraint template on the Components page in the ACK console. For more information, see gatekeeper and the K8sPSPCapabilities template.

Create the following constraint to drop CAP_NET_RAW:

# Drop CAP_NET_RAW with Gatekeeper
# Requires the K8sPSPCapabilities template.
apiVersion: constraints.gatekeeper.sh/v1beta1
kind: K8sPSPCapabilities
metadata:
  name: no-cap-net-raw
spec:
  match:
    kinds:
      - apiGroups: [""]
        kinds: ["Pod"]
    namespaces:
      # List of namespaces to enforce this constraint on
      - default
    # If running gatekeeper >= v3.1.0-beta.5,
    # you can exclude namespaces rather than including them above.
    excludedNamespaces:
      - kube-system
  parameters:
    requiredDropCapabilities:
      - "NET_RAW"
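As an added check that is not part of the ACK documentation, the following Python script audits pod specs for containers that still hold CAP_NET_RAW, the state that Fix 1 removes and Fixes 2 and 3 enforce against. It assumes the output of `kubectl get pods -A -o json` is piped to it; the embedded sample pods are constructed for illustration.

```python
# Audit pod specs for containers that still hold CAP_NET_RAW (added example).
# Reads a Pod or PodList (`kubectl get pods -A -o json`) from stdin; with no
# piped input it runs on the constructed SAMPLE below, so it works offline.
import json
import sys

def _norm(cap):  # Kubernetes omits the CAP_ prefix; accept both spellings
    return cap.upper()[4:] if cap.upper().startswith("CAP_") else cap.upper()

def container_keeps_net_raw(container):
    """True if the container's effective capability set still includes NET_RAW."""
    # NET_RAW is granted by default: it stays unless dropped (by name or via
    # ALL) and not added back. A privileged container keeps every capability.
    sc = container.get("securityContext") or {}
    if sc.get("privileged"):
        return True
    caps = sc.get("capabilities") or {}
    dropped = {_norm(c) for c in caps.get("drop") or []}
    added = {_norm(c) for c in caps.get("add") or []}
    if added & {"NET_RAW", "ALL"}:
        return True
    return not (dropped & {"NET_RAW", "ALL"})

def audit(obj):
    """Return (namespace, pod, container) for each container keeping NET_RAW."""
    pods = obj["items"] if obj.get("kind") == "PodList" else [obj]
    findings = []
    for pod in pods:
        meta, spec = pod.get("metadata", {}), pod.get("spec", {})
        # Init and ephemeral containers run on the node too; check all three.
        for field in ("initContainers", "containers", "ephemeralContainers"):
            for c in spec.get(field) or []:
                if container_keeps_net_raw(c):
                    findings.append((meta.get("namespace", "default"),
                                     meta.get("name"), c["name"]))
    return findings

# Constructed sample: one pod applies Fix 1, one never dropped the capability.
SAMPLE = {"kind": "PodList", "items": [
    {"metadata": {"namespace": "default", "name": "hardened"},
     "spec": {"containers": [{"name": "app", "securityContext": {
         "capabilities": {"drop": ["NET_RAW"]}}}]}},
    {"metadata": {"namespace": "default", "name": "legacy"},
     "spec": {"initContainers": [{"name": "init", "securityContext": {
                  "capabilities": {"drop": ["ALL"], "add": ["NET_RAW"]}}}],
              "containers": [{"name": "web"}]}}]}

if __name__ == "__main__":
    data = SAMPLE if sys.stdin.isatty() else json.load(sys.stdin)
    for ns, pod, name in audit(data):
        print(f"{ns}/{pod} container {name}: still has CAP_NET_RAW")
```

Saved as, for example, `audit_net_raw.py` (name assumed), it is run as `kubectl get pods -A -o json | python3 audit_net_raw.py`; every line it prints is a container that would still be exposed on an unpatched node.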

Fix 4: Upgrade the kernel (Alibaba Cloud Linux 2)

If your cluster nodes run Alibaba Cloud Linux 2, upgrade the kernel to a version that includes the fix:

  1. Run one of the following commands to upgrade the kernel:

    • Install the specific fixed version:

      yum -y install kernel-4.19.91-21.2.al7

    • Or update to the latest kernel version:

      yum -y update kernel

  2. Restart the node for the upgrade to take effect. If the node runs workloads that are not scheduled on other nodes, drain the node and restart it during off-peak hours.

  3. For detailed fix information, see the Alibaba Cloud Linux 2 security advisories.
