Description
A flaw was found in the Linux kernel before 5.9-rc4. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity.
A flaw was found in the Linux kernel. Memory corruption can be exploited to gain root privileges from unprivileged processes. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Report
Only local users with CAP_NET_RAW capability enabled can trigger this issue. For OpenShift Container Platform 4, pods in the default restricted SCC are granted CAP_NET_RAW by default. An attacker can exploit this if they can run arbitrary container images on the target cluster.
Mitigation
If the CAP_NET_RAW capability is disabled by default (which is true for Red Hat Enterprise Linux), then only a privileged user can trigger this bug. The mitigation is to disable the CAP_NET_RAW capability for regular users and for executables. On Red Hat Enterprise Linux 8, the CAP_NET_RAW capability can also be gained by exploiting unprivileged user namespaces. The mitigation is to disable unprivileged user namespaces by setting user.max_user_namespaces to 0:
```
echo "user.max_user_namespaces=0" > /etc/sysctl.d/userns.conf
sysctl -p /etc/sysctl.d/userns.conf
```
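To check the host-side mitigation described above, the following script (an added example, not part of the original advisory) reports the current user.max_user_namespaces value and lists non-root processes whose effective capability set includes CAP_NET_RAW. The function names are made up for this example; CAP_NET_RAW is capability number 13, so the script tests bit 13 of the CapEff mask in /proc/PID/status.

```shell
#!/bin/sh
# Added example, not from the advisory: audit a Linux host for the two
# preconditions the mitigation text targets.
CAP_NET_RAW_BIT=13   # CAP_NET_RAW's number in linux/capability.h

# has_cap_net_raw HEXMASK: succeeds if the CAP_NET_RAW bit is set in a
# capability mask as printed in /proc/PID/status (e.g. the CapEff line).
has_cap_net_raw() {
    case "$1" in ''|*[!0-9a-fA-F]*) return 1 ;; esac   # reject non-hex input
    [ $(( (0x$1 >> CAP_NET_RAW_BIT) & 1 )) -eq 1 ]
}

# userns_state VALUE: classify a user.max_user_namespaces sysctl value.
userns_state() {
    case "$1" in
        0) echo mitigated ;;           # unprivileged user namespaces disabled
        ''|*[!0-9]*) echo unknown ;;   # sysctl missing or unreadable
        *) echo exposed ;;             # a new namespace can still grant CAP_NET_RAW
    esac
}

# audit_proc PROC_ROOT: print "pid euid name" for each non-root process whose
# effective capability set contains CAP_NET_RAW.
audit_proc() {
    for status in "$1"/[0-9]*/status; do
        [ -r "$status" ] || continue   # process exited, or the glob matched nothing
        read -r pid euid name mask <<EOF
$(awk '$1 == "Name:" { n = $2 } $1 == "Pid:" { p = $2 }
       $1 == "Uid:" { u = $3 } $1 == "CapEff:" { c = $2 }
       END { print p, u, n, c }' "$status" 2>/dev/null)
EOF
        if [ "$euid" != 0 ] && has_cap_net_raw "$mask"; then
            echo "$pid $euid $name"
        fi
    done
}

# audit_host: report the live sysctl value and the live process list.
audit_host() {
    val=$(cat /proc/sys/user/max_user_namespaces 2>/dev/null || true)
    echo "user.max_user_namespaces=${val:-?} ($(userns_state "$val"))"
    echo "non-root processes holding CAP_NET_RAW (pid euid name):"
    audit_proc /proc
}
audit_host
```

File capabilities granted to executables are not covered by this script; they can be listed separately with getcap -r on the directories of interest.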
On OpenShift Container Platform 4.5 and 4.4, this can be mitigated by removing CAP_NET_RAW from the default cri-o capabilities provided to pods (NOTE: This may prevent ping from working in unprivileged pods. This fix has not been validated for OpenShift 4.3 or below):
Create this MachineConfig object via e.g. oc apply. More information about MachineConfig can be found here:
https://github.com/openshift/machine-config-operator
https://docs.openshift.com/container-platform/4.5/architecture/architecture-rhcos.html
In order to monitor the rollout of this change, use oc describe machineconfigpool/worker.
Check for any pods which start to crash after this is applied; they may need to be adjusted to request CAP_NET_RAW explicitly. More information:
https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-capabilities-for-a-container
https://docs.openshift.com/container-platform/4.5/authentication/managing-security-context-constraints.html
Affected packages
Platform | Package | State | Advisory | Release date |
---|---|---|---|---|
Red Hat Enterprise Linux 5 | kernel | Not affected | ||
Red Hat Enterprise Linux 6 | kernel | Not affected | ||
Red Hat Enterprise Linux 7 | kernel | Not affected | ||
Red Hat Enterprise Linux 7 | kernel-alt | Not affected | ||
Red Hat Enterprise Linux 7 | kernel-rt | Not affected | ||
Red Hat Enterprise MRG 2 | kernel | Not affected | ||
Red Hat Enterprise Linux 8 | kernel-rt | Fixed | RHSA-2020:4289 | 20.10.2020 |
Red Hat Enterprise Linux 8 | kernel | Fixed | RHSA-2020:4286 | 20.10.2020 |
Red Hat Enterprise Linux 8 | kpatch-patch | Fixed | RHSA-2020:4331 | 26.10.2020 |
Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions | kernel | Fixed | RHSA-2020:5199 | 24.11.2020 |
Additional information
CVSS3: 7.8 High