Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2020-27171

Опубликовано: 19 мар. 2021
Источник: redhat
CVSS3: 6
EPSS Низкий

Описание

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

A flaw was found in the Linux kernels eBPF verification code. By default accessing the eBPF verifier is only accessible to privileged users with CAP_SYS_ADMIN. A flaw that triggers Integer underflow when restricting speculative pointer arithmetic allows unprivileged local users to leak the content of kernel memory. The highest threat from this vulnerability is to data confidentiality.

Отчет

The default Red Hat Enterprise Linux kernel differs from the upstream, that prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl.
The setting of 1 would mean that unprivileged users can not use eBPF (which is a default setting), and this mitigating the flaw. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space, and may even cause a denial-of-service problem.

Меры по смягчению последствий

The default Red Hat Enterprise Linux kernel prevents unprivileged users from being able to use eBPF by the kernel.unprivileged_bpf_disabled sysctl. This would require a privileged user with CAP_SYS_ADMIN or root to be able to abuse this flaw reducing its attack space. For the Red Hat Enterprise Linux 7 the eBPF for unprivileged users is always disabled. For the Red Hat Enterprise Linux 8 to confirm the current state, inspect the sysctl with the command:

cat /proc/sys/kernel/unprivileged_bpf_disabled

The setting of 1 would mean that unprivileged users can not use eBPF, mitigating the flaw.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Red Hat Enterprise Linux 6kernelNot affected
Red Hat Enterprise Linux 7kernelAffected
Red Hat Enterprise Linux 7kernel-altNot affected
Red Hat Enterprise Linux 7kernel-rtAffected
Red Hat Enterprise Linux 8kernelAffected
Red Hat Enterprise Linux 8kernel-rtAffected
Red Hat Enterprise Linux 9kernelNot affected

Показывать по

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-191
https://bugzilla.redhat.com/show_bug.cgi?id=1940623kernel: Integer underflow when restricting speculative pointer arithmetic

EPSS

Процентиль: 38%
0.00162
Низкий

6 Medium

CVSS3

Связанные уязвимости

CVSS3: 6
ubuntu
больше 4 лет назад

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

CVSS3: 6
nvd
больше 4 лет назад

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

CVSS3: 6
msrc
больше 4 лет назад

Описание отсутствует

CVSS3: 6
debian
больше 4 лет назад

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/ ...

CVSS3: 6
github
около 3 лет назад

An issue was discovered in the Linux kernel before 5.11.8. kernel/bpf/verifier.c has an off-by-one error (with a resultant integer underflow) affecting out-of-bounds speculation on pointer arithmetic, leading to side-channel attacks that defeat Spectre mitigations and obtain sensitive information from kernel memory, aka CID-10d2bb2e6b1d.

EPSS

Процентиль: 38%
0.00162
Низкий

6 Medium

CVSS3