certfr_avis - CERTFR-2020-AVI-178

CERTFR-2020-AVI-178

Vulnerability from certfr_avis - Published: - Updated:

Une vulnérabilité a été découverte dans le noyau Linux de Ubuntu . Elle permet à un attaquant de provoquer une atteinte à la confidentialité des données et une élévation de privilèges.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

	Vendor	Product	Description
	Ubuntu	Ubuntu	Ubuntu 19.10
	Ubuntu	Ubuntu	Ubuntu 18.04 LTS

References

Title

Publication Time

CVE-2020-8835 (GCVE-0-2020-8835)

Vulnerability from cvelistv5 – Published: 2020-04-02 18:00 – Updated: 2024-09-17 02:15

Summary

In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE

Assigner

canonical

References

URL

Tags

	https://usn.ubuntu.com/4313-1/	vendor-advisoryx_refsource_UBUNTU
	https://www.thezdi.com/blog/2020/3/19/pwn2own-202…	x_refsource_MISC
	https://lore.kernel.org/bpf/20200330160324.15259-…	x_refsource_MISC
	https://www.openwall.com/lists/oss-security/2020/…	x_refsource_MISC
	https://usn.ubuntu.com/usn/usn-4313-1	x_refsource_MISC
	https://git.kernel.org/pub/scm/linux/kernel/git/n…	x_refsource_MISC
	https://git.kernel.org/pub/scm/linux/kernel/git/t…	x_refsource_MISC
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisoryx_refsource_FEDORA
	https://security.netapp.com/advisory/ntap-2020043…	x_refsource_CONFIRM
	http://www.openwall.com/lists/oss-security/2021/07/20/1	mailing-listx_refsource_MLIST

Impacted products

	Vendor	Product	Version
	Linux kernel	Linux kernel	Affected: 5.6-stable , < 5.6.1 (custom) Affected: 5.5-stable , < 5.5.14 (custom) Affected: 5.4.7 , < 5.4-stable* (custom)

Credits

Manfred Paul Anatoly Trosinenko

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T10:12:10.621Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "USN-4313-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/4313-1/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://usn.ubuntu.com/usn/usn-4313-1"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
          },
          {
            "name": "FEDORA-2020-4ef0bcc89c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/"
          },
          {
            "name": "FEDORA-2020-666f3b1ac3",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/"
          },
          {
            "name": "FEDORA-2020-73c00eda1c",
            "tags": [
              "vendor-advisory",
              "x_refsource_FEDORA",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://security.netapp.com/advisory/ntap-20200430-0004/"
          },
          {
            "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Linux kernel",
          "vendor": "Linux kernel",
          "versions": [
            {
              "lessThan": "5.6.1",
              "status": "affected",
              "version": "5.6-stable",
              "versionType": "custom"
            },
            {
              "lessThan": "5.5.14",
              "status": "affected",
              "version": "5.5-stable",
              "versionType": "custom"
            },
            {
              "changes": [
                {
                  "at": "5.4.29",
                  "status": "unaffected"
                }
              ],
              "lessThan": "5.4-stable*",
              "status": "affected",
              "version": "5.4.7",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Manfred Paul"
        },
        {
          "lang": "en",
          "value": "Anatoly Trosinenko"
        }
      ],
      "datePublic": "2020-03-30T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)"
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-07-20T14:06:18",
        "orgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
        "shortName": "canonical"
      },
      "references": [
        {
          "name": "USN-4313-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "https://usn.ubuntu.com/4313-1/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://usn.ubuntu.com/usn/usn-4313-1"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
        },
        {
          "name": "FEDORA-2020-4ef0bcc89c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/"
        },
        {
          "name": "FEDORA-2020-666f3b1ac3",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/"
        },
        {
          "name": "FEDORA-2020-73c00eda1c",
          "tags": [
            "vendor-advisory",
            "x_refsource_FEDORA"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://security.netapp.com/advisory/ntap-20200430-0004/"
        },
        {
          "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Revert commit 581738a681b6 (\"bpf: Provide better register bounds after jmp32 instructions\")."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Linux kernel bpf verifier vulnerability",
      "workarounds": [
        {
          "lang": "en",
          "value": "Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1:\n\n   $ sudo sysctl kernel.unprivileged_bpf_disabled=1\n   $ echo kernel.unprivileged_bpf_disabled=1 |  sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf\n\nThis issue is also mitigated on systems that use secure boot with the kernel lockdown feature which blocks BPF program loading."
        }
      ],
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "security@ubuntu.com",
          "DATE_PUBLIC": "2020-03-30T16:00:00.000Z",
          "ID": "CVE-2020-8835",
          "STATE": "PUBLIC",
          "TITLE": "Linux kernel bpf verifier vulnerability"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Linux kernel",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.6-stable",
                            "version_value": "5.6.1"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.5-stable",
                            "version_value": "5.5.14"
                          },
                          {
                            "version_affected": "\u003e=",
                            "version_name": "5.4-stable",
                            "version_value": "5.4.7"
                          },
                          {
                            "version_affected": "\u003c",
                            "version_name": "5.4-stable",
                            "version_value": "5.4.29"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Linux kernel"
              }
            ]
          }
        },
        "credit": [
          {
            "lang": "eng",
            "value": "Manfred Paul"
          },
          {
            "lang": "eng",
            "value": "Anatoly Trosinenko"
          }
        ],
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)"
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "USN-4313-1",
              "refsource": "UBUNTU",
              "url": "https://usn.ubuntu.com/4313-1/"
            },
            {
              "name": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results",
              "refsource": "MISC",
              "url": "https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results"
            },
            {
              "name": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/",
              "refsource": "MISC",
              "url": "https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/"
            },
            {
              "name": "https://www.openwall.com/lists/oss-security/2020/03/30/3",
              "refsource": "MISC",
              "url": "https://www.openwall.com/lists/oss-security/2020/03/30/3"
            },
            {
              "name": "https://usn.ubuntu.com/usn/usn-4313-1",
              "refsource": "MISC",
              "url": "https://usn.ubuntu.com/usn/usn-4313-1"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
            },
            {
              "name": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef",
              "refsource": "MISC",
              "url": "https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef"
            },
            {
              "name": "FEDORA-2020-4ef0bcc89c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/"
            },
            {
              "name": "FEDORA-2020-666f3b1ac3",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/"
            },
            {
              "name": "FEDORA-2020-73c00eda1c",
              "refsource": "FEDORA",
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/"
            },
            {
              "name": "https://security.netapp.com/advisory/ntap-20200430-0004/",
              "refsource": "CONFIRM",
              "url": "https://security.netapp.com/advisory/ntap-20200430-0004/"
            },
            {
              "name": "[oss-security] 20210720 CVE-2021-33909: size_t-to-int vulnerability in Linux\u0027s filesystem layer",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2021/07/20/1"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Revert commit 581738a681b6 (\"bpf: Provide better register bounds after jmp32 instructions\")."
          }
        ],
        "source": {
          "discovery": "EXTERNAL"
        },
        "work_around": [
          {
            "lang": "en",
            "value": "Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1:\n\n   $ sudo sysctl kernel.unprivileged_bpf_disabled=1\n   $ echo kernel.unprivileged_bpf_disabled=1 |  sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf\n\nThis issue is also mitigated on systems that use secure boot with the kernel lockdown feature which blocks BPF program loading."
          }
        ]
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cc1ad9ee-3454-478d-9317-d3e869d708bc",
    "assignerShortName": "canonical",
    "cveId": "CVE-2020-8835",
    "datePublished": "2020-04-02T18:00:23.885957Z",
    "dateReserved": "2020-02-10T00:00:00",
    "dateUpdated": "2024-09-17T02:15:48.820Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted