Security Bulletin
Summary
Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability.
Vulnerability Details
CVEID: CVE-2020-14351
DESCRIPTION: Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free memory flaw in the implementation of performance counters. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute code in the context of the kernel..
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192489 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
| IBM Netezza Host Management | All IBM Netezza Host Management versions |
Remediation/Fixes
None
Workarounds and Mitigations
While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw
Mitigation of the reported CVE : CVE-2020-14351 on PureData System for Analytics N200x and N3001 is as follows:
Execute below steps using "root" user on both ha1/ha2 hosts
Step 1: Create perf_users group of privileged Perf users.
groupadd perf_users
Example:
[root@nzhost1 ~]# groupadd perf_users
Step 2: Add all the authorized users who are allowed to monitor perf events to the perf_users group.
usermod -a -G perf_users user_name
Example:
[root@nzhost1 ~]# usermod -a -G perf_users nz
Step 3: Assign perf_users group to Perf tool executable and limit access to the executable for other users in the system who are not in the perf_users group
cd /usr/bin/
ls -alhF perf
chgrp perf_users perf
chmod o-rwx perf
ls -alhF perf
Example:
[root@nzhost1 ~]# cd /usr/bin/
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chgrp perf_users perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chmod o-rwx perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-x--- 1 root perf_users 2.2M Sep 16 07:07 perf*
Step 4: Assign the required capabilities (capsh –print : prints available linux capabilities) to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges.
setcap "38,cap_ipc_lock,cap_sys_ptrace=ep" perf
setcap -v "38,cap_ipc_lock,cap_sys_ptrace=ep" perf
getcap perf
Example:
[root@nzhost1 bin]# setcap "38,cap_ipc_lock,cap_sys_ptrace=ep" perf
[root@nzhost1 bin]# setcap -v "38,cap_ipc_lock,cap_sys_ptrace=ep" perf
perf: OK
[root@nzhost1 bin]# getcap perf
perf = cap_ipc_lock,cap_sys_ptrace,38+ep
Get Notified about Future Security Bulletins
References
Change History
08 Mar 2021: Original Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
08 March 2021
UID
ibm16426829