The Linux kernel was reported to contain an out-of-bounds read and write vulnerability caused by improper calculation of register bounds in eBPF code. Using this vulnerability (CVE-2020-8835), a local authenticated user can expose sensitive information, resulting in high data loss.
In ZDI’s Pwn2Own competition, Manfred Paul demonstrated the flaw in the bpf verifier for 32-bit operations.
Description
In the affected Linux kernel versions listed below, the bpf verifier (kernel/bpf/verifier.c) allows out-of-bounds reads and writes in kernel memory because of incorrect restrictions on the register bounds for 32-bit operations. Because this vulnerability is a local privilege escalation only, attackers would need another vulnerability to exploit it, which reduces its criticality.
This kernel bug was patched in the last week of March 2020.
For more information, refer to the video in which ZDI demonstrates this vulnerability.
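The verifier's job is to prove, before a program is loaded, that every memory access stays inside the bounds it has computed for the registers involved; if the bounds it derives for a 32-bit sub-register are tighter than the values the register can actually hold, a later bounds check is "proved" safe when it is not. The following added example (written for this page; it is not the kernel's code and does not reproduce the exact patched function) illustrates that class of mistake in isolation: `derive32_naive` truncates a 64-bit unsigned range to 32 bits, which is unsound whenever the range crosses a multiple of 2^32, while `derive32_sound` only keeps the truncated bounds when the whole range sits inside one 2^32-aligned window. The `struct ubounds` type, the function names and the sample ranges are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned bounds a verifier might track for one register value (assumed type). */
struct ubounds {
    uint64_t umin;
    uint64_t umax;
};

/* Naive derivation: truncate the 64-bit bounds to their low 32 bits.
 * Unsound: if the 64-bit range crosses a multiple of 2^32, the low 32 bits
 * wrap around, so the derived "bounds" no longer contain every reachable
 * value (umin may even end up larger than umax). */
struct ubounds derive32_naive(struct ubounds r64)
{
    struct ubounds r32 = { r64.umin & 0xffffffffULL, r64.umax & 0xffffffffULL };
    return r32;
}

/* Sound derivation: the low 32 bits are only bounded when the whole 64-bit
 * range lives inside a single 2^32-aligned window (same high half at both
 * ends); otherwise the 32-bit sub-register can take any value. */
struct ubounds derive32_sound(struct ubounds r64)
{
    struct ubounds r32;
    if ((r64.umin >> 32) == (r64.umax >> 32)) {
        r32.umin = r64.umin & 0xffffffffULL;
        r32.umax = r64.umax & 0xffffffffULL;
    } else {
        r32.umin = 0;
        r32.umax = 0xffffffffULL;
    }
    return r32;
}

/* Soundness check: does every probed value v in the 64-bit range have
 * (v & 0xffffffff) inside the claimed 32-bit bounds?  Probing the two ends
 * of the range plus the values just before and after a 2^32 wrap point is
 * enough to expose the naive derivation. */
bool bounds32_contain_range(struct ubounds r32, struct ubounds r64)
{
    uint64_t probes[4] = {
        r64.umin,
        r64.umax,
        r64.umin | 0xffffffffULL,         /* last value before the low half wraps */
        (r64.umin | 0xffffffffULL) + 1,   /* first value after the wrap */
    };
    for (size_t i = 0; i < 4; i++) {
        uint64_t v = probes[i];
        if (v < r64.umin || v > r64.umax)
            continue;                     /* probe lies outside the range */
        uint64_t low = v & 0xffffffffULL;
        if (low < r32.umin || low > r32.umax)
            return false;                 /* reachable value escapes the bounds */
    }
    return true;
}

int main(void)
{
    /* Constructed sample: a range that straddles 2^32. */
    struct ubounds r64 = { 0xfffffff0ULL, 0x100000010ULL };
    struct ubounds naive = derive32_naive(r64);
    struct ubounds sound = derive32_sound(r64);

    printf("64-bit range  : [0x%llx, 0x%llx]\n",
           (unsigned long long)r64.umin, (unsigned long long)r64.umax);
    printf("naive 32-bit  : [0x%llx, 0x%llx] sound=%d\n",
           (unsigned long long)naive.umin, (unsigned long long)naive.umax,
           bounds32_contain_range(naive, r64));
    printf("careful 32-bit: [0x%llx, 0x%llx] sound=%d\n",
           (unsigned long long)sound.umin, (unsigned long long)sound.umax,
           bounds32_contain_range(sound, r64));
    return 0;
}
```

The point of the check is that the naive bounds are not merely imprecise but wrong: a value such as 0x100000000, which is inside the 64-bit range, has a low half of 0 that falls outside the naively derived [0xfffffff0, 0x10]. A verifier trusting those bounds would accept an index that the hardware will actually compute differently.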
What is eBPF?
“Extended Berkeley Packet Filter”, or eBPF, is a general tracing feature supported in Linux kernel version 3.15 and later. It allows users to run eBPF programs directly in kernel space, and it can be used to trace certain kernel functionality. The feature can also be used to filter network packets.
The Berkeley Packet Filter (BPF) was designed to let operating systems analyze network traffic using filter programs. “In addition, if the driver for the network interface supports promiscuous mode, it allows the interface to be put into that mode so that all packets on the network can be received, even those destined to other hosts.”, suggests Wikipedia.
Affected Products
- Linux kernel 5.4
- Linux kernel 5.5
Mitigation
Patches for Ubuntu, Fedora and Debian are already available. In RHEL, normal users aren’t allowed to access the bpf syscall by default. However, for Fedora, it is recommended that users disable unprivileged access to the bpf syscall by setting the following sysctl variable:
Fedora:
    # sysctl -w kernel.unprivileged_bpf_disabled=1
Ubuntu:
    $ sudo sysctl kernel.unprivileged_bpf_disabled=1
    $ echo kernel.unprivileged_bpf_disabled=1 | sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf
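To confirm the mitigation actually took effect on a host (the sysctl can be reset by another file in /etc/sysctl.d, or the kernel may lack the knob entirely), the following added example, written for this page and not taken from any vendor tooling, reads `/proc/sys/kernel/unprivileged_bpf_disabled` and classifies it. Values 0 and 1 are the ones the mitigation above toggles; value 2, which newer kernels accept to lock the setting until reboot, is also recognised. The enum and function names are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BPF_SYSCTL_PATH "/proc/sys/kernel/unprivileged_bpf_disabled"

/* Classification of the sysctl value (assumed names, not a kernel API). */
enum bpf_sysctl_state {
    BPF_SYSCTL_UNKNOWN = -1,        /* file missing or content not a valid setting */
    BPF_UNPRIV_ALLOWED = 0,         /* 0: unprivileged users may call bpf() */
    BPF_UNPRIV_DISABLED = 1,        /* 1: disabled, root may re-enable (the mitigation above) */
    BPF_UNPRIV_DISABLED_LOCKED = 2, /* 2: disabled until reboot (accepted by newer kernels) */
};

/* Parse the raw text of the sysctl file, e.g. "1\n", into a state.
 * Anything other than a single integer 0/1/2 (optionally followed by
 * whitespace) is reported as unknown rather than guessed. */
enum bpf_sysctl_state classify_bpf_sysctl(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0)
        return BPF_SYSCTL_UNKNOWN;            /* no digits at all, or overflow */
    while (*end == '\n' || *end == ' ' || *end == '\t')
        end++;                                /* allow trailing whitespace only */
    if (*end != '\0')
        return BPF_SYSCTL_UNKNOWN;            /* trailing garbage */
    switch (v) {
    case 0:  return BPF_UNPRIV_ALLOWED;
    case 1:  return BPF_UNPRIV_DISABLED;
    case 2:  return BPF_UNPRIV_DISABLED_LOCKED;
    default: return BPF_SYSCTL_UNKNOWN;
    }
}

/* Read the live setting from the given path.  Returns BPF_SYSCTL_UNKNOWN
 * when the file cannot be opened (kernel without the sysctl, or a sandbox
 * that hides /proc). */
enum bpf_sysctl_state read_bpf_sysctl(const char *path)
{
    char buf[32];
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return BPF_SYSCTL_UNKNOWN;
    if (fgets(buf, sizeof buf, f) == NULL) {
        fclose(f);
        return BPF_SYSCTL_UNKNOWN;
    }
    fclose(f);
    return classify_bpf_sysctl(buf);
}

/* Human-readable label for a state, used by main(). */
const char *bpf_sysctl_label(enum bpf_sysctl_state s)
{
    switch (s) {
    case BPF_UNPRIV_ALLOWED:         return "unprivileged bpf() ALLOWED - mitigation not applied";
    case BPF_UNPRIV_DISABLED:        return "unprivileged bpf() disabled";
    case BPF_UNPRIV_DISABLED_LOCKED: return "unprivileged bpf() disabled and locked until reboot";
    default:                         return "setting unavailable or unreadable";
    }
}

int main(void)
{
    enum bpf_sysctl_state s = read_bpf_sysctl(BPF_SYSCTL_PATH);
    printf("%s: %s\n", BPF_SYSCTL_PATH, bpf_sysctl_label(s));
    /* Non-zero exit only when the knob is present and unprivileged access is on. */
    return s == BPF_UNPRIV_ALLOWED ? 1 : 0;
}
```

Run as an ordinary user; the sysctl file is world-readable, so no privileges are needed to audit it. The exit status makes the check usable from a configuration-management or compliance script, while an unreadable or missing file is reported separately rather than being mistaken for either a safe or an unsafe setting.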
Detection
Qualys customers can scan their network with QID(s) 351909, 279867, 158323, 279719, 279661 and 197831 to detect assets vulnerable to this flaw. Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References and Sources:
- https://www.thezdi.com/blog/2020/4/8/cve-2020-8835-linux-kernel-privilege-escalation-via-improper-ebpf-program-verification
- https://usn.ubuntu.com/4313-1/
- https://security-tracker.debian.org/tracker/CVE-2020-8835
- https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
- https://lists.fedoraproject.org/archives/list/pa**************@li***.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
- https://lists.fedoraproject.org/archives/list/pa**************@li***.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
- https://nvd.nist.gov/vuln/detail/CVE-2020-8835#match-4783237
- https://lore.kernel.org/bpf/20***************************@io*******.net/T/
- https://en.wikipedia.org/wiki/Berkeley_Packet_Filter
- https://youtu.be/8rNsxbCgKzY