IBMD93D4935148F7F3B13EA6EFB252FC805F8785D44154C48C5441B79CADDEC8988Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P
Summary
Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability.
Vulnerability Details
CVEID:CVE-2020-14351
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free memory flaw in the implementation of performance counters. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute code in the context of the kernelβ¦
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192489 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Products and Versions
| Affected Product(s) | Version(s) |
|---|---|
| IBM Netezza Host Management | All IBM Netezza Host Management versions |
Remediation/Fixes
None
Workarounds and Mitigations
While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw
Mitigation of the reported CVE : CVE-2020-14351 on PureData System for Analytics N200x and N3001 is as follows:
Execute below steps using βrootβ user on both ha1/ha2 hosts
Step 1: Create perf_users group of privileged Perf users.
groupadd perf_users
Example:
[root@nzhost1 ~]# groupadd perf_users
Step 2: Add all the authorized users who are allowed to monitor perf events to the perf_users group.
usermod -a -G perf_users user_name
Example:
[root@nzhost1 ~]# usermod -a -G perf_users nz
Step 3: Assign perf_users group to Perf tool executable and limit access to the executable for other users in the system who are not in the perf_users group
cd /usr/bin/ ls -alhF perf chgrp perf_users perf chmod o-rwx perf ls -alhF perf
Example:
[root@nzhost1 ~]# cd /usr/bin/
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chgrp perf_users perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chmod o-rwx perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xβ 1 root perf_users 2.2M Sep 16 07:07 perf*
Step 4: Assign the required capabilities (capsh βprint : prints available linux capabilities) to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges.
setcap β38,cap_ipc_lock,cap_sys_ptrace=epβ perf **setcap -v β38,cap_ipc_lock,cap_sys_ptrace=epβ perf ** getcap perf
Example:
[root@nzhost1 bin]# setcap β38,cap_ipc_lock,cap_sys_ptrace=epβ perf
[root@nzhost1 bin]# setcap -v β38,cap_ipc_lock,cap_sys_ptrace=epβ perf
perf: OK
[root@nzhost1 bin]# getcap perf
perf = cap_ipc_lock,cap_sys_ptrace,38+ep
| CPE | Name | Operator | Version |
|---|---|---|---|
| ibm puredata system | eq | any |
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.6 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:L/Au:N/C:P/I:P/A:P