Lucene search

K
ibmIBMD93D4935148F7F3B13EA6EFB252FC805F8785D44154C48C5441B79CADDEC8988
HistoryMar 08, 2021 - 10:24 a.m.

Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management

2021-03-0810:24:18
www.ibm.com
41

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P

Summary

Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability.

Vulnerability Details

CVEID:CVE-2020-14351
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free memory flaw in the implementation of performance counters. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute code in the context of the kernel…
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192489 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Affected Product(s) Version(s)
IBM Netezza Host Management All IBM Netezza Host Management versions

Remediation/Fixes

None

Workarounds and Mitigations

While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw
Mitigation of the reported CVE : CVE-2020-14351 on PureData System for Analytics N200x and N3001 is as follows:

Execute below steps using “root” user on both ha1/ha2 hosts

Step 1: Create perf_users group of privileged Perf users.

groupadd perf_users

Example:
[root@nzhost1 ~]# groupadd perf_users

Step 2: Add all the authorized users who are allowed to monitor perf events to the perf_users group.

usermod -a -G perf_users user_name

Example:
[root@nzhost1 ~]# usermod -a -G perf_users nz

Step 3: Assign perf_users group to Perf tool executable and limit access to the executable for other users in the system who are not in the perf_users group

cd /usr/bin/ ls -alhF perf chgrp perf_users perf chmod o-rwx perf ls -alhF perf

Example:
[root@nzhost1 ~]# cd /usr/bin/
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chgrp perf_users perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chmod o-rwx perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-x— 1 root perf_users 2.2M Sep 16 07:07 perf*

Step 4: Assign the required capabilities (capsh –print : prints available linux capabilities) to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges.

setcap “38,cap_ipc_lock,cap_sys_ptrace=ep” perf **setcap -v “38,cap_ipc_lock,cap_sys_ptrace=ep” perf ** getcap perf

Example:
[root@nzhost1 bin]# setcap “38,cap_ipc_lock,cap_sys_ptrace=ep” perf
[root@nzhost1 bin]# setcap -v “38,cap_ipc_lock,cap_sys_ptrace=ep” perf
perf: OK
[root@nzhost1 bin]# getcap perf
perf = cap_ipc_lock,cap_sys_ptrace,38+ep

CPENameOperatorVersion
ibm puredata systemeqany

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

4.6 Medium

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:L/AC:L/Au:N/C:P/I:P/A:P