Security Bulletin: Publicly disclosed vulnerability from Kernel affects IBM Netezza Host Management

Summary

Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability.

Vulnerability Details

CVEID:CVE-2020-14351
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free memory flaw in the implementation of performance counters. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute code in the context of the kernel…
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192489 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)

Affected Products and Versions

Remediation/Fixes

None

Workarounds and Mitigations

While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw
Mitigation of the reported CVE : CVE-2020-14351 on PureData System for Analytics N200x and N3001 is as follows:

Execute below steps using “root” user on both ha1/ha2 hosts

Step 1: Create perf_users group of privileged Perf users.

groupadd perf_users

Example:
[root@nzhost1 ~]# groupadd perf_users

Step 2: Add all the authorized users who are allowed to monitor perf events to the perf_users group.

usermod -a -G perf_users user_name

Example:
[root@nzhost1 ~]# usermod -a -G perf_users nz

Step 3: Assign perf_users group to Perf tool executable and limit access to the executable for other users in the system who are not in the perf_users group

cd /usr/bin/ ls -alhF perf chgrp perf_users perf chmod o-rwx perf ls -alhF perf

Example:
[root@nzhost1 ~]# cd /usr/bin/
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chgrp perf_users perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chmod o-rwx perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-x— 1 root perf_users 2.2M Sep 16 07:07 perf*

Step 4: Assign the required capabilities (capsh –print : prints available linux capabilities) to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges.

setcap “38,cap_ipc_lock,cap_sys_ptrace=ep” perf **setcap -v “38,cap_ipc_lock,cap_sys_ptrace=ep” perf ** getcap perf

Example:
[root@nzhost1 bin]# setcap “38,cap_ipc_lock,cap_sys_ptrace=ep” perf
[root@nzhost1 bin]# setcap -v “38,cap_ipc_lock,cap_sys_ptrace=ep” perf
perf: OK
[root@nzhost1 bin]# getcap perf
perf = cap_ipc_lock,cap_sys_ptrace,38+ep