Kernel is used by IBM Netezza Host Management. This bulletin provides mitigation for the reported vulnerability.
CVEID:CVE-2020-14351
**DESCRIPTION:**Linux Kernel could allow a local authenticated attacker to gain elevated privileges on the system, caused by a use-after-free memory flaw in the implementation of performance counters. By sending a specially-crafted request, an authenticated attacker could exploit this vulnerability to gain elevated privileges and execute code in the context of the kernelβ¦
CVSS Base score: 7.8
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/192489 for the current score.
CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H)
Affected Product(s) | Version(s) |
---|---|
IBM Netezza Host Management | All IBM Netezza Host Management versions |
None
While there is no way to disable the perf subsystem on Linux systems, reducing or removing users access to the perf events can effectively mitigate this flaw
Mitigation of the reported CVE : CVE-2020-14351 on PureData System for Analytics N200x and N3001 is as follows:
Execute below steps using βrootβ user on both ha1/ha2 hosts
Step 1: Create perf_users group of privileged Perf users.
groupadd perf_users
Example:
[root@nzhost1 ~]# groupadd perf_users
Step 2: Add all the authorized users who are allowed to monitor perf events to the perf_users group.
usermod -a -G perf_users user_name
Example:
[root@nzhost1 ~]# usermod -a -G perf_users nz
Step 3: Assign perf_users group to Perf tool executable and limit access to the executable for other users in the system who are not in the perf_users group
cd /usr/bin/ ls -alhF perf chgrp perf_users perf chmod o-rwx perf ls -alhF perf
Example:
[root@nzhost1 ~]# cd /usr/bin/
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chgrp perf_users perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xr-x 1 root perf_users 2.2M Sep 16 07:07 perf*
[root@nzhost1 bin]# chmod o-rwx perf
[root@nzhost1 bin]# ls -alhF perf
-rwxr-xβ 1 root perf_users 2.2M Sep 16 07:07 perf*
Step 4: Assign the required capabilities (capsh βprint : prints available linux capabilities) to the Perf tool executable file and enable members of perf_users group with monitoring and observability privileges.
setcap β38,cap_ipc_lock,cap_sys_ptrace=epβ perf **setcap -v β38,cap_ipc_lock,cap_sys_ptrace=epβ perf ** getcap perf
Example:
[root@nzhost1 bin]# setcap β38,cap_ipc_lock,cap_sys_ptrace=epβ perf
[root@nzhost1 bin]# setcap -v β38,cap_ipc_lock,cap_sys_ptrace=epβ perf
perf: OK
[root@nzhost1 bin]# getcap perf
perf = cap_ipc_lock,cap_sys_ptrace,38+ep
CPE | Name | Operator | Version |
---|---|---|---|
ibm puredata system | eq | any |