CVE-2020-25645
First published: Wed Sep 16 2020(Updated: )
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.21.1.rt56.1158.el7 | 0:3.10.0-1160.21.1.rt56.1158.el7 |
| redhat/kernel | <0:3.10.0-1160.21.1.el7 | 0:3.10.0-1160.21.1.el7 |
| redhat/Linux kernel | <5.9 | 5.9 |
| Linux Linux kernel | <5.9.0 | |
| Linux Linux kernel | =5.9.0 | |
| Linux Linux kernel | =5.9.0-rc1 | |
| Linux Linux kernel | =5.9.0-rc2 | |
| Linux Linux kernel | =5.9.0-rc3 | |
| Linux Linux kernel | =5.9.0-rc4 | |
| Linux Linux kernel | =5.9.0-rc5 | |
| Linux Linux kernel | =5.9.0-rc6 | |
| Debian Debian Linux | =9.0 | |
| Debian Debian Linux | =10.0 | |
| Netapp Solidfire \& Hci Management Node | ||
| Netapp Solidfire \& Hci Storage Node | ||
| openSUSE Leap | =15.1 | |
| openSUSE Leap | =15.2 | |
| Netapp Hci Compute Node Bios | ||
| Netapp Hci Compute Node | ||
| Canonical Ubuntu Linux | =14.04 | |
| Canonical Ubuntu Linux | =16.04 | |
| Canonical Ubuntu Linux | =18.04 | |
| Canonical Ubuntu Linux | =20.04 | |
| All of | ||
| Netapp Hci Compute Node Bios | ||
| Netapp Hci Compute Node | ||
| debian/linux | 5.10.223-1 5.10.226-1 6.1.115-1 6.1.112-1 6.11.5-1 6.11.7-1 |
Remedy
A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels, by unloading the "geneve" kernel module and blacklisting it (See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25645 https://nvd.nist.gov/vuln/detail/CVE-2020-25645
- https://bugzilla.redhat.com/show_bug.cgi?id=1883988
- https://access.redhat.com/errata/RHSA-2021:0857
- https://access.redhat.com/errata/RHSA-2021:0856
- https://access.redhat.com/security/cve/cve-2020-25645
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html
- https://www.debian.org/security/2020/dsa-4774
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00028.html
- https://security.netapp.com/advisory/ntap-20201103-0004/
- https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html
- http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html
- https://launchpad.net/bugs/cve/CVE-2020-25645
- https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=34beb21594519ce64a55a498c2fe7d567bc1ca20
- https://access.redhat.com/solutions/41278
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883988#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1886425
- https://git.kernel.org/linus/34beb21594519ce64a55a498c2fe7d567bc1ca20
- https://security-tracker.debian.org/tracker/CVE-2020-25645
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25645
- https://nvd.nist.gov/vuln/detail/CVE-2020-25645
- https://ubuntu.com/security/CVE-2020-25645
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/author
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25645
- agent/software-canonical-lookup
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/nvd-cve
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- collector/security-tracker-debian
- source/Debian
- agent/remedy
- agent/references
- agent/softwarecombine
- agent/tags
- agent/description
- agent/event
- package-manager/redhat
- vendor/linux
- canonical/linux linux kernel
- version/linux linux kernel/5.9.0
- version/linux linux kernel/5.9.0-rc1
- version/linux linux kernel/5.9.0-rc2
- version/linux linux kernel/5.9.0-rc3
- version/linux linux kernel/5.9.0-rc4
- version/linux linux kernel/5.9.0-rc5
- version/linux linux kernel/5.9.0-rc6
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/debian debian linux/10.0
- vendor/netapp
- canonical/netapp solidfire \& hci management node
- canonical/netapp solidfire \& hci storage node
- vendor/opensuse
- canonical/opensuse leap
- version/opensuse leap/15.1
- version/opensuse leap/15.2
- canonical/netapp hci compute node bios
- canonical/netapp hci compute node
- vendor/canonical
- canonical/canonical ubuntu linux
- version/canonical ubuntu linux/14.04
- version/canonical ubuntu linux/16.04
- version/canonical ubuntu linux/18.04
- version/canonical ubuntu linux/20.04
- package-manager/debian