CVE-2020-25645
First published: Wed Sep 16 2020(Updated: )
A flaw was found in the Linux kernel in versions before 5.9-rc7. Traffic between two Geneve endpoints may be unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel allowing anyone between the two endpoints to read the traffic unencrypted. The main threat from this vulnerability is to data confidentiality.
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/kernel-rt | <0:3.10.0-1160.21.1.rt56.1158.el7 | 0:3.10.0-1160.21.1.rt56.1158.el7 |
| redhat/kernel | <0:3.10.0-1160.21.1.el7 | 0:3.10.0-1160.21.1.el7 |
| redhat/Linux kernel | <5.9 | 5.9 |
| Linux Kernel | <5.9.0 | |
| Linux Kernel | =5.9.0 | |
| Linux Kernel | =5.9.0-rc1 | |
| Linux Kernel | =5.9.0-rc2 | |
| Linux Kernel | =5.9.0-rc3 | |
| Linux Kernel | =5.9.0-rc4 | |
| Linux Kernel | =5.9.0-rc5 | |
| Linux Kernel | =5.9.0-rc6 | |
| Debian GNU/Linux | =9.0 | |
| Debian GNU/Linux | =10.0 | |
| netapp solidfire \& hci management node | ||
| netapp solidfire \& hci storage node | ||
| openSUSE | =15.1 | |
| openSUSE | =15.2 | |
| All of | ||
| NetApp HCI Compute Node BIOS | ||
| netapp hci compute node | ||
| Ubuntu Linux | =14.04 | |
| Ubuntu Linux | =16.04 | |
| Ubuntu Linux | =18.04 | |
| Ubuntu Linux | =20.04 | |
| debian/linux | 5.10.223-1 5.10.226-1 6.1.123-1 6.1.128-1 6.12.12-1 6.12.15-1 | |
| Debian | =9.0 | |
| Debian | =10.0 | |
| NetApp HCI Compute Node BIOS | ||
| netapp hci compute node | ||
| Ubuntu | =14.04 | |
| Ubuntu | =16.04 | |
| Ubuntu | =18.04 | |
| Ubuntu | =20.04 |
Remedy
A possible workaround for this flaw is to configure IPsec for all traffic between the endpoints, instead of specifically for the UDP port used by the GENEVE tunnels. If GENEVE tunnels are not used, this flaw will not be triggered. In that case, it is possible to disable those tunnels, by unloading the "geneve" kernel module and blacklisting it (See https://access.redhat.com/solutions/41278 for a guide on how to blacklist modules).
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2020-25645 https://nvd.nist.gov/vuln/detail/CVE-2020-25645
- https://bugzilla.redhat.com/show_bug.cgi?id=1883988
- https://access.redhat.com/errata/RHSA-2021:0857
- https://access.redhat.com/errata/RHSA-2021:0856
- https://access.redhat.com/security/cve/cve-2020-25645
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00035.html
- https://www.debian.org/security/2020/dsa-4774
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00042.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00028.html
- https://security.netapp.com/advisory/ntap-20201103-0004/
- https://lists.debian.org/debian-lts-announce/2020/12/msg00027.html
- http://packetstormsecurity.com/files/161229/Kernel-Live-Patch-Security-Notice-LSN-0074-1.html
- https://launchpad.net/bugs/cve/CVE-2020-25645
- https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=34beb21594519ce64a55a498c2fe7d567bc1ca20
- https://access.redhat.com/solutions/41278
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1883988#c0
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1886425
- https://git.kernel.org/linus/34beb21594519ce64a55a498c2fe7d567bc1ca20
- https://security-tracker.debian.org/tracker/CVE-2020-25645
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-25645
- https://nvd.nist.gov/vuln/detail/CVE-2020-25645
- https://ubuntu.com/security/CVE-2020-25645
Frequently Asked Questions
What is the severity of CVE-2020-25645?
CVE-2020-25645 has a high severity rating due to the potential for unencrypted traffic between Geneve endpoints.
How do I fix CVE-2020-25645?
To address CVE-2020-25645, you should upgrade to the Linux kernel version 5.9 or later.
Which versions of the Linux kernel are affected by CVE-2020-25645?
CVE-2020-25645 affects Linux kernel versions prior to 5.9-rc7.
What impact does CVE-2020-25645 have on network security?
CVE-2020-25645 could allow attackers to intercept and read unencrypted traffic between Geneve tunnel endpoints.
Is IPsec configuration sufficient to protect against CVE-2020-25645?
No, IPsec configuration may not provide adequate protection for traffic on specific UDP ports used by the GENEVE tunnel as per CVE-2020-25645.
- collector/redhat-cve
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/severity
- agent/weakness
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2020-25645
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/references
- agent/last-modified-date
- agent/trending
- agent/source
- agent/author
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup-request
- collector/usn-cve
- source/Ubuntu
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-index
- package-manager/redhat
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.9.0
- version/linux kernel/5.9.0-rc1
- version/linux kernel/5.9.0-rc2
- version/linux kernel/5.9.0-rc3
- version/linux kernel/5.9.0-rc4
- version/linux kernel/5.9.0-rc5
- version/linux kernel/5.9.0-rc6
- vendor/debian
- canonical/debian gnu/linux
- version/debian gnu/linux/9.0
- version/debian gnu/linux/10.0
- vendor/netapp
- canonical/netapp solidfire \& hci management node
- canonical/netapp solidfire \& hci storage node
- vendor/opensuse
- canonical/opensuse
- version/opensuse/15.1
- version/opensuse/15.2
- canonical/netapp hci compute node bios
- canonical/netapp hci compute node
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/14.04
- version/ubuntu linux/16.04
- version/ubuntu linux/18.04
- version/ubuntu linux/20.04
- package-manager/debian
- canonical/debian
- version/debian/9.0
- version/debian/10.0
- canonical/ubuntu
- version/ubuntu/14.04
- version/ubuntu/16.04
- version/ubuntu/18.04
- version/ubuntu/20.04