CVE-2020-8835: (Pwn2Own) Linux Kernel eBPF Improper Input Validation Privilege Escalation Vulnerability
First published: Mon Mar 30 2020(Updated: )
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)
Credit: security@ubuntu.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| debian/linux | 5.10.223-1 6.1.106-3 6.1.99-1 6.10.9-1 | |
| Linux kernel | ||
| Linux Kernel | >=5.4.7<5.4.29 | |
| Linux Kernel | >=5.5.0<5.5.14 | |
| Linux Kernel | >=5.6<5.6.1 | |
| Fedora | =30 | |
| Fedora | =31 | |
| Fedora | =32 | |
| Ubuntu | =18.04 | |
| Ubuntu | =19.10 | |
| netapp cloud backup | ||
| netapp hci management node | ||
| netapp solidfire | ||
| NetApp SteelStore | ||
| All of | ||
| NetApp AFF A700s Firmware | ||
| netapp a700s | ||
| All of | ||
| NetApp AFF 8300 Firmware | ||
| NetApp FAS8300 | ||
| All of | ||
| NetApp AFF 8700 Firmware | ||
| NetApp FAS8700 | ||
| All of | ||
| NetApp AFF A400 Firmware | ||
| NetApp FAS A400 | ||
| All of | ||
| NetApp AFF A320 Firmware | ||
| NetApp AFF A320 | ||
| All of | ||
| NetApp AFF C190 Firmware | ||
| NetApp AFF C190 | ||
| All of | ||
| NetApp AFF A220 Firmware | ||
| NetApp AFF A220 | ||
| All of | ||
| NetApp FAS2700 Firmware | ||
| netapp fas2720 | ||
| All of | ||
| NetApp FAS2700 Firmware | ||
| netapp fas2750 | ||
| All of | ||
| NetApp AFF A800 Firmware | ||
| NetApp AFF A800 | ||
| All of | ||
| netapp h300s firmware | ||
| netapp h300s | ||
| All of | ||
| NetApp H500S Firmware | ||
| netapp h500s | ||
| All of | ||
| netapp h700s firmware | ||
| netapp h700s | ||
| All of | ||
| netapp h300e firmware | ||
| netapp h300e | ||
| All of | ||
| netapp h500e firmware | ||
| netapp h500e | ||
| All of | ||
| netapp h700e firmware | ||
| netapp h700e | ||
| All of | ||
| netapp h410s firmware | ||
| netapp h410s | ||
| All of | ||
| netapp h610c firmware | ||
| netapp h610c | ||
| All of | ||
| netapp h610s firmware | ||
| netapp h610s | ||
| All of | ||
| netapp h615c firmware | ||
| netapp h615c | ||
| NetApp AFF A700s Firmware | ||
| netapp a700s | ||
| NetApp AFF 8300 Firmware | ||
| NetApp FAS8300 | ||
| NetApp AFF 8700 Firmware | ||
| NetApp FAS8700 | ||
| NetApp AFF A400 Firmware | ||
| NetApp FAS A400 | ||
| NetApp AFF A320 Firmware | ||
| NetApp AFF A320 | ||
| NetApp AFF C190 Firmware | ||
| NetApp AFF C190 | ||
| NetApp AFF A220 Firmware | ||
| NetApp AFF A220 | ||
| NetApp FAS2700 Firmware | ||
| netapp fas2720 | ||
| NetApp FAS2700 Firmware | ||
| netapp fas2750 | ||
| NetApp AFF A800 Firmware | ||
| NetApp AFF A800 | ||
| netapp h300s firmware | ||
| netapp h300s | ||
| NetApp H500S Firmware | ||
| netapp h500s | ||
| netapp h700s firmware | ||
| netapp h700s | ||
| netapp h300e firmware | ||
| netapp h300e | ||
| netapp h500e firmware | ||
| netapp h500e | ||
| netapp h700e firmware | ||
| netapp h700e | ||
| netapp h410s firmware | ||
| netapp h410s | ||
| netapp h610c firmware | ||
| netapp h610c | ||
| netapp h610s firmware | ||
| netapp h610s | ||
| netapp h615c firmware | ||
| netapp h615c |
Remedy
Revert commit 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions").
Remedy
Mitigation for this vulnerability is available by setting the kernel.unprivileged_bpf_disabled sysctl to 1: $ sudo sysctl kernel.unprivileged_bpf_disabled=1 $ echo kernel.unprivileged_bpf_disabled=1 | \ sudo tee /etc/sysctl.d/90-CVE-2020-8835.conf This issue is also mitigated on systems that use secure boot, thanks to the kernel lockdown feature which blocks BPF program loading.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f2d67fec0b43edce8c416101cdc52e71145b5fef
- https://lore.kernel.org/bpf/20200330160324.15259-1-daniel@iogearbox.net/T/
- https://usn.ubuntu.com/usn/usn-4313-1
- https://www.openwall.com/lists/oss-security/2020/03/30/3
- https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
- https://usn.ubuntu.com/4313-1/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
- https://security.netapp.com/advisory/ntap-20200430-0004/
- http://www.openwall.com/lists/oss-security/2021/07/20/1
- https://launchpad.net/bugs/cve/CVE-2020-8835
- https://www.zerodayinitiative.com/advisories/ZDI-20-350/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/F7OONYGMSYBEFHLHZJK3GOI5Z553G4LD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/TF4PQZBEPNXDSK5DOBMW54OCLP25FTCD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YXBWSHZ6DJIZVXKXGZPK6QPFCY7VKZEG/
- https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T/
- https://git.kernel.org/linus/f2d67fec0b43edce8c416101cdc52e71145b5fef
- https://security-tracker.debian.org/tracker/CVE-2020-8835
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8835
- https://nvd.nist.gov/vuln/detail/CVE-2020-8835
- https://ubuntu.com/security/CVE-2020-8835
Frequently Asked Questions
What is the severity of CVE-2020-8835?
CVE-2020-8835 has been classified as a high-severity vulnerability due to its potential to allow out-of-bounds reads and writes in kernel memory.
How do I fix CVE-2020-8835?
To fix CVE-2020-8835, you should update the Linux kernel to the latest stable version or apply the relevant patches provided by your Linux distribution.
Which Linux kernel versions are affected by CVE-2020-8835?
CVE-2020-8835 affects Linux kernel versions 5.5.0 and newer, as well as specific versions in the 5.4 stable series.
What are the potential impacts of exploiting CVE-2020-8835?
Exploitation of CVE-2020-8835 could lead to unauthorized access to sensitive data and could compromise the stability of the system.
Is CVE-2020-8835 specific to certain Linux distributions?
CVE-2020-8835 affects multiple Linux distributions, including Debian, Fedora, and Ubuntu, that utilize the vulnerable versions of the kernel.
- agent/weakness
- agent/type
- agent/first-publish-date
- collector/launchpad-cve
- source/Launchpad
- agent/title
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/last-modified-date
- collector/usn-cve
- source/Ubuntu
- agent/remedy
- agent/references
- agent/description
- collector/security-tracker-debian
- source/Debian
- agent/software-canonical-lookup
- agent/trending
- agent/source
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-20-350
- alias/ZDI-CAN-10780
- alias/CVE-2020-8835
- agent/software-canonical-lookup-request
- agent/event
- agent/author
- agent/softwarecombine
- agent/tags
- collector/nvd-cve
- source/NVD
- collector/nvd-index
- package-manager/debian
- vendor/linux
- canonical/linux kernel
- version/linux kernel/5.4.7
- version/linux kernel/5.5.0
- version/linux kernel/5.6
- vendor/fedoraproject
- canonical/fedora
- version/fedora/30
- version/fedora/31
- version/fedora/32
- vendor/canonical
- canonical/ubuntu
- version/ubuntu/18.04
- version/ubuntu/19.10
- vendor/netapp
- canonical/netapp cloud backup
- canonical/netapp hci management node
- canonical/netapp solidfire
- canonical/netapp steelstore
- canonical/netapp aff a700s firmware
- canonical/netapp a700s
- canonical/netapp aff 8300 firmware
- canonical/netapp fas8300
- canonical/netapp aff 8700 firmware
- canonical/netapp fas8700
- canonical/netapp aff a400 firmware
- canonical/netapp fas a400
- canonical/netapp aff a320 firmware
- canonical/netapp aff a320
- canonical/netapp aff c190 firmware
- canonical/netapp aff c190
- canonical/netapp aff a220 firmware
- canonical/netapp aff a220
- canonical/netapp fas2700 firmware
- canonical/netapp fas2720
- canonical/netapp fas2750
- canonical/netapp aff a800 firmware
- canonical/netapp aff a800
- canonical/netapp h300s firmware
- canonical/netapp h300s
- canonical/netapp h500s firmware
- canonical/netapp h500s
- canonical/netapp h700s firmware
- canonical/netapp h700s
- canonical/netapp h300e firmware
- canonical/netapp h300e
- canonical/netapp h500e firmware
- canonical/netapp h500e
- canonical/netapp h700e firmware
- canonical/netapp h700e
- canonical/netapp h410s firmware
- canonical/netapp h410s
- canonical/netapp h610c firmware
- canonical/netapp h610c
- canonical/netapp h610s firmware
- canonical/netapp h610s
- canonical/netapp h615c firmware
- canonical/netapp h615c