
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability (CVE-2020-14386) was discovered in the Linux kernel before version 5.9-rc4. The flaw exists in the packet socket (AF_PACKET) implementation in net/packet/af_packet.c, where memory corruption can be exploited to gain root privileges from unprivileged processes. The vulnerability was discovered by Or Cohen from Palo Alto Networks and was reported on September 3, 2020 (Seclists).
The vulnerability occurs in the tpacket_rcv function when it calculates the netoff variable (unsigned short). When po->tp_reserve (unsigned int) is added to netoff, the sum can overflow, leaving netoff with a small value. macoff is then calculated with 'macoff = netoff - maclen', and it can be controlled so that it receives a value smaller than sizeof(struct virtio_net_hdr). When do_vnet is set, this results in an out-of-bounds write of 1-10 bytes controlled by the user (NVD, Seclists). The vulnerability has a CVSS v3.1 Base Score of 7.8 (High) (NVD).
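The arithmetic described above, as an added example (not kernel source and not taken from the advisory): a simplified model that contrasts the truncating unsigned short sum with a wider sum that is range-checked before use. The function names, the 16-byte alignment helper, the 10-byte header size and the sample header lengths are assumptions made for illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed: sizeof(struct virtio_net_hdr) is 10, matching the 1-10 byte write. */
#define VNET_HDR_LEN 10u

static uint64_t align16(uint64_t x) { return (x + 15u) & ~(uint64_t)15; }

/* Pre-fix shape: the sum lands in an unsigned short and wraps modulo 65536. */
static unsigned short macoff_truncating(unsigned int hdrlen, unsigned int maclen,
                                        unsigned int tp_reserve, bool do_vnet)
{
    unsigned short netoff, macoff;

    netoff = (unsigned short)(align16((uint64_t)hdrlen + (maclen < 16 ? 16 : maclen))
                              + tp_reserve);
    if (do_vnet)
        netoff = (unsigned short)(netoff + VNET_HDR_LEN);
    macoff = (unsigned short)(netoff - maclen);
    return macoff;
}

/* Hardened shape: sum in 64 bits, drop (-1) anything that cannot fit in 16 bits. */
static long macoff_checked(unsigned int hdrlen, unsigned int maclen,
                           unsigned int tp_reserve, bool do_vnet)
{
    uint64_t netoff = align16((uint64_t)hdrlen + (maclen < 16 ? 16 : maclen)) + tp_reserve;

    if (do_vnet)
        netoff += VNET_HDR_LEN;
    if (netoff > USHRT_MAX)
        return -1;
    return (long)(netoff - maclen);
}

/* The virtio header is written just before macoff, so macoff must leave room for it. */
static bool vnet_hdr_fits(long macoff) { return macoff >= (long)VNET_HDR_LEN; }

int main(void)
{
    /* Constructed inputs: 32-byte ring header, 14-byte Ethernet header. */
    unsigned int reserve[] = { 0u, 65496u };
    for (int i = 0; i < 2; i++) {
        unsigned short m = macoff_truncating(32, 14, reserve[i], true);
        printf("tp_reserve=%u truncating macoff=%u fits=%d checked=%ld\n", reserve[i],
               (unsigned)m, vnet_hdr_fits(m), macoff_checked(32, 14, reserve[i], true));
    }
    return 0;
}
```

With the constructed reserve of 65496, the truncating version yields a macoff of 4, which leaves no room for the 10-byte header, while the checked version rejects the packet.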
The highest threat from this vulnerability is to data confidentiality and integrity. It allows local attackers with the CAP_NET_RAW capability to cause a denial of service (system crash) or potentially execute arbitrary code with root privileges. This capability can be acquired by unprivileged processes on systems where unprivileged namespaces are enabled, such as Ubuntu and Fedora (Sysdig).
Several mitigation options are available: 1) Update the kernel to version 5.9-rc4 or later, which contains the fix; 2) Disable the CAP_NET_RAW capability for regular users and executables; 3) On systems with user namespaces enabled, set user.max_net_namespaces=0 or user.max_user_namespaces=0 to prevent exploitation through namespaces (Bugzilla).
Source: This report was generated using AI