CVE-2020-8835
Linux kernel bpf verifier vulnerability
Severity Score
7.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
6
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
In the Linux kernel 5.5.0 and newer, the bpf verifier (kernel/bpf/verifier.c) did not properly restrict the register bounds for 32-bit operations, leading to out-of-bounds reads and writes in kernel memory. The vulnerability also affects the Linux 5.4 stable series, starting with v5.4.7, as the introducing commit was backported to that branch. This vulnerability was fixed in 5.6.1, 5.5.14, and 5.4.29. (issue is aka ZDI-CAN-10780)
En el kernel de Linux versiones 5.5.0 y más recientes, el verificador bpf (kernel/bpf/verifier.c) no restringió apropiadamente los límites de registro para operaciones de 32 bits, conllevando a lecturas y escrituras fuera de límites en la memoria del kernel. La vulnerabilidad también afecta a la serie estable de Linux versión 5.4, comenzando con la versión v5.4.7, ya que el commit de introducción fue respaldado en esa derivación. Esta vulnerabilidad fue corregida en las versiones 5.6.1, 5.5.14 y 5.4.29. (el problema también se conoce como ZDI-CAN-10780)
This vulnerability allows local attackers to escalate privileges on affected installations of Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.
The specific flaw exists within the handling of eBPF programs. The issue results from the lack of proper validation of user-supplied eBPF programs prior to executing them. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of the kernel.
*Credits:
Manfred Paul, Anatoly Trosinenko
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Authentication
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2020-02-10 CVE Reserved
- 2020-03-30 CVE Published
- 2020-05-12 First Exploit
- 2023-03-08 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-125: Out-of-bounds Read
- CWE-787: Out-of-bounds Write
CAPEC
References (17)
| URL | Tag | Source |
|---|---|---|
| https://lore.kernel.org/bpf/20200330160324.15259-1-daniel%40iogearbox.net/T | X_refsource_misc | |
| https://security.netapp.com/advisory/ntap-20200430-0004 | Third Party Advisory |
|
| https://usn.ubuntu.com/usn/usn-4313-1 | Third Party Advisory |
|
| https://www.thezdi.com/blog/2020/3/19/pwn2own-2020-day-one-results | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/zilong3033/CVE-2020-8835 | 2020-09-18 | |
| https://github.com/digamma-ai/CVE-2020-8835-verification | 2021-06-08 | |
| https://github.com/SplendidSky/CVE-2020-8835 | 2020-10-18 | |
| https://github.com/Prabhashaka/Exploitation-CVE-2020-8835 | 2020-05-12 | |
| https://github.com/johnatag/INF8602-CVE-2020-8835 | 2023-03-31 | |
| http://www.openwall.com/lists/oss-security/2021/07/20/1 | 2024-09-17 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Netapp Search vendor "Netapp" | A700s Firmware Search vendor "Netapp" for product "A700s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | A700s Search vendor "Netapp" for product "A700s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | 8300 Firmware Search vendor "Netapp" for product "8300 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | 8300 Search vendor "Netapp" for product "8300" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | 8700 Firmware Search vendor "Netapp" for product "8700 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | 8700 Search vendor "Netapp" for product "8700" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | A400 Firmware Search vendor "Netapp" for product "A400 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | A400 Search vendor "Netapp" for product "A400" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | A320 Firmware Search vendor "Netapp" for product "A320 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | A320 Search vendor "Netapp" for product "A320" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | C190 Firmware Search vendor "Netapp" for product "C190 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | C190 Search vendor "Netapp" for product "C190" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | A220 Firmware Search vendor "Netapp" for product "A220 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | A220 Search vendor "Netapp" for product "A220" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | Fas2720 Firmware Search vendor "Netapp" for product "Fas2720 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | Fas2720 Search vendor "Netapp" for product "Fas2720" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | Fas2750 Firmware Search vendor "Netapp" for product "Fas2750 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | Fas2750 Search vendor "Netapp" for product "Fas2750" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | A800 Firmware Search vendor "Netapp" for product "A800 Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | A800 Search vendor "Netapp" for product "A800" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H300s Firmware Search vendor "Netapp" for product "H300s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H300s Search vendor "Netapp" for product "H300s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H500s Firmware Search vendor "Netapp" for product "H500s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H500s Search vendor "Netapp" for product "H500s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H700s Firmware Search vendor "Netapp" for product "H700s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H700s Search vendor "Netapp" for product "H700s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H300e Firmware Search vendor "Netapp" for product "H300e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H300e Search vendor "Netapp" for product "H300e" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H500e Firmware Search vendor "Netapp" for product "H500e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H500e Search vendor "Netapp" for product "H500e" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H700e Firmware Search vendor "Netapp" for product "H700e Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H700e Search vendor "Netapp" for product "H700e" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H410s Firmware Search vendor "Netapp" for product "H410s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H410s Search vendor "Netapp" for product "H410s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H610c Firmware Search vendor "Netapp" for product "H610c Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H610c Search vendor "Netapp" for product "H610c" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H610s Firmware Search vendor "Netapp" for product "H610s Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H610s Search vendor "Netapp" for product "H610s" | - | - |
Safe
|
| Netapp Search vendor "Netapp" | H615c Firmware Search vendor "Netapp" for product "H615c Firmware" | - | - |
Affected
| in | Netapp Search vendor "Netapp" | H615c Search vendor "Netapp" for product "H615c" | - | - |
Safe
|
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.4.7 < 5.4.29 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.4.7 < 5.4.29" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.5.0 < 5.5.14 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.5.0 < 5.5.14" | - |
Affected
| ||||||
| Linux Search vendor "Linux" | Linux Kernel Search vendor "Linux" for product "Linux Kernel" | >= 5.6 < 5.6.1 Search vendor "Linux" for product "Linux Kernel" and version " >= 5.6 < 5.6.1" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 30 Search vendor "Fedoraproject" for product "Fedora" and version "30" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 31 Search vendor "Fedoraproject" for product "Fedora" and version "31" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 32 Search vendor "Fedoraproject" for product "Fedora" and version "32" | - |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04" | lts |
Affected
| ||||||
| Canonical Search vendor "Canonical" | Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux" | 19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10" | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Cloud Backup Search vendor "Netapp" for product "Cloud Backup" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Hci Management Node Search vendor "Netapp" for product "Hci Management Node" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Solidfire Search vendor "Netapp" for product "Solidfire" | - | - |
Affected
| ||||||
| Netapp Search vendor "Netapp" | Steelstore Cloud Integrated Storage Search vendor "Netapp" for product "Steelstore Cloud Integrated Storage" | - | - |
Affected
| ||||||