CVE-2020-16120

medium

Description

Overlayfs did not properly perform permission checking when copying up files in an overlayfs mount, and this could be exploited from within a user namespace if, for example, unprivileged user namespaces were allowed. A file not readable by an unprivileged user could be copied to a mountpoint controlled by that user, such as a removable device. This was introduced in kernel version 4.19 by commit d1d04ef ("ovl: stack file ops"). This was fixed in kernel version 5.8 by commits 56230d9 ("ovl: verify permissions in ovl_path_open()"), 48bd024 ("ovl: switch to mounter creds in readdir") and 05acefb ("ovl: check permission to open real file"). Additionally, commits 130fdbc ("ovl: pass correct flags for opening real directory") and 292f902 ("ovl: call secutiry hook in ovl_real_ioctl()") in kernel 5.8 might also be desired or necessary. These additional commits introduced a regression in overlay mounts within user namespaces which prevented access to files with ownership outside of the user namespace. This regression was mitigated by subsequent commit b6650da ("ovl: do not fail because of O_NOATIME") in kernel 5.11.

References

https://git.kernel.org/linus/05acefb4872dae89e772729efb194af754c877e8

https://git.kernel.org/linus/48bd024b8a40d73ad6b086de2615738da0c7004f

https://git.kernel.org/linus/56230d956739b9cb1cbde439d76227d77979a04d

https://git.kernel.org/linus/b6650dab404c701d7fe08a108b746542a934da84

https://git.kernel.org/linus/d1d04ef8572bc8c22265057bd3d5a79f223f8f52

https://launchpad.net/bugs/1894980

https://launchpad.net/bugs/1900141

https://ubuntu.com/USN-4576-1

https://ubuntu.com/USN-4577-1

https://ubuntu.com/USN-4578-1

https://www.openwall.com/lists/oss-security/2020/10/14/2

Details

Source: MITRE

Published: 2021-02-10

Updated: 2021-02-18

Type: CWE-269

Risk Information

CVSS v2

Base Score: 2.1

Vector: AV:L/AC:L/Au:N/C:P/I:N/A:N

Impact Score: 2.9

Exploitability Score: 3.9

Severity: LOW

CVSS v3

Base Score: 4.4

Vector: CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Impact Score: 3.6

Exploitability Score: 0.8

Severity: MEDIUM

Tenable Plugins

| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 150214 | EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1929) | Nessus | Huawei Local Security Checks | high |
| 150213 | EulerOS 2.0 SP9 : kernel (EulerOS-SA-2021-1950) | Nessus | Huawei Local Security Checks | high |
| 148634 | EulerOS Virtualization 2.9.1 : kernel (EulerOS-SA-2021-1715) | Nessus | Huawei Local Security Checks | high |
| 148604 | EulerOS Virtualization 2.9.0 : kernel (EulerOS-SA-2021-1751) | Nessus | Huawei Local Security Checks | high |
| 147205 | Oracle Linux 7 : Unbreakable Enterprise kernel-container (ELSA-2021-9087) | Nessus | Oracle Linux Local Security Checks | high |
| 147204 | Oracle Linux 7 / 8 : Unbreakable Enterprise kernel (ELSA-2021-9085) | Nessus | Oracle Linux Local Security Checks | high |
| 147203 | Oracle Linux 7 / 8 : Unbreakable Enterprise kernel-container (ELSA-2021-9086) | Nessus | Oracle Linux Local Security Checks | high |
| 147202 | Oracle Linux 7 : Unbreakable Enterprise kernel (ELSA-2021-9084) | Nessus | Oracle Linux Local Security Checks | high |
| 146282 | openSUSE Security Update : RT kernel (openSUSE-2021-242) | Nessus | SuSE Local Security Checks | high |
| 143875 | SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3532-1) | Nessus | SuSE Local Security Checks | high |
| 143858 | SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3326-1) | Nessus | SuSE Local Security Checks | high |
| 143857 | SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3544-1) | Nessus | SuSE Local Security Checks | high |
| 143809 | SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:3272-1) | Nessus | SuSE Local Security Checks | high |
| 143802 | SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3513-1) | Nessus | SuSE Local Security Checks | high |
| 143780 | SUSE SLES15 Security Update : kernel (SUSE-SU-2020:3522-1) | Nessus | SuSE Local Security Checks | high |
| 143773 | SUSE SLES12 Security Update : kernel (SUSE-SU-2020:3281-1) | Nessus | SuSE Local Security Checks | high |
| 143621 | SUSE SLED15 / SLES15 Security Update : kernel (SUSE-SU-2020:3122-1) | Nessus | SuSE Local Security Checks | high |
| 143398 | openSUSE Security Update : the Linux Kernel (openSUSE-2020-2112) | Nessus | SuSE Local Security Checks | high |
| 142945 | openSUSE Security Update : the Linux Kernel (openSUSE-2020-1906) | Nessus | SuSE Local Security Checks | high |
| 142921 | openSUSE Security Update : the Linux Kernel (openSUSE-2020-1901) | Nessus | SuSE Local Security Checks | high |
| 141496 | Photon OS 3.0: Linux PHSA-2020-3.0-0153 | Nessus | PhotonOS Local Security Checks | medium |
| 141480 | Photon OS 1.0: Linux PHSA-2020-1.0-0333 | Nessus | PhotonOS Local Security Checks | high |
| 141475 | Photon OS 2.0: Linux PHSA-2020-2.0-0290 | Nessus | PhotonOS Local Security Checks | high |
| 141451 | Ubuntu 18.04 LTS / 20.04 LTS : Linux kernel vulnerabilities (USN-4576-1) | Nessus | Ubuntu Local Security Checks | high |
| 141449 | Ubuntu 18.04 LTS : Linux kernel vulnerabilities (USN-4577-1) | Nessus | Ubuntu Local Security Checks | high |
| 141448 | Ubuntu 16.04 LTS / 18.04 LTS : Linux kernel vulnerabilities (USN-4578-1) | Nessus | Ubuntu Local Security Checks | high |