CVE-2020-14351

7.8 HIGH

📋 TL;DR

CVE-2020-14351 is a use-after-free vulnerability in the Linux kernel's perf subsystem that allows local attackers with permission to monitor performance events to corrupt memory. This can lead to privilege escalation, compromising data confidentiality, integrity, and system availability. Affected systems include Linux distributions with vulnerable kernel versions.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Kernel versions before specific fixes (varies by distribution; generally before kernel 5.8.x and backported fixes in stable branches)
Operating Systems: Linux distributions including Red Hat, Debian, Ubuntu, CentOS, and others
Default Config Vulnerable: ⚠️ Yes
Notes: Requires CAP_SYS_ADMIN or equivalent permissions to monitor perf events; default configurations often grant this to privileged users.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to root, complete system compromise, data theft, and persistent backdoor installation.

🟠 Likely Case: Local privilege escalation by authenticated users, potentially leading to lateral movement within the network.

🟢 If Mitigated: Limited to denial-of-service if proper access controls restrict perf event monitoring to trusted users only.

🌐 Internet-Facing: LOW - Requires local access; not directly exploitable over network.
🏢 Internal Only: HIGH - Local attackers with perf permissions can exploit this to gain root privileges.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires local access and perf event monitoring permissions; proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Varies by distribution (e.g., kernel 5.8+ or backported patches in stable branches like 4.19.x, 5.4.x)

Vendor Advisory: https://bugzilla.redhat.com/show_bug.cgi?id=1862849

Restart Required: Yes

Instructions:

1. Update kernel package via distribution's package manager (e.g., 'yum update kernel' for RHEL, 'apt update && apt upgrade linux-image' for Debian/Ubuntu).
2. Reboot system to load new kernel.

🔧 Temporary Workarounds

Restrict perf event monitoring

linux

Limit access to perf subsystem by removing CAP_SYS_ADMIN from non-privileged users or using kernel.perf_event_paranoid sysctl.

sysctl -w kernel.perf_event_paranoid=3

🧯 If You Can't Patch

  • Apply workaround to restrict perf event monitoring via sysctl or capability removal.
  • Implement strict access controls to limit local user privileges and monitor for suspicious activity.

🔍 How to Verify

Check if Vulnerable:

Run 'uname -r' and compare the running kernel version with the patched versions for your distribution, as listed in the vendor advisories.

Check Version:

uname -r

Verify Fix Applied:

After the update and reboot, verify that the running kernel version matches the patched version; if using the workaround, check that perf_event_paranoid is set appropriately.
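
One way to check the workaround, as an added example that is not part of the original advisory: it verifies the running kernel.perf_event_paranoid value and whether a sysctl configuration file will reapply it at boot, since 'sysctl -w' changes only the running kernel. The function names, the optional path argument and the exit codes are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit the perf_event_paranoid workaround (not vendor code).
# REQUIRED_LEVEL mirrors the value in the workaround command on this page.
REQUIRED_LEVEL=3

# Print the running value. The optional path argument is a hypothetical test
# hook; by default the real procfs entry is read.
perf_paranoid_current() {
    cat "${1:-/proc/sys/kernel/perf_event_paranoid}" 2>/dev/null
}

# Exit 0 if the running value is >= REQUIRED_LEVEL, 1 if lower, 2 if unreadable.
perf_paranoid_ok() {
    val=$(perf_paranoid_current "$1") || return 2
    case $val in ''|*[!0-9-]*) return 2 ;; esac
    [ "$val" -ge "$REQUIRED_LEVEL" ]
}

# Print the last value assigned in the given sysctl config files.
# Simplification: files are assumed to be passed in load order, and only the
# dotted "kernel.perf_event_paranoid = N" form is recognised.
perf_paranoid_persisted() {
    [ $# -gt 0 ] || return 0
    sed -n 's/^[[:space:]]*kernel\.perf_event_paranoid[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9][0-9]*\).*/\1/p' \
        "$@" 2>/dev/null | tail -n 1
}

# Exit 0: applied and persisted. 1: not applied now. 3: applied, lost on reboot.
audit_perf_workaround() {
    proc_file=$1
    [ $# -gt 0 ] && shift
    if ! perf_paranoid_ok "$proc_file"; then
        echo "FAIL: running value '$(perf_paranoid_current "$proc_file")' is below $REQUIRED_LEVEL"
        return 1
    fi
    persisted=$(perf_paranoid_persisted "$@")
    if [ -z "$persisted" ] || [ "$persisted" -lt "$REQUIRED_LEVEL" ]; then
        echo "WARN: running value is fine, but no sysctl file sets it; it will be lost on reboot"
        return 3
    fi
    echo "OK: running and persisted value >= $REQUIRED_LEVEL"
}
```

Call it as `audit_perf_workaround "" /etc/sysctl.d/*.conf /etc/sysctl.conf`; an empty first argument reads the live procfs entry. Level 3 is enforced only by kernels that carry the distribution patch for it (Debian and Ubuntu kernels do); on a mainline kernel it is treated the same as 2.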

📡 Detection & Monitoring

Log Indicators:

  • Kernel logs (dmesg) showing crashes or corruption in perf subsystem
  • Audit logs for unauthorized perf event access attempts

Network Indicators:

  • Not applicable - local exploit only

SIEM Query:

Example: search for 'perf' events in kernel logs or auditd entries indicating privilege escalation attempts.
