CVE-2020-28374

8.1 HIGH

📋 TL;DR

This vulnerability allows remote attackers with access to an iSCSI LUN to perform directory traversal attacks via XCOPY requests in the Linux kernel's LIO SCSI target subsystem. Attackers can read or write arbitrary files on the system by exploiting insufficient identifier checking. Systems running vulnerable Linux kernel versions with LIO SCSI target enabled are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: Before 5.10.7
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when LIO SCSI target subsystem is enabled and configured with iSCSI backstores. Not all Linux installations use this feature.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote attackers gain arbitrary file read/write access, potentially leading to full system compromise, data exfiltration, or ransomware deployment.

🟠 Likely Case

Attackers with iSCSI access can read sensitive configuration files, write malicious files, or modify system files to maintain persistence.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to the iSCSI storage subsystem only.

🌐 Internet-Facing: MEDIUM - Requires iSCSI access, but if iSCSI is exposed to the internet, risk increases significantly.
🏢 Internal Only: HIGH - Internal attackers with iSCSI access can exploit this to escalate privileges and move laterally.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires iSCSI access to at least one LUN. Proof-of-concept details are publicly available in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.10.7 and later

Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1178372

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.10.7 or later.
2. For distributions with backported patches, apply the security update for the LIO SCSI target subsystem.
3. Reboot the system to load the patched kernel.

🔧 Temporary Workarounds

Disable LIO SCSI target

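If not required, disable the LIO SCSI target subsystem to prevent exploitation. Stop any running target service first; the unload fails while fabric or backstore modules such as iscsi_target_mod still depend on target_core_mod.

# blacklist only blocks alias-based autoloading; the install line also blocks explicit and dependency loads
modprobe -r target_core_mod
echo 'blacklist target_core_mod' > /etc/modprobe.d/disable-lio.conf
echo 'install target_core_mod /bin/false' >> /etc/modprobe.d/disable-lio.conf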

Restrict iSCSI network access

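Limit iSCSI access to trusted networks only using firewall rules. Replace trusted_network with the source address or CIDR range of your iSCSI initiators; because -A appends, make sure no earlier rule in the INPUT chain already accepts port 3260.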

iptables -A INPUT -p tcp --dport 3260 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 3260 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate iSCSI traffic from untrusted networks.
  • Apply principle of least privilege to iSCSI access and regularly audit iSCSI configurations.

🔍 How to Verify

Check if Vulnerable:

Check kernel version and verify if LIO modules are loaded: uname -r && lsmod | grep -i target

Check Version:

uname -r

Verify Fix Applied:

Verify kernel version is 5.10.7 or later: uname -r
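
The two checks above can be combined into one triage step. The script below is an added example, not part of the original advisory; the function names (kernel_is_older, lio_loaded, assess) are hypothetical, it assumes GNU sort with -V, and it compares only the upstream version number, so a distribution kernel with a backported fix still needs to be confirmed against the vendor's security update.

```shell
#!/bin/sh
# Added example: triage a host for CVE-2020-28374 exposure using the page's two checks.
FIXED="5.10.7"   # first fixed upstream release, per the page

# Succeeds if the upstream part of a `uname -r` string is older than $FIXED.
kernel_is_older() {
    base=$(printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//')
    [ "$base" != "$FIXED" ] &&
        [ "$(printf '%s\n%s\n' "$base" "$FIXED" | sort -V | head -n 1)" = "$base" ]
}

# Succeeds if lsmod-style text on stdin lists an LIO core, backstore or fabric module.
lio_loaded() {
    awk '$1 ~ /^(target_core_|tcm_)/ || $1 == "iscsi_target_mod" { found = 1 }
         END { exit !found }'
}

# Prints one verdict line for a kernel release string ($1) and lsmod text ($2).
assess() {
    if printf '%s\n' "$2" | lio_loaded; then lio=yes; else lio=no; fi
    if kernel_is_older "$1"; then old=yes; else old=no; fi
    case "$old:$lio" in
        yes:yes) echo "EXPOSED: kernel $1 predates $FIXED and LIO is loaded (confirm distro backport status)" ;;
        yes:no)  echo "LATENT: kernel $1 predates $FIXED but no LIO module is loaded" ;;
        *)       echo "OK: kernel $1 is at or above $FIXED" ;;
    esac
}

# Check the live host only when the script is run with the argument "live".
if [ "${1:-}" = "live" ]; then
    assess "$(uname -r)" "$(lsmod)"
fi
```

A LATENT result still warrants patching, since the modules can be loaded later unless the workaround above is in place.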

📡 Detection & Monitoring

Log Indicators:

  • Unusual XCOPY requests in iSCSI logs
  • Failed file access attempts from iSCSI processes
  • Unexpected file modifications in system directories

Network Indicators:

  • Anomalous iSCSI traffic patterns
  • XCOPY requests with unusual path parameters

SIEM Query:

source="iscsi_logs" AND ("XCOPY" OR "directory traversal")
