CVE-2020-29661

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's tty subsystem that allows attackers to potentially escalate privileges or crash systems. The flaw exists in the TIOCSPGRP ioctl handler where improper locking can lead to freed memory being accessed. All Linux systems running kernel versions through 5.9.13 are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions through 5.9.13
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to tty devices, typically available to local users. Container environments may limit exposure if tty access is restricted.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...


⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to root, kernel panic leading to denial of service, or potential information disclosure from kernel memory

🟠 Likely Case: Local privilege escalation allowing unprivileged users to gain root access on vulnerable systems

🟢 If Mitigated: Limited impact with proper access controls and SELinux/AppArmor restrictions on tty device access

🌐 Internet-Facing: LOW - Requires local access to exploit, not directly reachable via network
🏢 Internal Only: HIGH - Any local user or compromised service account could exploit this for privilege escalation

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of kernel exploitation techniques. Public exploit code exists in security advisories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.9.14 and later, or distributions' backported patches

Vendor Advisory: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=54ffccbf053b5b6ca4f6e45094b942fab92a25fc

Restart Required: Yes

Instructions:

1. Update kernel package using distribution's package manager (apt/yum/dnf).
2. Reboot system to load new kernel.
3. Verify kernel version after reboot.

🔧 Temporary Workarounds

Restrict tty device access

linux

Limit access to tty devices using filesystem permissions or mandatory access controls

chmod 600 /dev/tty*
chown root:root /dev/tty*

Use kernel live patching

linux

Apply kernel live patch without reboot if supported by distribution

sudo ua attach <livepatch-token>
sudo canonical-livepatch enable <machine-token>

🧯 If You Can't Patch

  • Implement strict access controls on /dev/tty devices
  • Use SELinux/AppArmor to restrict tty ioctl operations

🔍 How to Verify

Check if Vulnerable:

Check kernel version: uname -r. If version is 5.9.13 or earlier, system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

After patching, verify kernel version is 5.9.14 or later, or check if distribution-specific patch is applied via package manager.
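
The version check above as a script (an added example, not part of the advisory). The function names and the three status labels are assumptions made for illustration; `check-vendor` covers distribution kernels that may carry the fix under an older version number.

```shell
#!/bin/sh
# Classify a kernel release string against the fixed version named on this page.
FIXED="5.9.14"

# Print the leading numeric part of a release string
# ("5.4.0-42-generic" -> "5.4.0").
kernel_base() {
    printf '%s\n' "$1" | sed -E 's/^([0-9]+(\.[0-9]+){0,2}).*/\1/'
}

# Print one of: fixed | vulnerable | check-vendor (labels are hypothetical).
cve_2020_29661_status() {
    release=$1
    base=$(kernel_base "$release")
    # sort -V orders version strings; if FIXED sorts first (or is equal),
    # the running base version is at or above the fixed release.
    lowest=$(printf '%s\n%s\n' "$FIXED" "$base" | sort -V | head -n 1)
    if [ "$lowest" = "$FIXED" ]; then
        echo fixed
    elif [ "$base" != "$release" ]; then
        # Distribution build (has a suffix): the fix may be backported,
        # so the version number alone is not conclusive.
        echo check-vendor
    else
        echo vulnerable
    fi
}

cve_2020_29661_status "$(uname -r)"
```

A `check-vendor` result means the package changelog or the distribution's advisory for CVE-2020-29661 has to be consulted.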

📡 Detection & Monitoring

Log Indicators:

  • Kernel oops messages
  • System crashes/reboots
  • Unusual privilege escalation attempts

Network Indicators:

  • None - local exploit only

SIEM Query:

source="kernel" AND ("Oops" OR "general protection fault" OR "use-after-free") AND "tty"
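
A kernel fault report spans several log lines, so the fault keyword and the tty symbol rarely share one line and a per-line match on the query above can miss them. The added example below (not part of the advisory) correlates them across lines; the function names, the `WINDOW` size, the symbol pattern and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag kernel fault reports whose following lines reference tty/pty code.
# WINDOW (assumed value) is how many lines after the fault header are searched.
WINDOW=${WINDOW:-20}

# Reads kernel log text from files or stdin; prints the header line of
# every fault report that mentions a tty_*/pty_* symbol or tiocspgrp.
tty_faults() {
    awk -v window="$WINDOW" '
        # Fault header: same keywords as the SIEM query on this page.
        /Oops|general protection fault|use-after-free/ { hdr = $0; left = window; hit = 0 }
        left > 0 {
            # Require a symbol-like match so words such as "pretty" do not count.
            if (!hit && $0 ~ /(^|[^a-z])(tty|pty)_[a-z_]+|tiocspgrp/) { hit = 1; print hdr }
            left--
        }
        # The end-of-trace marker closes the report early.
        /---\[ end trace/ { left = 0 }
    ' "$@"
}

# Constructed sample input: one fault with a tty frame, one without,
# and one benign tty-related line outside any fault report.
sample_log() {
    cat <<'EOF'
Dec 10 10:00:01 host kernel: Oops: 0002 [#1] SMP
Dec 10 10:00:01 host kernel: Call Trace:
Dec 10 10:00:01 host kernel:  tty_ioctl+0x3f0/0x8a0
Dec 10 10:00:01 host kernel: ---[ end trace 0000000000000001 ]---
Dec 10 10:05:00 host kernel: general protection fault: 0000 [#1] SMP
Dec 10 10:05:00 host kernel: RIP: 0010:ext4_lookup+0x80/0x1d0
Dec 10 10:05:00 host kernel: ---[ end trace 0000000000000002 ]---
Dec 10 10:06:00 host kernel: tty_example: benign driver message
EOF
}

sample_log | tty_faults
```

On a live system the same function can read `journalctl -k` or `dmesg` output on stdin.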
