CVE-2020-36385

7.8 HIGH

📋 TL;DR

This CVE describes a use-after-free vulnerability in the Linux kernel's InfiniBand subsystem (ucma.c). Attackers with local access can exploit this to cause kernel crashes or potentially execute arbitrary code with kernel privileges. Systems running Linux kernels before version 5.10 with InfiniBand support are affected.

💻 Affected Systems

Products:
  • Linux kernel
Versions: All versions before 5.10
Operating Systems: Linux distributions using affected kernel versions
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems with InfiniBand support enabled (CONFIG_INFINIBAND). Many cloud providers and HPC clusters use InfiniBand.

📦 What is this software?

Linux Kernel by Linux

The Linux Kernel is the core component of the Linux operating system, serving as the critical interface between computer hardware and software processes. As the heart of millions of servers, cloud infrastructure, embedded systems, Android devices, and IoT deployments worldwide, the Linux Kernel mana...

⚠️ Risk & Real-World Impact

🔴 Worst Case: Local privilege escalation to kernel-level code execution, potentially leading to full system compromise.
🟠 Likely Case: Kernel panic leading to denial of service (system crash).
🟢 If Mitigated: Limited to denial of service if exploit attempts are detected and blocked.

🌐 Internet-Facing: LOW - This requires local access to the system.
🏢 Internal Only: MEDIUM - Internal users with shell access could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit requires local access and knowledge of kernel exploitation techniques. Syzbot has demonstrated proof-of-concept crashes.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Linux kernel 5.10 and later

Vendor Advisory: https://cdn.kernel.org/pub/linux/kernel/v5.x/ChangeLog-5.10

Restart Required: Yes

Instructions:

1. Update Linux kernel to version 5.10 or later.
2. For distributions: Use package manager (apt/yum/dnf) to install latest kernel.
3. Reboot system to load new kernel.

🔧 Temporary Workarounds

Disable InfiniBand support

linux

Remove InfiniBand kernel module if not needed

# ucma.c is built as the rdma_ucm module (ib_ucm is a separate driver)
modprobe -r rdma_ucm
echo 'blacklist rdma_ucm' >> /etc/modprobe.d/blacklist.conf

🧯 If You Can't Patch

  • Restrict local user access to systems with InfiniBand enabled
  • Implement strict SELinux/AppArmor policies to limit kernel module interactions

🔍 How to Verify

Check if Vulnerable:

Check the kernel version with uname -r. If the version is earlier than 5.10 and InfiniBand is enabled, the system is vulnerable.

Check Version:

uname -r

Verify Fix Applied:

Verify that the kernel version is 5.10 or later with uname -r, and check that the system remains stable after InfiniBand operations.
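The check described above as a script. This is an added example, not part of the original advisory; the function names and verdict strings are illustrative. It applies the version rule literally, so a distribution kernel that backports the fix still compares as older than 5.10; treat the result as a triage signal.

```shell
#!/bin/sh
# Added example (not from the advisory page): applies the page's rule,
# "kernel < 5.10 and InfiniBand enabled", to a release string and a
# /proc/modules listing. Function names and verdict strings are illustrative.

# Return 0 if a `uname -r` style release is older than 5.10,
# 1 if it is 5.10 or newer, 2 if it cannot be parsed.
kernel_older_than_5_10() {
    rel=${1%%-*}                      # 5.4.0-42-generic -> 5.4.0
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major=${rel%%.*}
    rest=${rel#*.}
    minor=${rest%%.*}
    minor=${minor%%[!0-9]*}           # tolerate forms such as 5.9+
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in '') return 2 ;; esac
    [ "$major" -lt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -lt 10 ]; }
}

# Return 0 if rdma_ucm, the module built from drivers/infiniband/core/ucma.c,
# appears in a /proc/modules style listing passed as text.
ucma_loaded() {
    printf '%s\n' "$1" | grep -q '^rdma_ucm '
}

# Print one verdict: fixed-version, unknown-version, module-not-loaded, vulnerable.
assess() {
    kernel_older_than_5_10 "$1" && rc=0 || rc=$?
    case $rc in
        1) echo "fixed-version"; return 0 ;;
        2) echo "unknown-version"; return 0 ;;
    esac
    if ucma_loaded "$2"; then
        echo "vulnerable"
    else
        echo "module-not-loaded"
    fi
}

# Constructed sample listing, not captured from a real host.
SAMPLE_MODULES='rdma_ucm 28672 0 - Live 0x0000000000000000
ib_core 389120 1 rdma_ucm, Live 0x0000000000000000'

assess "5.4.0-42-generic" "$SAMPLE_MODULES"
# On a live host: assess "$(uname -r)" "$(cat /proc/modules)"
```

A kernel with the driver built in rather than loaded as a module does not list it in /proc/modules, so "module-not-loaded" does not by itself mean the code is absent.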

📡 Detection & Monitoring

Log Indicators:

  • Kernel panic messages in /var/log/messages or dmesg
  • OOM killer activity related to kernel memory

Network Indicators:

  • Unusual InfiniBand traffic patterns from local users

SIEM Query:

source="kernel" AND ("panic" OR "Oops" OR "general protection fault") AND process="ucma"
