SB2020050907 - Resource exhaustion in Linux kernel

Description

This security bulletin contains information about 1 security vulnerability.

1) Resource exhaustion (CVE-ID: CVE-2019-20794)

The vulnerability allows a local user to perform a denial of service (DoS) attack.

An issue was discovered in the Linux kernel 4.18 through 5.6.11 when unprivileged user namespaces are allowed. A user can create their own PID namespace, and mount a FUSE filesystem. Upon interaction with this FUSE filesystem, if the userspace component is terminated via a kill of the PID namespace's pid 1, it will result in a hung task, and resources being permanently locked up until system reboot. This can result in resource exhaustion.

Remediation

Install update from vendor's website.

References

• https://github.com/sargun/fuse-example
• https://sourceforge.net/p/fuse/mailman/message/36598753/
• https://security.netapp.com/advisory/ntap-20200608-0001/
• http://www.openwall.com/lists/oss-security/2020/08/24/1