SB2020091303 - Incorrect authorization in Linux kernel block driver
Published: September 13, 2020
Security Bulletin ID
SB2020091303
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Local access
Highest impact
Data manipulation
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Incorrect authorization (CVE-ID: CVE-2020-25284)
The vulnerability allows a local privileged user to manipulate data.
The vulnerability exists due to incorrect authorization error within the rbd_config_info_show(), rbd_image_refresh(), do_rbd_add() and do_rbd_remove() functions in drivers/block/rbd.c. A local privileged user can manipulate data.
Remediation
Install update from vendor's website.
References
- https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f44d04e696feaf13d192d942c4f14ad2e117065a
- https://twitter.com/grsecurity/status/1304537507560919041
- https://lists.debian.org/debian-lts-announce/2020/09/msg00025.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2020-10/msg00021.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00034.html
- https://lists.debian.org/debian-lts-announce/2020/10/msg00032.html