CVE-2020-28374

Public on 2021-01-13

Modified on 2021-02-19

Description

A flaw was found in the Linux kernel's implementation of the Linux SCSI target host, where an authenticated attacker could write to any block on the exported SCSI device backing store. This flaw allows an authenticated attacker to send LIO block requests to the Linux system to overwrite data on the backing store. The highest threat from this vulnerability is to integrity. In addition, this flaw affects the tcmu-runner package, where the affected SCSI command is called.

Severity

Important

See what this means

CVSS v3 Base Score

8.1

See breakdown

Affected Packages

Platform	Package	Release Date	Advisory
Amazon Linux 1	kernel	2021-02-16 00:13	ALAS-2021-1480
Amazon Linux 2 - Core	kernel	2021-02-17 18:07	ALAS2-2021-1600
Amazon Linux 2 - Kernel-5.4 Extra	kernel	2022-01-20 19:53	ALAS2KERNEL-5.4-2022-019
Amazon Linux 2 - Livepatch Extra	kernel-livepatch-4.14.203-156.332	2021-02-03 00:11	ALAS2LIVEPATCH-2021-035
Amazon Linux 2 - Livepatch Extra	kernel-livepatch-4.14.209-160.335	2021-02-03 00:11	ALAS2LIVEPATCH-2021-036
Amazon Linux 2 - Livepatch Extra	kernel-livepatch-4.14.209-160.339	2021-02-03 00:11	ALAS2LIVEPATCH-2021-037
Amazon Linux 2 - Livepatch Extra	kernel-livepatch-4.14.214-160.339	2021-02-03 00:11	ALAS2LIVEPATCH-2021-038

CVSS Scores

	Score Type	Score	Vector
Amazon Linux	CVSSv3	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
NVD	CVSSv2	5.5	AV:N/AC:L/Au:S/C:P/I:P/A:N
NVD	CVSSv3	8.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

References

Red Hat: CVE-2020-28374 Mitre: CVE-2020-28374 FAQs regarding Amazon Linux ALAS/CVE Severity