CVE-2020-25645 Overview
A flaw was found in the Linux kernel in versions before 5.9-rc7 that allows traffic between two Geneve endpoints to be transmitted unencrypted when IPsec is configured to encrypt traffic for the specific UDP port used by the GENEVE tunnel. This cleartext transmission vulnerability enables anyone positioned between the two endpoints to read the traffic unencrypted, resulting in a significant data confidentiality breach. The vulnerability stems from improper handling of IPsec encryption for Geneve tunnel traffic, classified as CWE-319 (Cleartext Transmission of Sensitive Information).
Critical Impact
Network traffic between Geneve tunnel endpoints may be transmitted in cleartext despite IPsec encryption configuration, allowing network-level attackers to intercept and read sensitive data.
Affected Products
- Linux Kernel (versions before 5.9-rc7, including 5.9.0-rc1 through 5.9.0-rc6)
- Debian Linux 9.0 and 10.0
- Canonical Ubuntu Linux 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS
- openSUSE Leap 15.1 and 15.2
- NetApp SolidFire & HCI Management Node
- NetApp SolidFire & HCI Storage Node
- NetApp HCI Compute Node
Discovery Timeline
- October 13, 2020 - CVE-2020-25645 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2020-25645
Vulnerability Analysis
This vulnerability exists in the Linux kernel's handling of IPsec encryption for Geneve (Generic Network Virtualization Encapsulation) tunnels. Geneve is a network virtualization encapsulation protocol that provides flexible tunneling for virtual network overlays, commonly used in software-defined networking (SDN) and cloud environments. The flaw occurs when IPsec is configured to encrypt traffic on the specific UDP port utilized by Geneve tunnels (typically UDP port 6081).
Under normal circumstances IPsec encrypts every outgoing packet that matches a configured policy, including Geneve-encapsulated packets. Because of this flaw, a policy whose selector includes the Geneve UDP port never matched the tunnel's outgoing traffic, so the encapsulated frames left the host in cleartext even though the policy was installed and looked correct in `ip xfrm policy show`. Anyone with visibility of the path between the two Geneve endpoints could read the overlay traffic, including the inner Ethernet frames and their payloads. Note the scope: Geneve chooses its UDP source port per flow, so policies are normally keyed on destination port 6081, and it is exactly those port-keyed policies that were bypassed; tunnels protected by a policy matching only the endpoint addresses were not affected.
Root Cause
The root cause is in the kernel's Geneve driver, not in the IPsec (xfrm) subsystem itself. When Geneve transmits an encapsulated frame it performs a route lookup for the outer UDP/IP packet, and the IPsec output policy lookup runs as part of that route lookup, using the flow key the driver supplies. Before the fix the driver filled in the outer source and destination addresses and the protocol (UDP) but left the UDP source and destination ports in the flow key unset, so a policy whose selector includes the Geneve port (for example `proto udp dport 6081`) never matched and no ESP transform was attached to the route. The packet therefore left the host in cleartext while the policy database still showed an apparently correct policy. Policies that select only on the endpoint addresses were unaffected, because the port selectors were the only part of the match that depended on the missing fields. The upstream fix, "geneve: add transport ports in route lookup for geneve" (merged for 5.9-rc7), populates the ports before the lookup. The weakness is classified as CWE-319 (Cleartext Transmission of Sensitive Information).
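To make the failure concrete, here is a small userspace model (an added illustration for this page, not kernel source) of the match that the xfrm policy lookup performs against the flow key Geneve supplies. The data classes, the `patched` flag, the `demo()` name and the 10.0.0.x addresses are constructed for the demonstration; the match rule copies the shape of the kernel's selector test (address prefix, protocol, masked XOR on each port), and the only difference between the two flow-key builders is whether the UDP ports are filled in:

```python
"""Model of why CVE-2020-25645 bypassed port-keyed IPsec policies.

Added illustration, not kernel code. Selector/FlowKey are simplified
userspace stand-ins for the kernel's xfrm selector and flow key; the
match rule mirrors the kernel's shape: address prefix match, protocol
match, and !((flow_port ^ sel_port) & port_mask) for each port.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network

IPPROTO_UDP = 17
GENEVE_PORT = 6081


@dataclass(frozen=True)
class FlowKey:
    """What the output path hands to routing and to the xfrm policy lookup."""
    saddr: IPv4Address
    daddr: IPv4Address
    proto: int
    sport: int = 0   # 0 means 'not filled in by the caller'
    dport: int = 0


@dataclass(frozen=True)
class Selector:
    """One policy selector, as installed by `ip xfrm policy add ...`."""
    src: IPv4Network
    dst: IPv4Network
    proto: int = 0          # 0 = any protocol
    sport: int = 0
    sport_mask: int = 0     # 0 = ignore the port, 0xffff = exact match
    dport: int = 0
    dport_mask: int = 0


def selector_match(sel: Selector, fl: FlowKey) -> bool:
    # A port selector with mask 0 matches anything; with 0xffff it needs equality.
    return (fl.saddr in sel.src
            and fl.daddr in sel.dst
            and (sel.proto == 0 or fl.proto == sel.proto)
            and ((fl.sport ^ sel.sport) & sel.sport_mask) == 0
            and ((fl.dport ^ sel.dport) & sel.dport_mask) == 0)


def geneve_flow_key(saddr, daddr, sport, dport, patched: bool) -> FlowKey:
    """Flow key the Geneve driver builds for its outer-packet route lookup.

    Unpatched kernels set addresses and protocol but not the UDP ports,
    so the policy lookup sees sport = dport = 0.
    """
    if patched:
        return FlowKey(saddr, daddr, IPPROTO_UDP, sport, dport)
    return FlowKey(saddr, daddr, IPPROTO_UDP)


def tunnel_is_encrypted(sel, saddr, daddr, sport, dport, patched) -> bool:
    """True if the policy matches, i.e. an ESP transform gets attached."""
    return selector_match(sel, geneve_flow_key(saddr, daddr, sport, dport, patched))


def demo() -> dict:
    """Two endpoints, two policy styles, patched vs unpatched kernel (constructed case)."""
    a, b = ip_address("10.0.0.1"), ip_address("10.0.0.2")
    # ip xfrm policy add src 10.0.0.1/32 dst 10.0.0.2/32 proto udp dport 6081 dir out ...
    port_keyed = Selector(ip_network("10.0.0.1/32"), ip_network("10.0.0.2/32"),
                          proto=IPPROTO_UDP, dport=GENEVE_PORT, dport_mask=0xFFFF)
    # ip xfrm policy add src 10.0.0.1/32 dst 10.0.0.2/32 dir out ...   (no port selector)
    endpoint_only = Selector(ip_network("10.0.0.1/32"), ip_network("10.0.0.2/32"))
    # Geneve picks an ephemeral source port per flow; only the destination is fixed at 6081.
    sport = 49152
    return {
        "port_keyed/unpatched": tunnel_is_encrypted(port_keyed, a, b, sport, GENEVE_PORT, False),
        "port_keyed/patched": tunnel_is_encrypted(port_keyed, a, b, sport, GENEVE_PORT, True),
        "endpoint_only/unpatched": tunnel_is_encrypted(endpoint_only, a, b, sport, GENEVE_PORT, False),
        "endpoint_only/patched": tunnel_is_encrypted(endpoint_only, a, b, sport, GENEVE_PORT, True),
    }


if __name__ == "__main__":
    for case, encrypted in demo().items():
        print(f"{case:26s} -> {'ESP' if encrypted else 'CLEARTEXT'}")
```

Running it reports CLEARTEXT for the port-keyed policy on the unpatched kernel and ESP for the other three cases, which is the whole bug in one table: the policy was correct, the flow key handed to it was not. It also shows why a policy keyed on the endpoint addresses alone kept protecting the tunnel on unpatched kernels.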
Attack Vector
The attack vector for this vulnerability is network-based and does not require authentication or user interaction. An attacker must be positioned on the network path between two Geneve endpoints to exploit this vulnerability. The attack methodology involves:
- Identifying Geneve tunnel endpoints within the target network infrastructure
- Positioning network capture capabilities between the endpoints (e.g., through ARP spoofing, rogue network device, or compromised intermediate router)
- Passively capturing traffic on the Geneve UDP port (default 6081)
- Reading the unencrypted tunnel payload data that should have been protected by IPsec
The attack is passive: no packets need to be injected, so the attacker leaves no trace in the traffic and intrusion detection tuned to malicious packets will not fire. What is observable is the cleartext Geneve traffic itself, which is why the detection methods below concentrate on confirming that ESP, not UDP port 6081, is what appears on the wire.
Detection Methods for CVE-2020-25645
Indicators of Compromise
- Unencrypted traffic observed on Geneve UDP port 6081 when IPsec encryption should be active
- ESP (Encapsulating Security Payload) headers missing from Geneve tunnel traffic despite IPsec policy configuration
- Network monitoring alerts indicating cleartext transmission of virtual network overlay traffic
- Unexpected plaintext data visible in packet captures between Geneve tunnel endpoints
Detection Strategies
- Deploy network monitoring to analyze traffic patterns between known Geneve endpoints and verify ESP encapsulation is present
- Implement packet inspection rules to detect cleartext Geneve traffic on UDP port 6081 when IPsec is configured
- Audit kernel versions across the infrastructure; upstream the fix landed in 5.9-rc7, but distribution kernels backport it under their own version strings, so compare against the vendor advisory rather than the bare `uname -r` output
- Use kernel package version detection in vulnerability scanning tools to flag affected systems
Monitoring Recommendations
- Watch the IPsec SA counters (`ip -s xfrm state`, which shows current bytes and packets per SA) while Geneve traffic flows; if the tunnel is carrying data but the SA counters stay flat, the policy is not being applied to that traffic
- Configure network intrusion detection systems (IDS) to alert on unencrypted Geneve tunnel payloads
- Implement continuous kernel version monitoring across containerized and virtualized infrastructure
- Deploy SentinelOne Singularity Platform for real-time kernel vulnerability detection and runtime protection
How to Mitigate CVE-2020-25645
Immediate Actions Required
- Update to a kernel that contains the fix: upstream 5.9-rc7 or later, or a stable or distribution kernel carrying the backport of "geneve: add transport ports in route lookup for geneve", and reboot into it, since the change is in the kernel's Geneve driver
- Apply vendor-specific patches from Debian, Ubuntu, openSUSE, or other distribution maintainers
- Review and verify IPsec configurations for Geneve tunnel deployments
- Implement network segmentation to limit exposure of Geneve tunnel traffic to untrusted network segments
- Consider temporary use of application-layer encryption (e.g., TLS) for sensitive workloads until patching is complete
Patch Information
The vulnerability is addressed in Linux kernel version 5.9-rc7 and subsequent releases. Multiple Linux distributions have released security updates addressing this issue:
- Debian: Security advisory DSA-4774 provides patched packages for affected Debian releases
- Ubuntu: Canonical has released updates for Ubuntu 14.04 ESM, 16.04 LTS, 18.04 LTS, and 20.04 LTS
- openSUSE: Security announcements available for Leap 15.1 and 15.2 with updated kernel packages
- NetApp: Advisory NTAP-20201103-0004 details affected NetApp products and remediation
- Red Hat: Bug tracking and patch information available via Red Hat Bugzilla Report
- Kernel Live Patch: Canonical's Livepatch Security Notice LSN-0074-1 (as published via Packet Storm) covers supported Ubuntu systems without a reboot
Workarounds
- Re-key the IPsec policy on the tunnel endpoints rather than on the Geneve UDP port: a selector with no sport/dport (for example `src <A>/32 dst <B>/32 dir out`) is matched even by unpatched kernels, because only the port fields were missing from the Geneve flow key; confirm with tcpdump that ESP replaces UDP 6081 on the wire
- Deploy network access controls to restrict which hosts can communicate over Geneve tunnels
- Use alternative tunneling protocols that properly integrate with IPsec until the kernel is patched
- Isolate Geneve tunnel endpoints on dedicated, trusted network segments to minimize interception risk
# Verify current kernel version (upstream fix: 5.9-rc7; distribution kernels may carry the backport under an older version string, so compare with the vendor advisory)
uname -r
# Check for available kernel updates (Debian/Ubuntu)
apt update && apt list --upgradable 2>/dev/null | grep linux-image
# Apply kernel updates (Debian/Ubuntu): upgrade the kernel metapackage so the new ABI version is installed, then reboot into it
apt install --only-upgrade linux-image-amd64     # Debian
apt install --only-upgrade linux-image-generic   # Ubuntu (HWE kernels use their own metapackage)
# List IPsec policies keyed on the Geneve UDP port; these are the selectors an unpatched kernel fails to match for Geneve traffic (-A1 shows the policy direction)
ip xfrm policy show | grep -A1 "sport 6081\|dport 6081"
# Confirm on the wire (replace eth0 with the underlay interface): a protected link shows only ESP, never UDP port 6081 in the clear
tcpdump -nn -i eth0 'udp port 6081 or esp'
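The detection strategies above and the commands just listed reduce to three checks: is the kernel old enough to matter, which installed policies key on the Geneve port, and does the wire carry ESP or cleartext UDP 6081. The following helper (an added example for this page, not a SentinelOne tool and not part of the original advisory) runs those checks offline over saved `uname -r`, `ip xfrm policy show` and `tcpdump -nn` output, so it can be applied to evidence collected from many hosts. The sample policy database and capture lines at the bottom are constructed, and `audit()` and the other function names are chosen here:

```python
"""Offline audit helpers for CVE-2020-25645 exposure.

Added example, not a vendor or kernel tool. Works on the saved text output
of:  uname -r  |  ip xfrm policy show  |  tcpdump -nn -i <if> 'udp port 6081 or esp'
The SAMPLE_* inputs at the bottom are constructed for demonstration.
"""
import re

GENEVE_PORT = 6081
# tcpdump -nn prints "src.port > dst.port:"; we look for destination port 6081.
GENEVE_DST_RE = re.compile(r" > \d{1,3}(?:\.\d{1,3}){3}\.%d: " % GENEVE_PORT)


def kernel_has_upstream_fix(release: str) -> bool:
    """True if the release string is upstream 5.9-rc7 or newer.

    Caveat: distribution kernels backport fixes without bumping the version,
    so False means 'check the vendor changelog', not 'vulnerable'.
    """
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised release string: {release!r}")
    major, minor = int(m.group(1)), int(m.group(2))
    rc = int(m.group(4)) if m.group(4) else None
    if (major, minor) != (5, 9):
        return (major, minor) > (5, 9)
    return rc is None or rc >= 7          # 5.9 final or 5.9-rc7+


def port_keyed_out_policies(xfrm_policy_text: str) -> list:
    """Selectors of 'dir out' policies that key on UDP port 6081.

    These are the policies an unpatched kernel never matched for Geneve
    traffic (its flow key carried no ports). Endpoint-only selectors are
    unaffected and are not reported.
    """
    found, selector = [], None
    for line in xfrm_policy_text.splitlines():
        s = line.strip()
        if s.startswith("src "):          # first line of a policy: the selector
            selector = s
        elif s.startswith("dir ") and selector is not None:
            if s.split()[1] == "out" and re.search(rf"\b[sd]port {GENEVE_PORT}\b", selector):
                found.append(selector)
            selector = None
    return found


def classify_capture(tcpdump_lines) -> dict:
    """Count cleartext Geneve vs ESP packets in `tcpdump -nn` output lines.

    With the filter 'udp port 6081 or esp' a protected link yields only ESP
    lines; any line with destination port 6081 is overlay traffic in the clear.
    """
    counts = {"cleartext_geneve": 0, "esp": 0, "other": 0}
    for line in tcpdump_lines:
        if "ESP(spi=" in line:            # also matches "UDP-encap: ESP(spi=" (NAT-T)
            counts["esp"] += 1
        elif GENEVE_DST_RE.search(line):
            counts["cleartext_geneve"] += 1
        else:
            counts["other"] += 1
    return counts


def audit(release: str, xfrm_policy_text: str, tcpdump_lines) -> dict:
    capture = classify_capture(tcpdump_lines)
    return {
        "upstream_fix_present": kernel_has_upstream_fix(release),
        "port_keyed_out_policies": port_keyed_out_policies(xfrm_policy_text),
        "capture": capture,
        "cleartext_on_wire": capture["cleartext_geneve"] > 0,
    }


# Constructed sample inputs (not a real host's output).
SAMPLE_RELEASE = "5.4.0-48-generic"
SAMPLE_XFRM_POLICY = """\
src 10.0.0.1/32 dst 10.0.0.2/32 proto udp dport 6081
    dir out priority 0 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.2
        proto esp reqid 1 mode transport
src 10.0.0.2/32 dst 10.0.0.1/32 proto udp dport 6081
    dir in priority 0 ptype main
    tmpl src 10.0.0.2 dst 10.0.0.1
        proto esp reqid 2 mode transport
src 10.0.0.1/32 dst 10.0.0.3/32
    dir out priority 0 ptype main
    tmpl src 10.0.0.1 dst 10.0.0.3
        proto esp reqid 3 mode transport
"""
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 10.0.0.1.49152 > 10.0.0.2.6081: Geneve, Flags [none], vni 0x64, proto TEB (0x6558)",
    "12:00:01.000002 IP 10.0.0.1 > 10.0.0.3: ESP(spi=0x00001003,seq=0x1), length 132",
]

if __name__ == "__main__":
    import json
    print(json.dumps(audit(SAMPLE_RELEASE, SAMPLE_XFRM_POLICY, SAMPLE_CAPTURE), indent=2))
```

Treat `upstream_fix_present == False` as a prompt to check the vendor changelog, not as proof of exposure: Debian, Ubuntu, openSUSE and NetApp all shipped the fix under their own version strings. A non-empty `port_keyed_out_policies` list together with `cleartext_on_wire == True` is the confirming pair; in the constructed sample the policy towards 10.0.0.2 is port-keyed and its traffic shows up unencrypted, while the endpoint-only policy towards 10.0.0.3 is honoured and only ESP is seen.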
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


