CVE-2021-41103: Merge pull request from GHSA-c2h3-6mxw-7mvq · containerd/containerd@5b46e40

containerd is an open source container runtime with an emphasis on simplicity, robustness and portability. A bug was found in containerd where container root directories and some plugins had insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. When the UID of an unprivileged Linux user on the host collided with the file owner or group inside a container, the unprivileged Linux user on the host could discover, read, and modify those files. This vulnerability has been fixed in containerd 1.4.11 and containerd 1.5.7. Users should update to these versions when they are released; restarting containers or updating directory permissions may also be needed to mitigate the vulnerability for bundles that already exist. Users unable to update should limit host access to trusted users and tighten the permissions on container bundle directories.
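The audit and the "update directory permissions" mitigation described above, as an added example in Go that is not containerd's own code. It reads a bundle's config.json, derives the post-fix policy that the commit's tests on this page assert (0700 without a user namespace; 0710 with the group set to the host GID that container GID 0 maps to) and reports, or applies, the deviation. The types idMapping and ociSpec are a hand-written subset of the OCI runtime spec, and bundlePolicy, auditBundleDir and fixBundleDir are names chosen here, not project APIs; the group check uses syscall.Stat_t, so the program is Unix-only. One deliberate difference from the page's remappedGID test, which expects host GID 0 when no mapping covers container GID 0: this version treats that as an error so the directory is never silently handed to group root.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"syscall"
)

// Hand-written subset of the OCI runtime spec: enough to read linux.gidMappings.
type idMapping struct {
	ContainerID uint32 `json:"containerID"`
	HostID      uint32 `json:"hostID"`
}
type ociSpec struct {
	Linux *struct {
		GIDMappings []idMapping `json:"gidMappings"`
	} `json:"linux"`
}

type policy struct {
	Mode os.FileMode // 0700, or 0710 when a remapped group must be able to enter
	GID  int         // host group the dir must belong to; -1 means do not check
}

// bundlePolicy derives the expected state from config.json: owner-only without GID
// mappings; 0710 owned by the host GID that container GID 0 maps to with them.
func bundlePolicy(specJSON []byte) (policy, error) {
	var s ociSpec
	if err := json.Unmarshal(specJSON, &s); err != nil {
		return policy{}, err
	}
	if s.Linux == nil || len(s.Linux.GIDMappings) == 0 {
		return policy{Mode: 0o700, GID: -1}, nil
	}
	for _, m := range s.Linux.GIDMappings {
		if m.ContainerID == 0 { // only a range starting at 0 covers container GID 0
			return policy{Mode: 0o710, GID: int(m.HostID)}, nil
		}
	}
	return policy{}, fmt.Errorf("gidMappings present but none covers container GID 0")
}

// auditBundleDir lists each way dir's permission bits or group deviate from policy.
func auditBundleDir(dir string, specJSON []byte) ([]string, error) {
	p, err := bundlePolicy(specJSON)
	if err != nil {
		return nil, err
	}
	fi, err := os.Stat(dir)
	if err != nil {
		return nil, err
	}
	var problems []string
	perm := fi.Mode().Perm()
	if perm != p.Mode { // e.g. 0755: any local user can traverse the bundle
		problems = append(problems, fmt.Sprintf("%s: mode %#o, expected %#o", dir, perm, p.Mode))
	}
	if st, ok := fi.Sys().(*syscall.Stat_t); ok && p.GID >= 0 && int(st.Gid) != p.GID {
		problems = append(problems, fmt.Sprintf("%s: group %d, expected remapped host GID %d", dir, st.Gid, p.GID))
	}
	return problems, nil
}

// fixBundleDir applies the policy; the chown to a foreign group needs CAP_CHOWN (root).
func fixBundleDir(dir string, specJSON []byte) error {
	p, err := bundlePolicy(specJSON)
	if err != nil {
		return err
	}
	if err := os.Chmod(dir, p.Mode); err != nil {
		return err
	}
	if p.GID >= 0 {
		return os.Chown(dir, -1, p.GID)
	}
	return nil
}

// Usage: bundle-audit <bundle-dir>; reads <bundle-dir>/config.json, exits 1 on findings.
func main() {
	dir := os.Args[len(os.Args)-1]
	spec, err := os.ReadFile(dir + "/config.json")
	var problems []string
	if err == nil {
		problems, err = auditBundleDir(dir, spec)
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(2)
	}
	for _, problem := range problems {
		fmt.Println(problem)
	}
	if len(problems) > 0 {
		os.Exit(1)
	}
}
```

Run it as root against each bundle directory the runtime has created (the location depends on the containerd state directory of the install); a non-empty report is the pre-fix state, and fixBundleDir is the stop-gap for bundles that must stay up until the host moves to 1.4.11 or 1.5.7. Group traversal (0710) rather than group read is enough for a remapped root to enter the directory while still hiding its listing.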


@@ -0,0 +1,166 @@ //go:build linux // +build linux
/* Copyright The containerd Authors. Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. */
package linux
import ( “encoding/json” “fmt” “io/ioutil” “os” “path/filepath” “strconv” “syscall” “testing”
“github.com/containerd/containerd/oci” “github.com/containerd/continuity/testutil” “github.com/opencontainers/runtime-spec/specs-go” )
func TestNewBundle(t *testing.T) { testutil.RequiresRoot(t) tests := []struct { userns bool }{{ userns: false, }, { userns: true, }} const usernsGID = 4200
for i, tc := range tests { t.Run(strconv.Itoa(i), func(t *testing.T) { dir, err := ioutil.TempDir("", “test-new-bundle”) if err != nil { t.Fatal("failed to create test directory", err) } defer os.RemoveAll(dir) work := filepath.Join(dir, “work”) state := filepath.Join(dir, “state”) id := fmt.Sprintf("new-bundle-%d", i) spec := oci.Spec{} if tc.userns { spec.Linux = &specs.Linux{ GIDMappings: []specs.LinuxIDMapping{{ContainerID: 0, HostID: usernsGID}}, } } specBytes, err := json.Marshal(&spec) if err != nil { t.Fatal("failed to marshal spec", err) }
b, err := newBundle(id, work, state, specBytes) if err != nil { t.Fatal("newBundle should succeed", err) } if b == nil { t.Fatal(“bundle should not be nil”) }
fi, err := os.Stat(b.path) if err != nil { t.Error("should be able to stat bundle path", err) } if tc.userns { if fi.Mode() != os.ModeDir|0710 { t.Error(“bundle path should be a directory with perm 0710”) } } else { if fi.Mode() != os.ModeDir|0700 { t.Error(“bundle path should be a directory with perm 0700”) } } stat, ok := fi.Sys().(*syscall.Stat_t) if !ok { t.Fatal(“should assert to *syscall.Stat_t”) } expectedGID := uint32(0) if tc.userns { expectedGID = usernsGID } if stat.Gid != expectedGID { t.Error("gid should match", expectedGID, stat.Gid) } }) } }
func TestRemappedGID(t *testing.T) { tests := []struct { spec oci.Spec gid uint32 }{{ // empty spec spec: oci.Spec{}, gid: 0, }, { // empty Linux section spec: oci.Spec{ Linux: &specs.Linux{}, }, gid: 0, }, { // empty ID mappings spec: oci.Spec{ Linux: &specs.Linux{ GIDMappings: make([]specs.LinuxIDMapping, 0), }, }, gid: 0, }, { // valid ID mapping spec: oci.Spec{ Linux: &specs.Linux{ GIDMappings: []specs.LinuxIDMapping{{ ContainerID: 0, HostID: 1000, }}, }, }, gid: 1000, }, { // missing ID mapping spec: oci.Spec{ Linux: &specs.Linux{ GIDMappings: []specs.LinuxIDMapping{{ ContainerID: 100, HostID: 1000, }}, }, }, gid: 0, }}
for i, tc := range tests { t.Run(strconv.Itoa(i), func(t *testing.T) { s, err := json.Marshal(tc.spec) if err != nil { t.Fatal("failed to marshal spec", err) } gid, err := remappedGID(s) if err != nil { t.Error("should unmarshal successfully", err) } if gid != tc.gid { t.Error("expected GID to match", tc.gid, gid) } }) } }
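Review bot: In TestNewBundle the os.Stat failure is reported with t.Error and execution continues into fi.Mode(), which dereferences a nil FileInfo and panics instead of failing the subtest cleanly; make that `t.Fatal("should be able to stat bundle path", err)`. The same applies to the remappedGID error in TestRemappedGID: after `t.Error("should unmarshal successfully", err)` the gid comparison that follows is meaningless, so t.Fatal is the right call there too.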

Related news

Gentoo Linux Security Advisory 202401-31

Gentoo Linux Security Advisory 202401-31 - Multiple vulnerabilities have been found in containerd, the worst of which could result in privilege escalation. Versions prior to 1.6.14 are affected.

CVE-2023-28069: DSA-2022-258: Dell Streaming Data Platform Security Update for Multiple Third-Party Component Vulnerabilities

Dell Streaming Data Platform prior to 1.4 contains an Open Redirect vulnerability. An attacker with the same privileges as a legitimate user can phish the legitimate user into following a redirect to a malicious website, leading to information disclosure and further phishing attacks.

Red Hat Security Advisory 2022-6517-01

Red Hat Security Advisory 2022-6517-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview.

RHSA-2022:6517: Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-41103: containerd: insufficiently restricted permissions on container root and plugin directories
* CVE-2022-30631: golang: compress/gzip: stack exhaustion in Reader.Read

Red Hat Security Advisory 2022-5673-01

Red Hat Security Advisory 2022-5673-01 - Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. Issues addressed include a code execution vulnerability.

RHSA-2022:5673: Red Hat Security Advisory: Release of containers for OSP 16.2.z director operator tech preview

Red Hat OpenStack Platform 16.2 (Train) director operator containers, with several Important security fixes, are available for technology preview. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.

Related CVEs:
* CVE-2021-41103: containerd: insufficiently restricted permissions on container root and plugin directories
* CVE-2021-43565: golang.org/x/crypto: empty plaintext packet causes panic
* CVE-2022-26945: go-getter: command injection vulnerability
* CVE-2022-30321: go-getter: unsafe download (issue 1 of 3)
* CVE-2022-30322: go-getter: unsafe download (issue 2 of 3)
* CVE-2022-30323: go-getter: unsafe download (issue 3 of 3)

CVE-2022-29085: DSA-2022-021: Dell Unity, Dell UnityVSA, and Dell Unity XT Security Update for Multiple Vulnerabilities

Dell Unity, Dell UnityVSA, and Dell Unity XT versions prior to 5.2.0.0.5.173 contain a plain-text password storage vulnerability when certain off-array tools are run on the system. The credentials of a user with high privileges are stored in plain text. A local malicious user with high privileges may use the exposed password to gain access with the privileges of the compromised user.

CVE-2021-21285: Docker Engine release notes

In Docker before versions 19.03.15 and 20.10.3, pulling an intentionally malformed Docker image manifest crashes the dockerd daemon. Versions 19.03.15 and 20.10.3 contain patches that prevent the daemon from crashing.
