Headline
GHSA-g2j6-57v7-gm8c: runc AppArmor bypass with symlinked /proc
Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc
inside the container is symlinked with a specific mount configuration.
Patches
Fixed in runc v1.1.5, by prohibiting symlinked /proc
: https://github.com/opencontainers/runc/pull/3785
This PR fixes CVE-2023-27561 as well.
Workarounds
Avoid using an untrusted container image.
Package
gomod github.com/opencontainers/runc (Go)
Affected versions
< 1.1.5
Patched versions
1.1.5
Description
Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.
Patches
Fixed in runc v1.1.5, by prohibiting symlinked /proc: opencontainers/runc#3785
This PR fixes CVE-2023-27561 as well.
Workarounds
Avoid using an untrusted container image.
References
- GHSA-g2j6-57v7-gm8c
- https://nvd.nist.gov/vuln/detail/CVE-2023-28642
- opencontainers/runc#3785
cyphar published to opencontainers/runc
Mar 29, 2023
Published by the National Vulnerability Database
Mar 29, 2023
Published to the GitHub Advisory Database
Mar 30, 2023
Reviewed
Mar 30, 2023
Last updated
Mar 30, 2023
Related news
Gentoo Linux Security Advisory 202408-25 - Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.1.12 are affected.
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Ubuntu Security Notice 6088-1 - It was discovered that runC incorrectly made /sys/fs/cgroup writable when in rootless mode. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly handled /proc and /sys mounts inside a container. An attacker could possibly use this issue to bypass AppArmor, and potentially SELinux.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image.