Headline
GHSA-m8cg-xc2p-r3fc: rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc
Impact
It was found that rootless runc makes /sys/fs/cgroup
writable in following conditons:
- when runc is executed inside the user namespace, and the
config.json
does not specify the cgroup namespace to be unshared (e.g…,(docker|podman|nerdctl) run --cgroupns=host
, with Rootless Docker/Podman/nerdctl) - or, when runc is executed outside the user namespace, and
/sys
is mounted withrbind, ro
(e.g.,runc spec --rootless
; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/...
on the host .
Other users’s cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
- Condition 1: Unshare the cgroup namespace (
(docker|podman|nerdctl) run --cgroupns=private)
. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. - Condition 2 (very rare): add
/sys/fs/cgroup
tomaskedPaths
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-25809
rootless: `/sys/fs/cgroup` is writable when cgroupns isn’t unshared in runc
Low severity GitHub Reviewed Published Mar 29, 2023 in opencontainers/runc • Updated Mar 30, 2023
Package
gomod github.com/opencontainers/runc (Go)
Affected versions
< 1.1.5
Impact
It was found that rootless runc makes /sys/fs/cgroup writable in following conditons:
- when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g…, (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)
- or, when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare)
A container may gain the write access to user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/… on the host .
Other users’s cgroup hierarchies are not affected.
Patches
v1.1.5 (planned)
Workarounds
- Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
- Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths
References
- GHSA-m8cg-xc2p-r3fc
- https://nvd.nist.gov/vuln/detail/CVE-2023-25809
- opencontainers/runc@0d62b95
Published to the GitHub Advisory Database
Mar 30, 2023
Last updated
Mar 30, 2023
Related news
Gentoo Linux Security Advisory 202408-25 - Multiple vulnerabilities have been discovered in runc, the worst of which could lead to privilege escalation. Versions greater than or equal to 1.1.12 are affected.
Docker Desktop before 4.23.0 allows Access Token theft via a crafted extension icon URL. This issue affects Docker Desktop: before 4.23.0.
Docker Desktop before 4.12.0 is vulnerable to RCE via a crafted extension description or changelog. This issue affects Docker Desktop: before 4.12.0.
Dell VxRail, version(s) 8.0.100 and earlier contain a denial-of-service vulnerability in the upgrade functionality. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to degraded performance and system malfunction.
Ubuntu Security Notice 6088-1 - It was discovered that runC incorrectly made /sys/fs/cgroup writable when in rootless mode. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly handled /proc and /sys mounts inside a container. An attacker could possibly use this issue to bypass AppArmor, and potentially SELinux.
Red Hat Security Advisory 2023-1326-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution designed for on-premise or private cloud deployments. This advisory contains the container images for Red Hat OpenShift Container Platform 4.13.0. Issues addressed include bypass, denial of service, information leakage, out of bounds read, and remote SQL injection vulnerabilities.
Red Hat OpenShift Container Platform release 4.13.0 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.13. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-4235: A flaw was found in go-yaml. This issue occurs due to unbounded alias chasing, where a maliciously crafted YAML file can cause the system to consume significant system resources. If p...
runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. Users unable to upgrade may unshare the cgroup namespace (`(docker|podman|nerdctl) run --cgroupns=private)`. This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts. or add `/sys/fs/cgroup` to `m...