Bug 1018892 – VUL-0: CVE-2016-10124: lxc: escape to parent session via TIOCSTI ioctl in lxc-attach

Bug 1018892 - (CVE-2016-10124) VUL-0: CVE-2016-10124: lxc: escape to parent session via TIOCSTI ioctl in lxc-attach

(CVE-2016-10124)
Summary:	VUL-0: CVE-2016-10124: lxc: escape to parent session via TIOCSTI ioctl in lxc...

Status:	RESOLVED WONTFIX

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Assigned To:	Cédric Bosdonnat
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/178335/
Whiteboard:	CVSSv2:SUSE:CVE-2016-10124:4.6:(AV:L/...
Keywords:

Depends on:	CVE-2016-2779
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2017-01-09 15:31 UTC by Andreas Stieger
Modified:	2017-07-28 14:51 UTC (History)
CC List:	6 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Stieger 2017-01-09 15:31:55 UTC

lxec when executing a program via lxc-attach, a nonpriv session can escape to the parent session by using the TIOCSTI ioctl to push characters into the terminal's input buffer, allowing an attacker to escape the container.

https://github.com/lxc/lxc/pull/825
https://github.com/lxc/lxc/commit/cee1de17853511bea4e7e0a99de3649b5eed176e

optional:
https://github.com/lxc/lxc/pull/835
https://github.com/lxc/lxc/commit/82d97f87655222524ad583033b0ec9b778e2ddbc


related:
https://github.com/lxc/lxc/pull/839
https://github.com/lxc/lxc/commit/b5c8400909b863bd4b260fa45a947f652c83d5fd

related?
https://github.com/lxc/lxc/pull/849
https://github.com/lxc/lxc/commit/ad6ea0348c1476a9c57bdd6e25ddb08728a5453a


doc:
https://github.com/lxc/lxc/commit/e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6
https://github.com/lxc/lxc/commit/b5c8400909b863bd4b260fa45a947f652c83d5fd


References:
https://bugzilla.redhat.com/show_bug.cgi?id=1411256
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-10124
https://github.com/lxc/lxc/commit/e986ea3dfa4a2957f71ae9bfaed406dd6e1ffff6

Comment 1 Swamp Workflow Management 2017-01-09 23:00:51 UTC

bugbot adjusting priority

Comment 2 Cédric Bosdonnat 2017-01-10 08:20:23 UTC

There is way too much difference between lxc master and our latest supported version (0.8.0) in SLES. This series can't be backported.

Comment 3 Marcus Meissner 2017-01-13 08:53:47 UTC

we have several TIOCSTI bugs ... bug 968674  is the one with some thoughts on how to address it. 

But there is no good solution at this time in general.

Comment 4 Marcus Meissner 2017-01-13 08:56:02 UTC

The part
setsid();
if (ioctl(slave, TIOCSCTTY, NULL) < 0)

would be the core of the fix... so there is an approach, just the patch is very large :/

Comment 5 Cédric Bosdonnat 2017-03-24 08:38:56 UTC

Andreas, I'm not planning to backport such a giant thing to the super old lxc that we have on SLE 11. It would be rather risky and complex. Could this bug be closed?

Comment 6 Johannes Segitz 2017-03-29 13:03:30 UTC

(In reply to Cédric Bosdonnat from comment #5)
No, unfortunately not. It's supported, so we need to fix it. Maybe we can go the route that Marcus proposed and use a minimal patch?

Comment 7 Johannes Kastl 2017-04-10 06:10:47 UTC

I'll prepare packages for openSUSE in the meantime, but my last submit request is still open...

Comment 10 Johannes Segitz 2017-07-28 12:35:57 UTC

This scenario is not supported in SLE 11 (see release notes) and fixing it would be a major effort and a high risk of introducing regression.s