Bug 1100331 (CVE-2018-10892) - VUL-1: CVE-2018-10892: docker: container breakout without selinux in enforcing mode
Status: RESOLVED FIXED
Alias: CVE-2018-10892
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Build Containers Team OBS User
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/209639/
Whiteboard: CVSSv3:SUSE:CVE-2018-10892:6.3:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-07-06 04:47 UTC by Marcus Meissner
Modified: 2020-06-11 12:19 UTC
CC List: 6 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2018-07-06 04:47:00 UTC
via rh bug

The default OCI Linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify the host's hardware, like enabling/disabling Bluetooth or turning keyboard brightness up/down.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1598581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10892
Comment 1 Valentin Rothberg 2018-07-06 08:02:58 UTC
We are protected against this bug by the default AppArmor profile of Docker. We will monitor what upstream does and may backport the patch.
Comment 2 Aleksa Sarai 2018-07-06 08:23:55 UTC
The default AppArmor profile (which is applied in enforcing mode) appears to defend against this attack (in fact it protects against writes to all files in /proc that aren't inside /proc/<pid> or /proc/sys):

  % docker run --rm -it opensuse/tumbleweed bash
  # echo > /proc/acpi/wakeup 
  bash: /proc/acpi/wakeup: Permission denied

I believe the reason why RH considers this to be a problem is because they don't have AppArmor on RHEL (since you can only use a single LSM at a time). So if you disable SELinux there's no protection.

I've found that you can actually 'touch' the files in /proc/acpi but I don't believe this is a security problem (though maybe allowing chtimes is a bug in AppArmor).
Comment 3 Aleksa Sarai 2018-07-06 10:47:17 UTC
(In reply to Valentin Rothberg from comment #1)
> We are protected against this bug by the default appArmor profile of Docker.
> We will monitor what upstream does and may backport the patch.

https://github.com/moby/moby/pull/37404 is the patch. Basically it just does the obvious thing and adds /proc/acpi to maskedPaths.
Comment 4 Aleksa Sarai 2018-07-09 04:11:08 UTC
There is also a separate (unrelated) patch to mask /proc/keys[1]. I really don't like how the masking implementation is a blacklist because it just leads to this type of silly CVE race (we had /proc/scsi just a few months ago). The default AppArmor profile defends against this too, but it should be noted when we backport this we should also backport [1].

(As an aside, "container breakout" is not the correct term for this vulnerability as there's no host-side code execution. But that's water under the bridge.)

[1]: https://github.com/moby/moby/pull/36368
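As an added example (editor's code, not Moby's and not part of any comment on this bug), the following Go program makes the manual check from comment 2 and the maskedPaths discussion in comments 3 and 4 mechanical: it parses /proc/self/mountinfo as it appears from inside a container and reports which of the paths Docker is expected to mask are in fact unmasked. Two assumptions: the expected list is this example's reconstruction of Moby's maskedPaths after moby/moby#37404 (/proc/acpi) and moby/moby#36368 (/proc/keys), not a copy of oci/defaults.go, and the embedded mountinfo text is constructed, modelled on a container started by a daemon without the fix.

```go
package main

import (
	"fmt"
	"os"
	"strings"
)

// expectedMasked is this example's reconstruction (an assumption, not a copy
// of oci/defaults.go) of Moby's maskedPaths after PRs 37404 and 36368.
var expectedMasked = []string{
	"/proc/asound", "/proc/acpi", "/proc/kcore", "/proc/keys",
	"/proc/latency_stats", "/proc/timer_list", "/proc/timer_stats",
	"/proc/sched_debug", "/proc/scsi", "/sys/firmware",
}

// sampleMountInfo is constructed input in /proc/self/mountinfo format, modelled
// on a container from a daemon without the fix: /proc/kcore (a /dev/null bind
// mount) and /proc/scsi (a read-only tmpfs) are masked, /proc/acpi and
// /proc/keys are left alone.
const sampleMountInfo = `1000 999 0:50 / / rw,relatime - overlay overlay rw,lowerdir=/l/A:/l/B
1001 1000 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
1003 1001 0:53 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
1004 1001 0:54 / /proc/scsi ro,relatime - tmpfs tmpfs ro
`

// mountEntry holds the mountinfo fields the check needs. Per proc(5) the
// fields are: mount ID, parent ID, major:minor, root, mount point, mount
// options, zero or more optional fields, "-", fstype, source, super options.
type mountEntry struct {
	Root, MountPoint, FSType string
	Options, SuperOpts       []string
}

// parseMountInfo parses mountinfo text; malformed lines are skipped.
func parseMountInfo(text string) []mountEntry {
	var entries []mountEntry
	for _, line := range strings.Split(text, "\n") {
		fields := strings.Fields(line)
		sep := -1
		for i, f := range fields {
			if f == "-" {
				sep = i
				break
			}
		}
		// Six fixed fields must precede "-" and three must follow it.
		if sep < 6 || sep+3 >= len(fields) {
			continue
		}
		entries = append(entries, mountEntry{
			Root:       fields[3],
			MountPoint: fields[4],
			Options:    strings.Split(fields[5], ","),
			FSType:     fields[sep+1],
			SuperOpts:  strings.Split(fields[sep+3], ","),
		})
	}
	return entries
}

func hasOpt(opts []string, want string) bool {
	for _, o := range opts {
		if o == want {
			return true
		}
	}
	return false
}

// isMasked reports whether path is masked the way runc masks it: /dev/null
// bind-mounted over a file (root "/null") or a read-only tmpfs over a
// directory. The last entry for a mount point wins, since later mounts
// shadow earlier ones.
func isMasked(entries []mountEntry, path string) bool {
	masked := false
	for _, e := range entries {
		if e.MountPoint != path {
			continue
		}
		masked = e.Root == "/null" ||
			(e.FSType == "tmpfs" && (hasOpt(e.Options, "ro") || hasOpt(e.SuperOpts, "ro")))
	}
	return masked
}

// unmaskedPaths returns the wanted paths that the mount table leaves unmasked.
func unmaskedPaths(mountinfo string, wanted []string) []string {
	entries := parseMountInfo(mountinfo)
	var missing []string
	for _, p := range wanted {
		if !isMasked(entries, p) {
			missing = append(missing, p)
		}
	}
	return missing
}

func main() {
	text := sampleMountInfo
	if len(os.Args) > 1 && os.Args[1] == "--live" {
		b, err := os.ReadFile("/proc/self/mountinfo") // real table inside a container
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		text = string(b)
	}
	for _, p := range unmaskedPaths(text, expectedMasked) {
		fmt.Println("NOT MASKED:", p)
	}
}
```

Run it with --live inside a container to inspect the real mount table. The check looks only at mounts, so it is independent of the LSM: on a SUSE host the AppArmor denial shown in comment 2 will still block the write even where this program reports /proc/acpi as unmasked, which is exactly the difference between the two mitigations that comment 2 describes.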
Comment 5 Johannes Segitz 2018-09-13 08:45:42 UTC
Yes, blacklisting is definitely the wrong approach. Lowering to VUL-1 due to AppArmor mitigation.
Comment 7 Aleksa Sarai 2019-04-23 08:45:33 UTC
The fix for this is in the 18.09.x update (though it looks like we didn't include the CVE for it in the changelog because it was mitigated by the default configuration). I will send an update to the docker changelog to include the reference, but this can be closed.
Comment 12 Swamp Workflow Management 2019-08-13 16:10:34 UTC
SUSE-SU-2019:2117-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    containerd-1.2.6-5.16.1, containerd-kubic-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-kubic-19.03.1_ce-6.26.2, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15 (src):    containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Swamp Workflow Management 2019-08-13 16:13:22 UTC
SUSE-SU-2019:2119-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1100331,1121967,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE CaaS Platform 3.0 (src):    containerd-kubic-1.2.6-16.23.1, docker-kubic-19.03.1_ce-98.46.1, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1

Comment 14 Swamp Workflow Management 2019-08-29 22:13:35 UTC
openSUSE-SU-2019:2021-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
openSUSE Leap 15.1 (src):    containerd-1.2.6-lp151.2.6.1, docker-19.03.1_ce-lp151.2.12.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1
openSUSE Leap 15.0 (src):    containerd-1.2.6-lp150.4.17.1, docker-19.03.1_ce-lp150.5.27.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.25.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp150.3.18.1
Comment 15 Flavio Castelli 2019-09-23 08:27:25 UTC
This can be closed now