Bugzilla – Bug 1100331
VUL-1: CVE-2018-10892: docker: container breakout without selinux in enforcing mode
Last modified: 2020-06-11 12:19:19 UTC
via rh bug The default OCI linux spec in oci/defaults{_linux}.go in Docker/Moby from 1.11 to current does not block /proc/acpi pathnames. The flaw allows an attacker to modify host's hardware like enabling/disabling bluetooth or turning up/down keyboard brightness.
References:
https://bugzilla.redhat.com/show_bug.cgi?id=1598581
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-10892
We are protected against this bug by the default AppArmor profile of Docker. We will monitor what upstream does and may backport the patch.
The default AppArmor profile (which is applied in enforcing mode) appears to defend against this attack (in fact it protects against writes to all files in /proc that aren't inside /proc/<pid> or /proc/sys):

% docker run --rm -it opensuse/tumbleweed bash
# echo > /proc/acpi/wakeup
bash: /proc/acpi/wakeup: Permission denied

I believe the reason why RH considers this to be a problem is because they don't have AppArmor on RHEL (since you can only use a single LSM at a time). So if you disable SELinux there's no protection. I've found that you can actually 'touch' the files in /proc/acpi but I don't believe this is a security problem (though maybe allowing chtimes is a bug in AppArmor).
(In reply to Valentin Rothberg from comment #1)
> We are protected against this bug by the default appArmor profile of Docker.
> We will monitor what upstream does and may backport the patch.

https://github.com/moby/moby/pull/37404 is the patch. Basically it just does the obvious thing and adds /proc/acpi to maskedPaths.
There is also a separate (unrelated) patch to mask /proc/keys[1]. I really don't like how the masking implementation is a blacklist because it just leads to this type of silly CVE race (we had /proc/scsi just a few months ago). The default AppArmor profile defends against this too, but it should be noted when we backport this we should also backport [1].

(As an aside, "container breakout" is not the correct term for this vulnerability as there's no host-side code execution. But that's water under the bridge.)

[1]: https://github.com/moby/moby/pull/36368
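A check a packager or operator could run against a runtime's config.json, as an added example (not code from Moby or from the patches linked above): it reports which of the /proc entries discussed in this thread the spec's maskedPaths leaves unmasked, treating a masked parent directory as covering its children. The required list and the sample spec are assumptions for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// requiredMasked: the /proc entries this thread discusses, namely /proc/acpi
// (CVE-2018-10892, moby PR 37404), /proc/keys (moby PR 36368) and /proc/scsi.
var requiredMasked = []string{"/proc/acpi", "/proc/keys", "/proc/scsi"}

// ociSpec is the subset of an OCI runtime config.json this check reads.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// covered reports whether path equals a masked entry or lies beneath a masked directory.
func covered(path string, masked []string) bool {
	for _, m := range masked {
		if path == m || strings.HasPrefix(path, m+"/") {
			return true
		}
	}
	return false
}

// missingMaskedPaths parses a config.json and returns the required entries it leaves unmasked.
func missingMaskedPaths(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	missing := []string{} // empty (not nil) means every required path is covered
	for _, want := range requiredMasked {
		if !covered(want, spec.Linux.MaskedPaths) {
			missing = append(missing, want)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample resembling the pre-patch default: /proc/acpi is absent.
	const sample = `{"linux":{"maskedPaths":["/proc/kcore","/proc/keys","/proc/scsi"]}}`
	missing, _ := missingMaskedPaths([]byte(sample))
	fmt.Println("unmasked:", missing) // unmasked: [/proc/acpi]
}
```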
Yes, blacklisting is definitely the wrong approach. Lowering to VUL-1 due to AppArmor mitigation.
The fix for this is in the 18.09.x update (though it looks like we didn't include the CVE for it in the changelog because it was mitigated by the default configuration). I will send an update to the docker changelog to include the reference, but this can be closed.
SUSE-SU-2019:2117-1: An update that solves four vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.6-5.16.1, containerd-kubic-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-kubic-19.03.1_ce-6.26.2, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:2119-1: An update that solves four vulnerabilities and has one errata is now available.
Category: security (important)
Bug References: 1100331,1121967,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src): containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE CaaS Platform 3.0 (src): containerd-kubic-1.2.6-16.23.1, docker-kubic-19.03.1_ce-98.46.1, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:2021-1: An update that solves four vulnerabilities and has three fixes is now available.
Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
openSUSE Leap 15.1 (src): containerd-1.2.6-lp151.2.6.1, docker-19.03.1_ce-lp151.2.12.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1
openSUSE Leap 15.0 (src): containerd-1.2.6-lp150.4.17.1, docker-19.03.1_ce-lp150.5.27.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.25.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp150.3.18.1
This can be closed now.