Bug 1177598 - (CVE-2020-15157) VUL-0: CVE-2020-15157: containerd: credentials leaking during image pull
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
https://smash.suse.de/issue/269107/
CVSSv3.1:SUSE:CVE-2020-15157:6.1:(AV:...
Reported: 2020-10-12 16:42 UTC by Wolfgang Frisch
Modified: 2022-09-19 19:25 UTC (History)
Found By: Security Response Team
Comment 4 Wolfgang Frisch 2020-10-14 11:10:25 UTC
SUSE:SLE-12:Update  Affected
SUSE:SLE-15:Update  Affected
Comment 5 Aleksa Sarai 2020-10-14 15:15:47 UTC
We don't ship cri-containerd as far as I know; containerd is only used
within the context of Docker, which means that this vulnerability
shouldn't affect us. But we can include the patch anyway.
Comment 6 Marcus Meissner 2020-10-16 05:41:19 UTC
public via oss-sec

From: "Karp, Samuel" <skarp@amazon.com>
Subject: [oss-security] CVE-2020-15157: containerd v1.2.x can be coerced into leaking credentials during image pull

Impact

If a container image manifest in the OCI Image format or Docker Image
V2 Schema 2 format includes a URL for the location of a specific image
layer (otherwise known as a “foreign layer”), the default containerd
resolver will follow that URL to attempt to download it. In v1.2.x but
not 1.3.0 or later, the default containerd resolver will provide its
authentication credentials if the server where the URL is located
presents an HTTP 401 status code along with registry-specific HTTP
headers.

If an attacker publishes a public image with a manifest that directs
one of the layers to be fetched from a web server they control and they
trick a user or system into pulling the image, they can obtain the
credentials used for pulling that image. In some cases, this may be the
user's username and password for the registry. In other cases, this may
be the credentials attached to the cloud virtual instance which can
grant access to other cloud resources in the account.

The default containerd resolver is used by the cri-containerd plugin
(which can be used by Kubernetes), the ctr development tool, and other
client programs that have explicitly linked against it.


Patches

This vulnerability has been fixed in containerd 1.2.14 [1]. containerd
1.3 and later are not affected.


Workarounds

If you are using containerd 1.3 or later, you are not affected. If you
are using cri-containerd in the 1.2 series or prior, you should ensure
you only pull images from trusted sources. Other container runtimes
built on top of containerd but not using the default resolver (such as
Docker) are not affected.


Credits

The containerd maintainers would like to thank Brad Geesaman, Josh
Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly
disclosing this issue in accordance with the containerd security policy
[2].

For further details, see 
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c

[1] https://github.com/containerd/containerd/releases/tag/v1.2.14
[2] https://github.com/containerd/project/blob/master/SECURITY.md
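A pre-pull check in the spirit of the "only pull images from trusted sources" workaround above, added here as an example and not containerd's own code: it parses an OCI or Docker Image V2 Schema 2 manifest and flags every layer `urls` entry (a "foreign layer") that would be fetched from a host other than the registry the manifest came from, which is the manifest shape the advisory describes. The sample manifest is constructed, and `registry_host` / `allowed_hosts` are assumed parameter names.

```python
import json
from urllib.parse import urlsplit

# Constructed sample manifest (Docker Image V2 Schema 2): one ordinary layer
# and one foreign layer whose URL points at a host outside the registry.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
    "config": {"mediaType": "application/vnd.docker.container.image.v1+json",
               "size": 1234, "digest": "sha256:" + "a" * 64},
    "layers": [
        {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
         "size": 5678, "digest": "sha256:" + "b" * 64},
        {"mediaType": "application/vnd.docker.image.rootfs.foreign.diff.tar.gzip",
         "size": 9012, "digest": "sha256:" + "c" * 64,
         "urls": ["https://layers.example.invalid/blob/c"]},
    ],
})


def foreign_layer_findings(manifest_json, registry_host, allowed_hosts=()):
    """Return (digest, url, reason) for every layer URL that a resolver would
    follow to a host other than the registry the manifest was pulled from.

    registry_host: host the manifest itself came from (credentials belong to it).
    allowed_hosts: extra hosts that are known-good foreign layer sources,
                   e.g. for images whose base layers legitimately live elsewhere.
    """
    manifest = json.loads(manifest_json)
    allowed = {registry_host.lower(), *(h.lower() for h in allowed_hosts)}
    findings = []
    for layer in manifest.get("layers", []):
        digest = layer.get("digest", "<no digest>")
        for url in layer.get("urls", []):
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme != "https":
                # A plaintext layer fetch exposes the blob and any auth exchange.
                findings.append((digest, url, "non-https layer URL"))
            elif host not in allowed:
                # This is the CVE-2020-15157 shape: the pull would contact a
                # third-party server chosen by whoever published the manifest.
                findings.append((digest, url, "layer URL points to an off-registry host"))
    return findings
```

Run it over manifests before they reach a 1.2.x resolver (for example in an admission or mirroring step) and refuse or quarantine any image with findings.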
Comment 10 Swamp Workflow Management 2021-02-12 11:17:37 UTC
SUSE-SU-2021:0445-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1065609,1153367,1157330,1158590,1176708,1177598,1178801,1180401,1181730,1181732
CVE References: CVE-2020-15157,CVE-2021-21284,CVE-2021-21285
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.3.9-16.35.1, docker-19.03.15_ce-98.60.2, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-1.52.1, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-03-04 08:27:24 UTC
SUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    conmon-2.0.30-150300.8.3.1, podman-3.4.4-150300.9.3.2
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1
SUSE Linux Enterprise Micro 5.1 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2

Comment 12 Swamp Workflow Management 2022-03-04 11:24:51 UTC
openSUSE-SU-2022:23018-1: An update that solves 7 vulnerabilities, contains one feature and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1188914,1193166,1193273
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602,CVE-2021-4024,CVE-2021-41190
JIRA References: SLE-22714
Sources used:
openSUSE Leap 15.3 (src):    conmon-2.0.30-150300.8.3.1, libcontainers-common-20210626-150300.8.3.1, libseccomp-2.5.3-150300.10.5.1, podman-3.4.4-150300.9.3.2
Comment 13 Wolfgang Frisch 2022-03-29 13:45:40 UTC
Released.
Comment 14 Swamp Workflow Management 2022-09-19 19:25:42 UTC
SUSE-SU-2022:3312-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1176804,1177598,1181640,1182998,1188520,1189893
CVE References: CVE-2020-14370,CVE-2020-15157,CVE-2021-20199,CVE-2021-20291,CVE-2021-3602
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Manager Retail Branch Server 4.1 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Manager Proxy 4.1 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Enterprise Storage 7 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE Enterprise Storage 6 (src):    libcontainers-common-20210626-150100.3.15.1
SUSE CaaS Platform 4.0 (src):    libcontainers-common-20210626-150100.3.15.1
