Bugzilla – Bug 1178969
VUL-0: CVE-2020-15257: containerd: Use path based unix socket for shims
Last modified: 2021-02-12 05:17:02 UTC
Created attachment 843726: containerd-1.3-Fix-CVE-2020-15257.patch
Created attachment 843727: containerd-1.4-Fix-CVE-2020-15257.patch
public via oss-sec

From: "Karp, Samuel" <skarp@amazon.com>
Subject: [oss-security] CVE-2020-15257: containerd-shim API exposed to host network containers

Impact

Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges.

Patches

This vulnerability has been fixed in containerd 1.3.9 [1] and 1.4.3 [2]. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade.

Workarounds

If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with `docker run --net=host` or `hostNetwork: true` in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to `deny unix addr=@**,` to your policy.

It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

Credits

The containerd maintainers would like to thank Jeff Dileo of NCC Group for responsibly disclosing this issue in accordance with the containerd security policy [3] and for reviewing the patch.

For further details, see https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

[1] https://github.com/containerd/containerd/releases/tag/v1.3.9
[2] https://github.com/containerd/containerd/releases/tag/v1.4.3
[3] https://github.com/containerd/project/blob/master/SECURITY.md
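An added audit check (example code written for this bug page, not from containerd or the advisory): given `docker inspect` JSON, it flags containers in the configuration the Workarounds section calls vulnerable, i.e. host network namespace plus effective UID 0, which are also the containers that need restarting after the upgrade. The sample JSON, container names and helper function names are constructed for this example.

```python
"""Audit `docker inspect` JSON for the exposure conditions in the advisory:
a container sharing the shim's (host) network namespace AND running with
effective UID 0. Example code added to this bug page; not containerd's."""
import json

# Constructed sample shaped like `docker inspect <ids>` output; container
# names, user fields and the "abc123" id are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": ""},
     "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/db", "Config": {"User": "999:999"},
     "HostConfig": {"NetworkMode": "host"}},
    {"Name": "/batch", "Config": {"User": "root"},
     "HostConfig": {"NetworkMode": "bridge"}},
    {"Name": "/sidecar", "Config": {"User": "0"},
     "HostConfig": {"NetworkMode": "container:abc123"}},
])


def runs_as_root(user: str) -> bool:
    """Config.User is "" (Docker defaults to root), "root", "0", or
    "uid[:gid]" / "name[:group]"; only the UID/name part matters here."""
    uid = user.split(":", 1)[0].strip()
    return uid in ("", "root", "0")


def shares_host_network(network_mode: str) -> bool:
    """"host" is the `docker run --net=host` case from the advisory.
    Caveat: "container:<id>" joins another container's namespace, which may
    itself be the host's (Kubernetes pods with hostNetwork: true do this via
    the pause container); that indirection is not resolved here."""
    return network_mode == "host"


def find_exposed(inspect_json: str) -> list[str]:
    """Names of containers in the vulnerable configuration. These are also
    the ones to stop and restart after upgrading containerd, since running
    containers stay vulnerable until they are restarted."""
    exposed = []
    for c in json.loads(inspect_json):
        user = c.get("Config", {}).get("User") or ""
        mode = c.get("HostConfig", {}).get("NetworkMode") or ""
        if shares_host_network(mode) and runs_as_root(user):
            exposed.append(c["Name"].lstrip("/"))
    return exposed


if __name__ == "__main__":
    for name in find_exposed(SAMPLE_INSPECT):
        print(f"{name}: host network + UID 0 -> exposed to CVE-2020-15257")
```

On a real host, feed it `docker inspect $(docker ps -q)`; with the AppArmor workaround applied the exposure is mitigated, but the check still shows which workloads rely on that policy.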
sascha can you help or assign someone?
(In reply to Marcus Meissner from comment #4)
> sascha can you help or assign someone?

To be honest I do not know to whom to assign this issue. Maybe Aleksa can help support us there? Which projects / products would be affected?
The package containerd is in the Containers Module of SLES 12 and SLES 15.

SUSE:SLE-12:Update/containerd
SUSE:SLE-15:Update/containerd

I see Aleksa submitted last, but you also did some submits.
Hi Marcus Meissner,

Could you please write a note/announcement on our website https://www.suse.com/security/cve/? Our customers asked if our product is affected by this issue; they can find the web pages of Red Hat and Ubuntu:

https://access.redhat.com/security/cve/CVE-2020-15257
https://ubuntu.com/security/CVE-2020-15257

but there is no record on our website. Thanks in advance.

Xuanke Han
I'm preparing a submission to SLE but it should be noted that triggering this bug requires explicitly disabling a significant container security feature (namely disabling network namespaces) while running a workload with uid 0. Even with this bug fixed, such a configuration is still insecure (several normal host processes use abstract unix sockets and do uid-based authentication).
Our CVE page is now there.
(In reply to Marcus Meissner from comment #6)
> the package containerd is in the Containers Module of SLES 12 and SLES 15.
>
> SUSE:SLE-12:Update/containerd
> SUSE:SLE-15:Update/containerd
>
> I see Aleksa submnitted last, but you also did some submits.

When will these patches be released? The customer asked about our progress.
It was not possible to properly backport the patch (the version of Docker we have in SLE uses containerd 1.2.x which is long out of date -- this is because upstream Docker updates containerd very infrequently and updating it without updating Docker results in Docker warnings and potentially unstable behaviour). I've prepared a release of Docker 19.04.14-ce which includes this fix as well as an update of containerd (to include this patch) and several other components. It's been submitted to Factory and SLE.
(In reply to Aleksa Sarai from comment #11)
> It was not possible to properly backport the patch (the version of Docker we
> have in SLE uses containerd 1.2.x which is long out of date -- this is
> because upstream Docker updates containerd very infrequently and updating it
> without updating Docker results in Docker warnings and potentially unstable
> behaviour).

To elaborate on the issues with backporting, containerd internals changed very drastically between 1.2.x and 1.3.x so I couldn't be sure I'd correctly backported the right behaviour.
This is an autogenerated message for OBS integration: This bug (1178969) was mentioned in https://build.opensuse.org/request/show/857815 Factory / containerd
SUSE-SU-2020:3938-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243
CVE References: CVE-2020-15257
JIRA References: SLE-16460
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.3.9-16.32.1, docker-19.03.14_ce-98.57.1, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-1.49.1, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Any ETA for the SLE 15 packages ?
There was a regression identified in docker firewall code.

bug 1180401

We are waiting for Aleksa to help. If you know someone else, Klaus, please bring him/her in.
(In reply to Marcus Meissner from comment #17)
> There was a regression identified in docker firewall code.
>
> bug 1180401
>
> we are waiting for Aleksa to help. If you know someone else Klaus, please
> bring him/her in?

Everyone from "containers core technology" (Aleksa, Sascha) is already in CC.
Ping, container folks ..
The issue is being discussed in bug 1180401.
SUSE-SU-2021:0435-1: An update that solves three vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732
CVE References: CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
JIRA References: SLE-16460
Sources used:
SUSE Manager Server 4.0 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Manager Retail Branch Server 4.0 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Manager Proxy 4.0 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server for SAP 15-SP1 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server 15-SP1-LTSS (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server 15-SP1-BCL (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Module for Containers 15-SP3 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Module for Containers 15-SP2 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Enterprise Storage 6 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE CaaS Platform 4.0 (src): containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:0278-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732
CVE References: CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
JIRA References:
Sources used:
openSUSE Leap 15.2 (src): containerd-1.3.9-lp152.2.3.1, docker-19.03.15_ce-lp152.2.3.1, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1, fish-2.7.1-lp152.5.3.1, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1