Bug 1178969 - (CVE-2020-15257) VUL-0: CVE-2020-15257: containerd: Use path based unix socket for shims
Status: IN_PROGRESS
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Major
Target Milestone: ---
Assigned To: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/272035/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-15257:7.8:(AV:...
Depends on: 1180401
Blocks:
 
Reported: 2020-11-19 11:00 UTC by Marcus Meissner
Modified: 2021-02-12 05:17 UTC

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
containerd-1.3-Fix-CVE-2020-15257.patch (22.17 KB, patch)
2020-11-19 13:50 UTC, Marcus Meissner
containerd-1.4-Fix-CVE-2020-15257.patch (21.58 KB, patch)
2020-11-19 13:50 UTC, Marcus Meissner

Comment 1 Marcus Meissner 2020-11-19 13:50:17 UTC
Created attachment 843726
containerd-1.3-Fix-CVE-2020-15257.patch
Comment 2 Marcus Meissner 2020-11-19 13:50:34 UTC
Created attachment 843727
containerd-1.4-Fix-CVE-2020-15257.patch
Comment 3 Marcus Meissner 2020-12-01 06:55:54 UTC
public via oss-sec

From: "Karp, Samuel" <skarp@amazon.com>
Subject: [oss-security] CVE-2020-15257: containerd-shim API exposed to host network containers

Impact

Access controls for the shim’s API socket verified that the connecting
process had an effective UID of 0, but did not otherwise restrict
access to the abstract Unix domain socket. This would allow malicious
containers running in the same network namespace as the shim, with an
effective UID of 0 but otherwise reduced privileges, to cause new
processes to be run with elevated privileges.


Patches

This vulnerability has been fixed in containerd 1.3.9 [1] and 1.4.3
[2]. Users should update to these versions as soon as they are
released. It should be noted that containers started with an old
version of containerd-shim should be stopped and restarted, as running
containers will continue to be vulnerable even after an upgrade.


Workarounds

If you are not providing the ability for untrusted users to start
containers in the same network namespace as the shim (typically the
"host" network namespace, for example with `docker run --net=host` or
`hostNetwork: true` in a Kubernetes pod) and run with an effective UID
of 0, you are not vulnerable to this issue.

If you are running containers with a vulnerable configuration, you can
deny access to all abstract sockets with AppArmor by adding a line
similar to `deny unix addr=@**,` to your policy.

It is best practice to run containers with a reduced set of privileges,
with a non-zero UID, and with isolated namespaces. The containerd
maintainers strongly advise against sharing namespaces with the host.
Reducing the set of isolation mechanisms used for a container
necessarily increases that container's privilege, regardless of what
container runtime is used for running that container.


Credits

The containerd maintainers would like to thank Jeff Dileo of NCC Group
for responsibly disclosing this issue in accordance with the containerd
security policy [3] and for reviewing the patch.

For further details, see 
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4

[1] https://github.com/containerd/containerd/releases/tag/v1.3.9
[2] https://github.com/containerd/containerd/releases/tag/v1.4.3
[3] https://github.com/containerd/project/blob/master/SECURITY.md
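The AppArmor workaround from the Workarounds section of the advisory above, written out as an added example; this is not a profile shipped by containerd, Docker or SUSE. The profile name docker-no-abstract is chosen here, the allow rules are assumed to mirror the allow rules of Docker's generated docker-default profile (trimmed to the ones that matter for this example), and only the final deny line is the one the advisory gives.

```text
#include <tunables/global>

# Allow rules assumed to mirror Docker's generated docker-default profile
# (trimmed); only the deny line at the end comes from the advisory.
profile docker-no-abstract flags=(attach_disconnected,mediate_deleted) {
  #include <abstractions/base>

  network,
  capability,
  file,
  umount,

  # CVE-2020-15257 workaround: refuse every abstract Unix socket address, so
  # a uid-0 process in a host-network container cannot reach the shim's
  # abstract socket. Path-based sockets are not touched by this rule.
  deny unix addr=@**,
}
```

Load it with `apparmor_parser -r -W /etc/apparmor.d/docker-no-abstract` and attach it with `docker run --security-opt apparmor=docker-no-abstract ...` (for a Kubernetes pod, the `container.apparmor.security.beta.kubernetes.io/<container name>: localhost/docker-no-abstract` annotation). Two caveats: the rule also blocks the container's own legitimate abstract-socket traffic, so the workload needs testing with it, and it only helps for containers that are actually confined by the profile; a container started with `--privileged` or `apparmor=unconfined` is not.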
Comment 4 Marcus Meissner 2020-12-09 08:42:13 UTC
sascha can you help or assign someone?
Comment 5 Sascha Grunert 2020-12-09 09:09:41 UTC
(In reply to Marcus Meissner from comment #4)
> sascha can you help or assign someone?

To be honest I do not know to whom to assign this issue. Maybe Aleksa can help support us there? Which projects / products would be affected?
Comment 6 Marcus Meissner 2020-12-09 09:24:31 UTC
the package containerd is in the Containers Module of SLES 12 and SLES 15.

SUSE:SLE-12:Update/containerd
SUSE:SLE-15:Update/containerd


I see Aleksa submitted last, but you also did some submits.
Comment 7 Xuanke Han 2020-12-10 09:46:34 UTC
Hi Marcus Meissner,

Could you please write a note/announcement on our website https://www.suse.com/security/cve/?

Our customers asked if our product is affected by this issue; they can find the web pages of Red Hat and Ubuntu:
https://access.redhat.com/security/cve/CVE-2020-15257
https://ubuntu.com/security/CVE-2020-15257

but there is no record on our website.

Thanks in advance.

Xuanke Han
Comment 8 Aleksa Sarai 2020-12-10 11:19:00 UTC
I'm preparing a submission to SLE but it should be noted that triggering this bug requires explicitly disabling a significant container security feature (namely disabling network namespaces) while running a workload with uid 0. Even with this bug fixed, such a configuration is still insecure (several normal host processes use abstract unix sockets and do uid-based authentication).
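An added example, not code from containerd, from the advisory in comment 3 or from comment 8, illustrating the point both make: a small Go program (Linux only) whose listener does exactly what the advisory describes, admitting any peer whose SO_PEERCRED uid is 0, first behind an abstract socket, which anything sharing the network namespace can reach by name, and then behind a path whose directory permissions the kernel enforces on connect(). The socket names, the uidZeroOnly policy and the helper names are constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// uidZeroOnly is the check the advisory describes: uid 0 is enough, whatever
// capabilities or namespaces the caller has otherwise given up.
func uidZeroOnly(cred *syscall.Ucred) bool { return cred.Uid == 0 }

// serveOnce accepts one client, fetches its pid/uid/gid through SO_PEERCRED
// (the only input the pre-fix policy had) and answers "ok" or "denied".
func serveOnce(l net.Listener, policy func(*syscall.Ucred) bool) error {
	c, err := l.Accept()
	if err != nil {
		return err
	}
	defer c.Close()
	raw, err := c.(*net.UnixConn).SyscallConn()
	if err != nil {
		return err
	}
	var cred *syscall.Ucred
	var cerr error
	if err := raw.Control(func(fd uintptr) {
		cred, cerr = syscall.GetsockoptUcred(int(fd), syscall.SOL_SOCKET, syscall.SO_PEERCRED)
	}); err != nil || cerr != nil {
		return fmt.Errorf("SO_PEERCRED: control=%v getsockopt=%v", err, cerr)
	}
	reply := "denied\n"
	if policy(cred) {
		reply = "ok\n"
	}
	_, err = io.WriteString(c, reply)
	return err
}

// ask listens at addr ("@name" is the abstract namespace, anything else a
// path), serves one connection made from this process and returns the verdict.
func ask(addr string, policy func(*syscall.Ucred) bool) (string, error) {
	l, err := net.Listen("unix", addr)
	if err != nil {
		return "", err
	}
	defer l.Close()
	done := make(chan error, 1)
	go func() { done <- serveOnce(l, policy) }()
	c, err := net.Dial("unix", addr)
	if err != nil {
		return "", err
	}
	defer c.Close()
	line, err := bufio.NewReader(c).ReadString('\n')
	if err != nil {
		return "", err
	}
	return strings.TrimSpace(line), <-done
}

// pathRefused binds a listener to a path and then clears the mode bits of its
// directory: connect() fails unless the caller holds CAP_DAC_OVERRIDE, a lever
// an abstract socket never has. Reports whether the connect attempt was refused.
func pathRefused() (bool, error) {
	dir, err := os.MkdirTemp("", "shim-s-")
	if err != nil {
		return false, err
	}
	defer os.RemoveAll(dir)
	sock := filepath.Join(dir, "shim.sock")
	l, err := net.Listen("unix", sock)
	if err != nil {
		return false, err
	}
	defer l.Close()
	if err := os.Chmod(dir, 0); err != nil {
		return false, err
	}
	c, dialErr := net.Dial("unix", sock)
	if dialErr == nil {
		c.Close()
	}
	os.Chmod(dir, 0o700) // restore so Close can unlink the socket and RemoveAll works
	return dialErr != nil, nil
}

func main() {
	// Constructed name; any process sharing this network namespace can connect to it.
	verdict, err := ask(fmt.Sprintf("@example-shim-%d", os.Getpid()), uidZeroOnly)
	fmt.Println("abstract socket, uid-0-only policy:", verdict, err)
	refused, err := pathRefused()
	fmt.Println("path socket behind a mode-0 directory refused:", refused, err)
}
```

Run as root the abstract listener answers ok, as an unprivileged user denied, and in both cases nothing but the uid was consulted, which is the advisory's point: a container with uid 0 and host networking is indistinguishable from the host's own root processes on that socket. The path variant is refused for any caller without CAP_DAC_OVERRIDE once the directory mode is cleared; that is what a path-based shim socket gains (directory permissions and the mount namespace now mediate access, with the uid check still in place) and what no abstract socket can get. To see what a container sharing the host network namespace could discover, read /proc/net/unix inside it: abstract sockets are listed there with a leading "@".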
Comment 9 Marcus Meissner 2020-12-10 15:09:03 UTC
Our CVE page is now there.
Comment 10 Xuanke Han 2020-12-17 07:04:45 UTC
(In reply to Marcus Meissner from comment #6)
> the package containerd is in the Containers Module of SLES 12 and SLES 15.
> 
> SUSE:SLE-12:Update/containerd
> SUSE:SLE-15:Update/containerd
> 
> 
> I see Aleksa submnitted last, but you also did some submits.

When will these patches be released? The customer asked about our progress.
Comment 11 Aleksa Sarai 2020-12-21 07:19:04 UTC
It was not possible to properly backport the patch (the version of Docker we have in SLE uses containerd 1.2.x which is long out of date -- this is because upstream Docker updates containerd very infrequently and updating it without updating Docker results in Docker warnings and potentially unstable behaviour).

I've prepared a release of Docker 19.04.14-ce which includes this fix as well as an update of containerd (to include this patch) and several other components. It's been submitted to Factory and SLE.
Comment 12 Aleksa Sarai 2020-12-21 07:19:51 UTC
(In reply to Aleksa Sarai from comment #11)
> It was not possible to properly backport the patch (the version of Docker we
> have in SLE uses containerd 1.2.x which is long out of date -- this is
> because upstream Docker updates containerd very infrequently and updating it
> without updating Docker results in Docker warnings and potentially unstable
> behaviour).

To elaborate on the issues with backporting, containerd internals changed very drastically between 1.2.x and 1.3.x so I couldn't be sure I'd correctly backported the right behaviour.
Comment 13 OBSbugzilla Bot 2020-12-21 08:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1178969) was mentioned in
https://build.opensuse.org/request/show/857815 Factory / containerd
Comment 15 Swamp Workflow Management 2020-12-28 17:17:51 UTC
SUSE-SU-2020:3938-1: An update that solves one vulnerability, contains one feature and has four fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243
CVE References: CVE-2020-15257
JIRA References: SLE-16460
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    containerd-1.3.9-16.32.1, docker-19.03.14_ce-98.57.1, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-1.49.1, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Andreas Taschner 2021-01-05 07:38:01 UTC
Any ETA for the SLE 15 packages ?
Comment 17 Marcus Meissner 2021-01-05 09:53:05 UTC
There was a regression identified in docker firewall code.

bug 1180401

we are waiting for Aleksa to help. If you know someone else Klaus, please bring him/her in?
Comment 18 Klaus Kämpf 2021-01-05 10:03:43 UTC
(In reply to Marcus Meissner from comment #17)
> There was a regression identified in docker firewall code.
> 
> bug 1180401
> 
> we are waiting for Aleksa to help. If you know someone else Klaus, please
> bring him/her in?

Everyone from "containers core technology" (Aleksa, Sascha) is already in CC.
Comment 19 Andreas Taschner 2021-01-12 15:13:34 UTC
Ping, container folks ..
Comment 20 Aleksa Sarai 2021-01-18 01:15:08 UTC
The issue is being discussed in bug 1180401.
Comment 28 Swamp Workflow Management 2021-02-11 17:17:01 UTC
SUSE-SU-2021:0435-1: An update that solves three vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732
CVE References: CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
JIRA References: SLE-16460
Sources used:
SUSE Manager Server 4.0 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Manager Retail Branch Server 4.0 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Manager Proxy 4.0 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Server 15-SP1-BCL (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE Enterprise Storage 6 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3
SUSE CaaS Platform 4.0 (src):    containerd-1.3.9-5.29.3, docker-19.03.15_ce-6.43.3, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-6.45.3, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-4.28.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2021-02-12 05:17:02 UTC
openSUSE-SU-2021:0278-1: An update that solves three vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1174075,1176708,1178801,1178969,1180243,1180401,1181730,1181732
CVE References: CVE-2020-15257,CVE-2021-21284,CVE-2021-21285
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    containerd-1.3.9-lp152.2.3.1, docker-19.03.15_ce-lp152.2.3.1, docker-runc-1.0.0rc10+gitr3981_dc9208a3303f-lp152.2.3.1, fish-2.7.1-lp152.5.3.1, golang-github-docker-libnetwork-0.7.0.1+gitr2908_55e924b8a842-lp152.2.3.1