Bug 1182428 - (CVE-2022-1227) VUL-0: CVE-2022-1227: podman: podman-top error executing "nsenter -U -t 1 cat /proc/1/status": exec: "nsenter": executable file not found in $PATH in rootless mode
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE Tumbleweed
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Containers Team
Security Team bot
https://smash.suse.de/issue/328227
CVSSv3.1:SUSE:CVE-2022-1227:8.0:(AV:N...
Depends on:
Blocks: 1195498
Reported: 2021-02-18 12:13 UTC by Yiannis Bonatakis
Modified: 2022-09-26 09:35 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
strace podman top (71.69 KB, text/plain)
2021-12-20 16:32 UTC, Yiannis Bonatakis
Details

Description Yiannis Bonatakis 2021-02-18 12:13:00 UTC
I have enabled rootless mode in TW (it is not reproducible on SLE):
```
usermod --add-subuids 200000-201000 --add-subgids 200000-201000 $user
```

Then all looks good except when I run a container with `--userns keep-id`.
With this, the user is shown in the container with the following id map:
```
uid=1000(bernhard), gid=100(users), group=100(users)
```

Running podman top gives me the following error:
```
error executing "nsenter -U -t 1 cat /proc/1/status": exec: "nsenter": executable file not found in $PATH
```

However, nsenter is installed on the host at `/usr/bin/nsenter`.
I checked the $PATH and it looks OK:
```
/home/bernhard/bin:/usr/local/bin:/usr/bin:/bin
```

How to reproduce:
1. usermod --add-subuids 200000-201000 --add-subgids 200000-201000 $user
2. podman run -d --rm --userns keep-id registry.opensuse.org/opensuse/tumbleweed sleep infinity
3. podman top $img_id

Expected:
output of podman-top

Actual:
error executing "nsenter -U -t 1 cat /proc/1/status": exec: "nsenter": executable file not found in $PATH
Comment 1 Oliver Kurz 2021-03-05 06:04:56 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: extra_tests_textmode_containers
https://openqa.opensuse.org/tests/1655352

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 2 Oliver Kurz 2021-03-19 06:05:11 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1671700

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 3 Oliver Kurz 2021-04-03 05:03:21 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1689556

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 4 Oliver Kurz 2021-04-18 05:02:43 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1701565

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 5 openQA Review 2021-05-02 05:18:45 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1721981

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 6 openQA Review 2021-05-18 08:36:43 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers
https://openqa.opensuse.org/tests/1735917

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 7 openQA Review 2021-06-02 05:17:10 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1763757

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 8 openQA Review 2021-06-16 05:18:13 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1782360

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released"
3. The label in the openQA scenario is removed
Comment 9 Oliver Kurz 2021-06-30 06:25:16 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1806856

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 10 openQA Review 2021-07-15 00:16:29 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1839301

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 11 openQA Review 2021-07-29 01:25:25 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1855329

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 12 openQA Review 2021-08-12 08:56:30 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1869720

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 13 openQA Review 2021-08-26 23:57:46 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1887706

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 14 openQA Review 2021-09-10 00:48:18 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1909039

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The label in the openQA scenario is removed
Comment 15 openQA Review 2021-09-24 23:59:17 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1929451

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 16 openQA Review 2021-10-09 02:51:17 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers@64bit_virtio-2G
https://openqa.opensuse.org/tests/1959018

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 17 openQA Review 2021-10-24 00:23:13 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: podman_tests
https://openqa.suse.de/tests/7485563

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 18 openQA Review 2021-11-12 00:21:53 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-container-engines_and_tools
https://openqa.suse.de/tests/7630744

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 19 openQA Review 2021-11-26 00:49:20 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: podman_tests
https://openqa.suse.de/tests/7715381

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 20 openQA Review 2021-12-10 01:29:38 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers
https://openqa.suse.de/tests/7802284

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 21 Yiannis Bonatakis 2021-12-20 16:32:17 UTC
Created attachment 854711 [details]
strace podman top

I uploaded the strace of `podman top` from podman 3.4.2 run in a TW VM. The container was run with `podman run -d --rm --userns keep-id registry.opensuse.org/opensuse/tumbleweed sleep infinity`.
Comment 22 Dan Čermák 2022-01-03 17:29:35 UTC
(In reply to Yiannis Bonatakis from comment #21)
> Created attachment 854711 [details]
> strace podman top
> 
> i upload the strace of `podman top` from podman 3.4.2 run in a tw vm.
> container run with `podman run -d --rm --userns keep-id
> registry.opensuse.org/opensuse/tumbleweed sleep infinity`

This issue is not related to Tumbleweed itself but is caused by the Tumbleweed container image. If you switch to docker.io/alpine, then the above commands work.

Upstream issue: https://github.com/containers/podman/issues/10941
Comment 23 Fabian Vogt 2022-01-10 10:30:28 UTC
This is because nsenter is not part of registry.opensuse.org/opensuse/tumbleweed.

No idea why podman tries to call nsenter of the container though.
Comment 24 Aleksa Sarai 2022-01-11 14:20:50 UTC
I looked into it a bit more and put my findings in the upstream GitHub issue.

The reason this appears to happen is that the ps library they're using (github.com/containers/psgo) automatically runs the nsenter command if the current user namespace is different to the target user namespace. So it appears podman top doesn't run in the user namespace but it joins all of the other namespaces. But because this is being done in the library call that happened after podman top joined the namespace, psgo ends up trying to execute nsenter inside the container.

Personally this is worrying for a couple of reasons (hypothetically this means that a container process can mess with the results of an internal operation of podman -- while podman top isn't safety-critical it does mean a malicious container could return bad results and if psgo is not very careful with the returned data there might be other bugs).

I've submitted a patch to psgo to remove the usage of nsenter entirely[1] (it was only being used so that they could get the container uids and gids -- but it's trivial to emulate that conversion in Go by reading /proc/$pid/[ug]id_map). Hopefully that will fix the issue (and the potential security bug).

[1]: https://github.com/containers/psgo/pull/92
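The conversion Aleksa describes can be done entirely from the host side by parsing `/proc/<pid>/uid_map` (each line is `ID-inside-ns ID-outside-ns length`, per user_namespaces(7)) and translating a host-visible uid into the container's view. The following is an added illustration, not psgo's or podman's own code; the sample map is constructed to resemble the reporter's keep-id setup (user 1000, subuids 200000-201000) and nothing is executed inside the container.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// overflowID is what the kernel reports for an ID that has no mapping
// (/proc/sys/kernel/overflowuid, 65534 by default).
const overflowID = 65534

// idMapping is one line of /proc/<pid>/uid_map or gid_map:
// "<first ID inside the namespace> <first ID as the reader sees it> <count>".
type idMapping struct {
	insideID, outsideID, count uint64
}

// parseIDMap parses the contents of a uid_map/gid_map file read from the host.
func parseIDMap(contents string) ([]idMapping, error) {
	var maps []idMapping
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" {
			continue
		}
		var m idMapping
		if _, err := fmt.Sscanf(line, "%d %d %d", &m.insideID, &m.outsideID, &m.count); err != nil {
			return nil, fmt.Errorf("malformed id_map line %q: %w", line, err)
		}
		if m.count == 0 {
			return nil, fmt.Errorf("zero-length mapping in line %q", line)
		}
		maps = append(maps, m)
	}
	return maps, sc.Err()
}

// toContainerID translates an ID as the host sees it (e.g. the Uid/Gid fields
// of /proc/<pid>/status read from the host) into the ID the container sees.
// An ID outside every range is unmapped and is reported as overflowID.
func toContainerID(maps []idMapping, hostID uint64) (uint64, bool) {
	for _, m := range maps {
		if hostID >= m.outsideID && hostID-m.outsideID < m.count {
			return m.insideID + (hostID - m.outsideID), true
		}
	}
	return overflowID, false
}

// sampleUIDMap is a constructed uid_map resembling the bug's scenario: rootless
// user 1000 with subuids 200000-201000, container started with --userns keep-id.
const sampleUIDMap = `
         0     200000       1000
      1000       1000          1
      1001     201000          1
`

func main() {
	maps, err := parseIDMap(sampleUIDMap)
	if err != nil {
		panic(err)
	}
	for _, host := range []uint64{0, 1000, 200000, 200500, 201000} {
		id, ok := toContainerID(maps, host)
		fmt.Printf("host uid %6d -> container uid %5d (mapped=%v)\n", host, id, ok)
	}
}
```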
Comment 25 Aleksa Sarai 2022-01-11 14:23:09 UTC
(In reply to Aleksa Sarai from comment #24)
> I looked into a bit more and put my findings in the upstream github issue.
> 
> The reason this appears to happen is that the ps library they're using
> (github.com/containers/psgo) automatically runs the nsenter command if the
> current user namespace is different to the target user namespace. So it
> appears podman top doesn't run in the user namespace but it joins all of the
> other namespaces. But because this is being done in the library call that
> happened after podman top joined the namespace, psgo ends up trying to
> execute nsenter inside the container.
> 
> Personally this is worrying for a couple of reasons (hypothetically this
> means that a container process can mess with the results of an internal
> operation of podman -- while podman top isn't safety-critical it does mean a
> malicious container could return bad results and if psgo is not very careful
> with the returned data there might be other bugs).

Also the nsenter container binary is executed with any container security profiles applied as far as I can tell (only the namespaces are joined -- and not the user namespace). This means that a malicious binary placed at /bin/nsenter inside the container would have elevated privileges when compared to the rest of the container (most notably you would have the same privileges as the "podman top" user -- who could be root -- but you'd still be in the other container namespaces).

> [1]: https://github.com/containers/psgo/pull/92
Comment 26 Jose Lausuch 2022-01-12 09:54:52 UTC
Thanks for the help Aleksa! Appreciated!
Comment 27 openQA Review 2022-01-26 23:57:21 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-container_host
https://openqa.opensuse.org/tests/2158476

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 28 openQA Review 2022-02-10 00:07:05 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers
https://openqa.suse.de/tests/8121988

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 29 openQA Review 2022-02-24 00:09:27 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers
https://openqa.suse.de/tests/8214670

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`
Comment 30 openQA Review 2022-03-24 00:22:30 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: jeos-containers
https://openqa.suse.de/tests/8346808

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`

Expect the next reminder at the earliest in 56 days if nothing changes in this ticket.
Comment 31 Dan Čermák 2022-04-06 08:01:38 UTC
CVE-2022-1227 has been assigned to this issue.
Comment 33 openQA Review 2022-05-03 00:03:31 UTC
This is an autogenerated message for openQA integration by the openqa_review script:

This bug is still referenced in a failing openQA test: extra_tests_textmode_podman_containers
https://openqa.opensuse.org/tests/2316285

To prevent further reminder comments one of the following options should be followed:
1. The test scenario is fixed by applying the bug fix to the tested product or the test is adjusted
2. The openQA job group is moved to "Released" or "EOL" (End-of-Life)
3. The bugref in the openQA scenario is removed or replaced, e.g. `label:wontfix:boo1234`

Expect the next reminder at the earliest in 52 days if nothing changes in this ticket.
Comment 38 Vincent Moutoussamy 2022-06-14 12:27:48 UTC
So we should already have this backported fix in our latest podman version: https://github.com/containers/podman/pull/13862
Comment 40 Swamp Workflow Management 2022-08-17 19:16:48 UTC
SUSE-SU-2022:2834-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    podman-3.4.7-150400.4.3.1
SUSE Linux Enterprise Module for Containers 15-SP4 (src):    podman-3.4.7-150400.4.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 41 Swamp Workflow Management 2022-08-18 10:18:03 UTC
SUSE-SU-2022:2839-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.2 (src):    podman-3.4.7-150300.9.9.2
SUSE Linux Enterprise Micro 5.1 (src):    podman-3.4.7-150300.9.9.2
SUSE Enterprise Storage 7.1 (src):    podman-3.4.7-150300.9.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 42 Gianluca Gabrielli 2022-08-23 12:12:18 UTC
Can this be backported to SUSE:SLE-15-SP1:Update as well?
Comment 45 Swamp Workflow Management 2022-09-01 14:51:49 UTC
SUSE-SU-2022:2839-2: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1182428,1196338,1197284
CVE References: CVE-2022-1227,CVE-2022-21698,CVE-2022-27191
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    podman-3.4.7-150300.9.9.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 46 Jose Lausuch 2022-09-19 10:11:03 UTC
We don't have this issue any more in TW: 
https://openqa.opensuse.org/tests/2693430#step/rootless_podman/207
Comment 47 Vincent Moutoussamy 2022-09-26 09:35:14 UTC
Setting RESOLVED FIXED as MU went for SP3 and openSUSE