Bugzilla – Bug 1191818
VUL-0: CVE-2021-36779: Host operations allowed in privileged Longhorn managed pods
Last modified: 2021-12-17 07:06:44 UTC
(In reply to Johannes Segitz from comment #1)
> can you please provide the information about the issue here or link to the
> github issue so we can evaluate before we assign? Thanks
https://github.com/longhorn/security/issues/1 (this is a private issue you can't access, but you can see the info below)
The pods managed by Longhorn Manager are run with a privileged context on every node in the cluster. The pod’s container runs as root and exposes a gRPC service on TCP port 8500. This service is accessible to any workload in the cluster and requires no authentication. A malicious workload can take advantage of this service to execute any binary present in the image, which includes curl and apt.
I was able to take advantage of this vulnerability from an unprivileged workload in a test cluster to install and run arbitrary applications in the container and access/modify the host (node) filesystem as root.
Please help publish to Mitre. Thank you!
public and fix is released
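A defender-side audit for the exposure pattern in the report above (a privileged container whose network service any workload can reach), as an added example that is not part of the original bug report or Longhorn's code. It assumes pod and NetworkPolicy objects in the JSON shape `kubectl` returns; every name, namespace and label is constructed, and only port 8500 comes from the report.

```python
# Added example (not Longhorn code). Objects are constructed and follow the
# shape of `kubectl get pods,networkpolicies -A -o json` items.

def privileged_listeners(pod):
    """Yield (container, port) for privileged containers that declare ports."""
    for c in pod["spec"].get("containers", []):
        if (c.get("securityContext") or {}).get("privileged"):
            for p in c.get("ports", []):
                yield c["name"], p["containerPort"]

def isolates(policy, pod):
    """True if an ingress NetworkPolicy selects the pod (matchLabels only)."""
    if policy["metadata"]["namespace"] != pod["metadata"]["namespace"]:
        return False
    spec = policy["spec"]
    if "Ingress" not in spec.get("policyTypes", ["Ingress"]):
        return False
    sel = spec.get("podSelector", {})
    if sel.get("matchExpressions"):
        return False  # not evaluated here; stay conservative and keep flagging
    labels = pod["metadata"].get("labels", {})
    return all(labels.get(k) == v for k, v in sel.get("matchLabels", {}).items())

def audit(pods, policies):
    """List privileged listeners that no ingress policy restricts."""
    findings = []
    for pod in pods:
        if any(isolates(np, pod) for np in policies):
            continue  # some policy limits ingress; review its rules by hand
        meta = pod["metadata"]
        for name, port in privileged_listeners(pod):
            findings.append((meta["namespace"], meta["name"], name, port))
    return findings

def pod(ns, name, privileged, port):  # helper to build constructed samples
    return {"metadata": {"namespace": ns, "name": name, "labels": {"app": name}},
            "spec": {"containers": [{"name": "main", "ports": [{"containerPort": port}],
                                     "securityContext": {"privileged": privileged}}]}}

PODS = [pod("storage", "agent", True, 8500),      # privileged, no policy
        pod("locked", "agent", True, 8500),       # privileged, policy applies
        pod("web", "frontend", False, 8080)]      # unprivileged
POLICIES = [{"metadata": {"namespace": "locked", "name": "agent-ingress"},
             "spec": {"podSelector": {"matchLabels": {"app": "agent"}},
                      "policyTypes": ["Ingress"]}}]

if __name__ == "__main__":
    for f in audit(PODS, POLICIES):
        print("privileged listener with unrestricted ingress: %s/%s %s:%d" % f)
```

Declared `containerPort` values are informational in Kubernetes, so a container can listen on ports this audit does not see, and a NetworkPolicy only has effect when the cluster's network plugin enforces it.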