Bugzilla – Bug 1193436
VUL-1: CVE-2021-43784: runc: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container configuration
Last modified: 2024-07-22 13:51:08 UTC
CVE-2021-43784 oss-sec mailing list archives CVE-2021-43784: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container configuration From: Aleksa Sarai Date: Mon, 6 Dec 2021 15:58:14 +1100 GitHub Advisory: This vulnerability was originally thought to be exploitable in released versions of runc and thus a CVE was assigned (though it was thought to be more difficult than with the yet-unreleased runc tree), but subsequent analysis found that it appears to never have been exploitable outside of the yet-unreleased runc tree. However, out of an abundance of caution we still followed through with an emergency release of runc 1.0.3[2] which resolves this issue. [ Impact ] In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. Prior to 9c44407, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc's config.json, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting would allow the attacker to disable namespace protections entirely anyway (setting them to /proc/1/ns/... for instance). In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter. However, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c44407 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure), though as mentioned above it appears this bug was not practically exploitable on any released version of runc to date. [ Patches ] The patch for this is commit d72d057[1] and runc 1.0.3[2] was released with this bug fixed. [ Workarounds ] To the extent this is exploitable, disallowing untrusted namespace paths in container configuration should eliminate all practical ways of exploiting this bug. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. [ Credits ] Thanks for Felix Wilhelm from Google Project Zero for discovering this vulnerability. [1]: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae [2]: https://github.com/opencontainers/runc/releases/tag/v1.0.3 -- Aleksa Sarai Senior Software Engineer (Containers) SUSE Linux GmbH Current thread: CVE-2021-43784: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container configuration Aleksa Sarai (Dec 05) References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43784 http://seclists.org/oss-sec/2021/q4/144 https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
I actually don't know if other packages could be affected, like docker-runc. I am investigating which codestreams would be affected, but please let me know if only runc would be affected.
SUSE-SU-2021:4059-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1193436 CVE References: CVE-2021-43784 JIRA References: Sources used: SUSE Linux Enterprise Module for Containers 12 (src): runc-1.0.3-16.18.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:4171-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1193436 CVE References: CVE-2021-43784 JIRA References: Sources used: openSUSE Leap 15.3 (src): runc-1.0.3-27.1
SUSE-SU-2021:4171-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1193436 CVE References: CVE-2021-43784 JIRA References: Sources used: SUSE MicroOS 5.1 (src): runc-1.0.3-27.1 SUSE MicroOS 5.0 (src): runc-1.0.3-27.1 SUSE Linux Enterprise Module for Containers 15-SP3 (src): runc-1.0.3-27.1 SUSE Linux Enterprise Module for Containers 15-SP2 (src): runc-1.0.3-27.1 SUSE Enterprise Storage 7 (src): runc-1.0.3-27.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2021:1625-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1193436 CVE References: CVE-2021-43784 JIRA References: Sources used: openSUSE Leap 15.2 (src): runc-1.0.3-lp152.2.12.1
docker-runc shares the same source code as runc, in theory, it should have affected both packages. SMASH does not mention docker-runc, but this could affect SLE 15 SP2 and newer SPs as docker-runc seems to be from derived 1.0.0 RC10 with a few patches on top. Tomas, do you want to update SMASH? Aleksa, do you know the reasoning and main differences between docker-runc and runc? Taking the version into account, it seems this CVE is present in docker-runc.