Bug 1193436 (CVE-2021-43784) - VUL-1: CVE-2021-43784: runc: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container configuration
Summary: VUL-1: CVE-2021-43784: runc: integer overflow in runc's netlink bytemsg allow...
Status: NEW
Alias: CVE-2021-43784
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low; Severity: Minor
Target Milestone: ---
Assignee: Containers Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/316340/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-12-06 13:26 UTC by Thomas Leroy
Modified: 2024-07-22 13:51 UTC
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
alexandre.vicenzi: needinfo? (asarai)


Description Thomas Leroy 2021-12-06 13:26:55 UTC
CVE-2021-43784

CVE-2021-43784: integer overflow in runc's netlink bytemsg allows malicious configuration to discreetly modify container configuration

From: Aleksa Sarai 
Date: Mon, 6 Dec 2021 15:58:14 +1100


GitHub Advisory:
  

This vulnerability was originally thought to be exploitable in released
versions of runc and thus a CVE was assigned (though it was thought to
be more difficult than with the yet-unreleased runc tree), but
subsequent analysis found that it appears to never have been exploitable
outside of the yet-unreleased runc tree.

However, out of an abundance of caution we still followed through with
an emergency release of runc 1.0.3[2] which resolves this issue.

[ Impact ]

In runc, netlink is used internally as a serialization system for
specifying the relevant container configuration to the C portion of our
code (responsible for the based namespace setup of containers). In all
versions of runc prior to 1.0.3, the encoder did not handle the
possibility of an integer overflow in the 16-bit length field for the
byte array attribute type, meaning that a large enough malicious byte
array attribute could result in the length overflowing and the attribute
contents being parsed as netlink messages for container configuration.

This vulnerability requires the attacker to have some control over the
configuration of the container and would allow the attacker to bypass
the namespace restrictions of the container by simply adding their own
netlink payload which disables all namespaces.

Prior to 9c44407, in practice it was fairly difficult to specify an
arbitrary-length netlink message with most container runtimes. The only
user-controlled byte array was the namespace paths attributes which can
be specified in runc's config.json, but as far as we can tell no
container runtime gives raw access to that configuration setting -- and
having raw access to that setting would allow the attacker to disable
namespace protections entirely anyway (setting them to /proc/1/ns/...
for instance). In addition, each namespace path is limited to 4096 bytes
(with only 7 namespaces supported by runc at the moment) meaning that
even with custom namespace paths it appears an attacker still cannot
shove enough bytes into the netlink bytemsg in order to overflow the
uint16 counter.

However, out of an abundance of caution (given how old this bug is) we
decided to treat it as a potentially exploitable vulnerability with a
low severity. After 9c44407 (which was not present in any release of
runc prior to the discovery of this bug), all mount paths are included
as a giant netlink message which means that this bug becomes
significantly more exploitable in more reasonable threat scenarios.

The main users impacted are those who allow untrusted images with
untrusted configurations to run on their machines (such as with shared
cloud infrastructure), though as mentioned above it appears this bug was
not practically exploitable on any released version of runc to date.

[ Patches ]

The patch for this is commit d72d057[1] and runc 1.0.3[2] was released with
this bug fixed.

[ Workarounds ]

To the extent this is exploitable, disallowing untrusted namespace paths
in container configuration should eliminate all practical ways of
exploiting this bug. It should be noted that untrusted namespace paths
would allow the attacker to disable namespace protections entirely even
in the absence of this bug.

[ Credits ]

Thanks to Felix Wilhelm from Google Project Zero for discovering this
vulnerability.

[1]: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
[2]: https://github.com/opencontainers/runc/releases/tag/v1.0.3

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH


References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-43784
http://seclists.org/oss-sec/2021/q4/144
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
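The overflow described in the advisory above, as an added example that is not runc's code and not the project's actual fix: a model of a netlink byte-array attribute whose Go-side length is an int while its wire length is a 16-bit field. SerializeUnchecked casts the length without a range check (the pre-1.0.3 pattern), SerializeChecked refuses oversized values instead of wrapping (the shape of the fix), and Walk shows why the wrap matters: a consumer that trusts the truncated length reads the caller-supplied value bytes as the next attribute header, which is how configuration smuggled inside a byte array could be taken for further container-configuration messages. Assumptions, all labelled in the code: little-endian encoding (runc uses the host's native byte order), the 4-byte NLA header and 4-byte alignment from linux/netlink.h, and a constructed value in which the made-up attribute type 0xBEEF stands in for whatever a smuggled attribute would claim to be.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"math"
)

// Netlink attribute header: uint16 length, uint16 type, 4-byte alignment
// (NLA_HDRLEN and NLA_ALIGNTO in linux/netlink.h are both 4).
const (
	nlaHdrLen  = 4
	nlaAlignTo = 4
)

// Bytemsg models the byte-array attribute the advisory describes. The wire
// length is 16 bits, but the encoder computes it as an int. Illustration
// only; this is not runc's own type.
type Bytemsg struct {
	Type  uint16
	Value []byte
}

// Len is header + value + NUL terminator, computed in int (no overflow here).
func (m *Bytemsg) Len() int { return nlaHdrLen + len(m.Value) + 1 }

func nlaAlign(l int) int { return (l + nlaAlignTo - 1) &^ (nlaAlignTo - 1) }

// SerializeUnchecked reproduces the bug class: int -> uint16 with no range
// check, so a total length of 65536+n is written to the wire as n.
// Little-endian is an assumption of this example; runc uses native order.
func (m *Bytemsg) SerializeUnchecked() []byte {
	l := m.Len()
	buf := make([]byte, nlaAlign(l))
	binary.LittleEndian.PutUint16(buf[0:2], uint16(l)) // silent truncation
	binary.LittleEndian.PutUint16(buf[2:4], m.Type)
	copy(buf[nlaHdrLen:], m.Value) // byte after the value stays 0: the NUL terminator
	return buf
}

// ErrTooLong is returned when a value cannot be described by a 16-bit length.
var ErrTooLong = errors.New("bytemsg: value too long for a 16-bit netlink length")

// SerializeChecked is the hardened form: refuse to encode rather than wrap.
func (m *Bytemsg) SerializeChecked() ([]byte, error) {
	if m.Len() > math.MaxUint16 {
		return nil, ErrTooLong
	}
	return m.SerializeUnchecked(), nil // safe once the length is known to fit
}

// Attr is one attribute header as a trusting consumer reads it.
type Attr struct {
	Type uint16
	Len  int
}

// Walk reads attribute headers sequentially, trusting each length field to
// locate the next header, which is exactly the assumption a wrapped length
// subverts. It stops at the first impossible header and returns what it saw.
func Walk(buf []byte) ([]Attr, error) {
	var attrs []Attr
	for off := 0; off+nlaHdrLen <= len(buf); {
		l := int(binary.LittleEndian.Uint16(buf[off:]))
		t := binary.LittleEndian.Uint16(buf[off+2:])
		if l < nlaHdrLen || off+l > len(buf) {
			return attrs, fmt.Errorf("malformed attribute length %d at offset %d", l, off)
		}
		attrs = append(attrs, Attr{Type: t, Len: l})
		off += nlaAlign(l)
	}
	return attrs, nil
}

// CraftedBytemsg builds a constructed value whose total length, 65544
// (0x10008), wraps to 8 in 16 bits. Value bytes 4..8, which a trusting
// parser then reads as the *next* header, carry the made-up type 0xBEEF.
func CraftedBytemsg() *Bytemsg {
	value := make([]byte, 65539) // 4 + 65539 + 1 == 65544
	binary.LittleEndian.PutUint16(value[4:6], 8)
	binary.LittleEndian.PutUint16(value[6:8], 0xBEEF)
	return &Bytemsg{Type: 1, Value: value}
}

func main() {
	m := CraftedBytemsg()
	buf := m.SerializeUnchecked()
	fmt.Printf("real length %d, on-the-wire length %d\n", m.Len(), binary.LittleEndian.Uint16(buf[0:2]))
	attrs, err := Walk(buf)
	fmt.Printf("trusting parser saw %+v (then stopped: %v)\n", attrs, err)
	_, err = m.SerializeChecked()
	fmt.Println("checked encoder:", err)
}
```

Run with `go run`. The second header Walk reports never came from the encoder; it came from inside the value, which is the "attribute contents being parsed as netlink messages" behaviour the advisory describes. Len() also makes the advisory's bound concrete: seven namespace paths of at most 4096 bytes each cannot bring the total anywhere near 65536, which is why released runc versions were judged not practically exploitable until mount paths were added to the same message.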
Comment 1 Thomas Leroy 2021-12-06 13:29:40 UTC
I actually don't know if other packages could be affected, like docker-runc. I am investigating which codestreams would be affected, but please let me know if only runc would be affected.
Comment 2 Swamp Workflow Management 2021-12-14 17:25:07 UTC
SUSE-SU-2021:4059-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193436
CVE References: CVE-2021-43784
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src):    runc-1.0.3-16.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 3 Swamp Workflow Management 2021-12-23 14:18:40 UTC
openSUSE-SU-2021:4171-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193436
CVE References: CVE-2021-43784
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    runc-1.0.3-27.1
Comment 4 Swamp Workflow Management 2021-12-23 14:45:14 UTC
SUSE-SU-2021:4171-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193436
CVE References: CVE-2021-43784
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    runc-1.0.3-27.1
SUSE MicroOS 5.0 (src):    runc-1.0.3-27.1
SUSE Linux Enterprise Module for Containers 15-SP3 (src):    runc-1.0.3-27.1
SUSE Linux Enterprise Module for Containers 15-SP2 (src):    runc-1.0.3-27.1
SUSE Enterprise Storage 7 (src):    runc-1.0.3-27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2021-12-26 17:19:41 UTC
openSUSE-SU-2021:1625-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1193436
CVE References: CVE-2021-43784
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    runc-1.0.3-lp152.2.12.1
Comment 7 Alexandre Vicenzi 2024-07-19 14:09:11 UTC
docker-runc shares the same source code as runc; in theory, it should have affected both packages.

SMASH does not mention docker-runc, but this could affect SLE 15 SP2 and newer SPs as docker-runc seems to be derived from 1.0.0 RC10 with a few patches on top.

Tomas, do you want to update SMASH?

Aleksa, do you know the reasoning and main differences between docker-runc and runc? Taking the version into account, it seems this CVE is present in docker-runc.