Bug 1010933 - (CVE-2016-8649) VUL-0: CVE-2016-8649: lxc: guest escape via ptrace of lxc-attach
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Cédric Bosdonnat
Security Team bot
Depends on:
Reported: 2016-11-18 12:33 UTC by Marcus Meissner
Modified: 2017-11-15 15:00 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Marcus Meissner 2016-11-18 12:33:45 UTC
A private security bug was reported by Roman Fiedler against LXC which
requires a patch in the Linux kernel to fully address the issue.
This issue is embargoed and has not been disclosed publicly. We are
requesting a coordinated release date (CRD) of <2016-11-23 16:00 UTC>.

A malicious root user in an LXC container can ptrace the connecting
lxc-attach process and then manipulate it. One attack is to use the
inherited file descriptor, of the host's /proc, to access the rest of
the host's filesystem via the openat() family of syscalls. The file
descriptor is needed to write to /proc/<PID>/attr/current or
/proc/<PID>/attr/exec to set the AppArmor/SELinux label of the attached
process. The LXC upstream developers have developed a patch (see
attachment) to protect against this attack by only passing a file
descriptor of either the current or exec file itself.

A CVE, against LXC, is requested for the attack allowing the /proc fd to
be used to access the host filesystem.

There's also an additional attack where a malicious root user in an
unprivileged container can ptrace the connecting lxc-attach process and
bypass the AppArmor/SELinux confinement completely and/or prevent
lxc-attach from dropping privileges (privileges equal to the user that
initially ran lxc-attach). To fix that issue, a kernel patch is needed to
prevent such a ptrace operation. The LXC upstream developers report that
the following patch from Eric Biederman prevents this attack:


The kernel patch is public and, as far as I know, is not associated with
any CVE. The Ubuntu Kernel team reports that it fixes the disputed
CVE-2015-8709, in addition to the issue described above, but I do not
believe that they are the same issue.

I'm not sure if a CVE should be assigned for this kernel issue on
linux-distros or if I should request one on oss-security on the CRD. At
this point, I don't understand the full impact of that kernel change
well enough to put together a meaningful CVE request. Suggestions/ideas
are welcome.

The attached LXC patch that withholds the /proc fd from the connecting
lxc-attach process mitigates the kernel issue in that, even though
the malicious root user in the container can bypass MAC confinement
and/or prevent privilege dropping, there's no obvious way to access or
modify the host filesystem.
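The description above explains why the upstream fix passes the attr/current or attr/exec file itself instead of a directory fd: openat() can only anchor a relative path on a directory fd, so a regular-file fd is useless for traversal. The following is an added example written for this page, not code from the report or from LXC. It shows the two checks a receiver of an inherited fd can apply before trusting it (fstat() for S_ISREG, and the kernel's own ENOTDIR answer when a file fd is used as an openat() base), plus a hypothetical open_attr_file() helper that opens only /proc/<pid>/attr/current or /proc/<pid>/attr/exec. The scratch file used in the demo is a constructed stand-in so the code runs without an LSM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if fd refers to a regular file, 0 for anything else
 * (directories, sockets, closed fds). A receiver that only ever expects
 * the attr/current or attr/exec file can reject every other fd up front. */
int fd_is_regular_file(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0)
        return 0;
    return S_ISREG(st.st_mode) ? 1 : 0;
}

/* Tries to use fd as the base directory of a relative openat().
 * Returns 0 if the kernel accepted it, otherwise the errno it reported.
 * A regular-file fd yields ENOTDIR: it cannot anchor path traversal. */
int probe_openat_base(int fd)
{
    int r = openat(fd, ".", O_RDONLY);
    if (r < 0)
        return errno;
    close(r);
    return 0;
}

/* Hypothetical helper mirroring the fix the report describes: open the
 * label file itself (/proc/<pid>/attr/current or /proc/<pid>/attr/exec),
 * never /proc. Any other name is refused with EINVAL. Returns fd or -1. */
int open_attr_file(pid_t pid, const char *name)
{
    char path[64];
    if (strcmp(name, "current") != 0 && strcmp(name, "exec") != 0) {
        errno = EINVAL;
        return -1;
    }
    snprintf(path, sizeof path, "/proc/%ld/attr/%s", (long)pid, name);
    return open(path, O_RDWR | O_CLOEXEC);
}

/* Constructed stand-in for the attr file: an unlinked scratch file. */
int make_scratch_file_fd(void)
{
    char tmpl[] = "/tmp/attr-demo-XXXXXX";
    int fd = mkstemp(tmpl);
    if (fd >= 0)
        unlink(tmpl);
    return fd;
}

/* openat() result for a regular-file fd: expected ENOTDIR. */
int demo_regular_file_probe(void)
{
    int fd = make_scratch_file_fd();
    int rc = fd < 0 ? errno : probe_openat_base(fd);
    if (fd >= 0)
        close(fd);
    return rc;
}

/* openat() result for a directory fd: expected 0 (traversal possible). */
int demo_directory_probe(void)
{
    int fd = open("/", O_RDONLY | O_DIRECTORY);
    int rc = fd < 0 ? errno : probe_openat_base(fd);
    if (fd >= 0)
        close(fd);
    return rc;
}

int main(void)
{
    printf("regular-file fd as openat base: %s\n",
           strerror(demo_regular_file_probe()));
    printf("directory fd as openat base:    %s\n",
           strerror(demo_directory_probe()));
    int attr = open_attr_file(getpid(), "current");
    if (attr >= 0) {
        printf("attr/current fd is regular file: %d\n", fd_is_regular_file(attr));
        close(attr);
    } else {
        printf("attr/current not available here: %s\n", strerror(errno));
    }
    return 0;
}
```

On a host with an LSM enabled the last line reports that the attr/current fd is a regular file; the first two lines show that the same fd would be rejected by openat() with ENOTDIR while a directory fd is accepted, which is exactly the property the fix relies on.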

Comment 2 Marcus Meissner 2016-11-18 12:34:40 UTC
CRD: 2016-11-23 16:00 UTC
Comment 5 Swamp Workflow Management 2016-11-18 23:00:43 UTC
bugbot adjusting priority
Comment 6 Bernhard Wiedemann 2016-12-06 23:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (1010933) was mentioned in
https://build.opensuse.org/request/show/444350 13.2+42.1+42.2 / lxc
https://build.opensuse.org/request/show/444354 42.1 / lxc
https://build.opensuse.org/request/show/444355 42.2 / lxc
Comment 7 Bernhard Wiedemann 2016-12-07 12:43:34 UTC
is public since 2016-11-23
Comment 8 Swamp Workflow Management 2016-12-16 18:07:41 UTC
openSUSE-SU-2016:3179-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1010933
CVE References: CVE-2016-8649
Sources used:
openSUSE Leap 42.2 (src):    lxc-1.1.2-10.1
openSUSE Leap 42.1 (src):    lxc-1.1.2-9.1
openSUSE 13.2 (src):    lxc-1.0.6-12.1
Comment 9 Swamp Workflow Management 2017-02-28 23:12:12 UTC
SUSE-SU-2017:0575-1: An update that solves 11 vulnerabilities and has 95 fixes is now available.

Category: security (important)
Bug References: 1000092,1000619,1003077,1005918,1006469,1006472,1007729,1008742,1009546,1009674,1009718,1009911,1010612,1010690,1010933,1011176,1011602,1011660,1011913,1012382,1012422,1012829,1012910,1013000,1013001,1013273,1013540,1013792,1013994,1014120,1014410,1015038,1015367,1015840,1016250,1016403,1016517,1016884,1016979,1017164,1017170,1017410,1018100,1018316,1018358,1018446,1018813,1018913,1019061,1019148,1019168,1019260,1019351,1019594,1019630,1019631,1019784,1019851,1020048,1020214,1020488,1020602,1020685,1020817,1020945,1020975,1021082,1021248,1021251,1021258,1021260,1021294,1021455,1021474,1022304,1022429,1022476,1022547,1022559,1022971,1023101,1023175,1023762,1023884,1023888,1024081,1024234,1024508,1024938,1025235,921494,959709,964944,969476,969477,969479,971975,974215,981709,982783,985561,987192,987576,989056,991273,998106
CVE References: CVE-2015-8709,CVE-2016-7117,CVE-2016-9806,CVE-2017-2583,CVE-2017-2584,CVE-2017-5551,CVE-2017-5576,CVE-2017-5577,CVE-2017-5897,CVE-2017-5970,CVE-2017-5986
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src):    kernel-default-4.4.49-92.11.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    kernel-docs-4.4.49-92.11.3, kernel-obs-build-4.4.49-92.11.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
SUSE Linux Enterprise Server 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
SUSE Linux Enterprise Live Patching 12 (src):    kgraft-patch-SLE12-SP2_Update_5-1-6.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    kernel-default-4.4.49-92.11.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    kernel-default-4.4.49-92.11.1, kernel-source-4.4.49-92.11.1, kernel-syms-4.4.49-92.11.1
OpenStack Cloud Magnum Orchestration 7 (src):    kernel-default-4.4.49-92.11.1
Comment 10 Cédric Bosdonnat 2017-03-24 08:34:46 UTC
Marcus, can we close this bug?
Comment 11 Marcus Meissner 2017-03-30 14:45:04 UTC

(usually if you submit everything you can reassign the bug to security-team)
Comment 12 Bernhard Wiedemann 2017-11-15 15:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (1010933) was mentioned in
https://build.opensuse.org/request/show/542066 15.0 / lxc