Bug 1206370 - (CVE-2022-4318) VUL-0: CVE-2022-4318: cri-o: /etc/passwd tampering privesc
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
: P3 - Medium : Normal
Assigned To: Jeff Kowalczyk
Security Team bot
Reported: 2022-12-13 12:34 UTC by Thomas Leroy
Modified: 2022-12-14 09:18 UTC (History)

Found By: Security Response Team


Description Thomas Leroy 2022-12-13 12:34:24 UTC

Tested with OCP 4.10.0-0.okd-2022-06-10-131327 & 4.11.7

It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc (so reducing impact to moderate). Better to sanitize the home directory. 

Using non-default SCC (anyuid, for example) does allow the process to become root on the host. As the container author, you could already just add the problematic line into /etc/passwd rather than injecting it into the HOME environment variable. Thus, impact is moderate as exploitation is unlikely, limiting impact to confidentiality. However, the input should be sanitized and this should be fixed.
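
The sanitization the report asks for, sketched as an added example (not part of the original report and not cri-o's own code): a passwd(5) line builder that refuses a home directory containing control characters or the `:` field separator, shown next to an unchecked builder. The function names and the sample values are hypothetical and constructed for illustration; only the home-directory field is checked here, since that is the field the report is about.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// naivePasswdEntry formats a passwd(5) line without checking homeDir, the
// pattern the report describes: a newline in the value ends the record early.
func naivePasswdEntry(user string, uid, gid int, homeDir string) string {
	return fmt.Sprintf("%s:x:%d:%d::%s:/sbin/nologin\n", user, uid, gid, homeDir)
}

var errUnsafeHome = errors.New("home directory is not safe for /etc/passwd")

// safePasswdEntry rejects any homeDir that could change the record structure:
// control characters (including \n and \r), the ':' field separator, and
// non-absolute paths. On success it returns exactly one line.
func safePasswdEntry(user string, uid, gid int, homeDir string) (string, error) {
	if !path.IsAbs(homeDir) || strings.ContainsRune(homeDir, ':') {
		return "", errUnsafeHome
	}
	for _, r := range homeDir {
		if r < 0x20 || r == 0x7f {
			return "", errUnsafeHome
		}
	}
	return naivePasswdEntry(user, uid, gid, path.Clean(homeDir)), nil
}

// countRecords returns how many passwd records a generated string contains.
func countRecords(s string) int {
	return len(strings.Split(strings.TrimRight(s, "\n"), "\n"))
}

func main() {
	// Constructed sample values, not taken from the bug report.
	benign := "/home/app"
	crafted := "/home/app:/sbin/nologin\ninjected:x:1001:1001::/tmp"

	fmt.Println("naive, crafted HOME:", countRecords(naivePasswdEntry("app", 1000, 1000, crafted)), "records")
	_, err := safePasswdEntry("app", 1000, 1000, crafted)
	fmt.Println("hardened, crafted HOME:", err)
	line, _ := safePasswdEntry("app", 1000, 1000, benign)
	fmt.Print("hardened, benign HOME: ", line)
}
```

Rejecting the value outright, rather than stripping the offending characters, keeps the written home directory identical to what the rest of the runtime sees for HOME.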