Bug 1206370 - (CVE-2022-4318) VUL-0: CVE-2022-4318: cri-o: /etc/passwd tampering privesc
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assigned To: Jeff Kowalczyk
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/350358/
Depends on:
Blocks:
Reported: 2022-12-13 12:34 UTC by Thomas Leroy
Modified: 2022-12-14 09:18 UTC
CC List: 2 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Thomas Leroy 2022-12-13 12:34:24 UTC
rh#2152703

Tested with OCP 4.10.0-0.okd-2022-06-10-131327 & 4.11.7

It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc (so reducing impact to moderate). Better to sanitize the home directory. 

Using non-default SCC (anyuid, for example) does allow the process to become root on the host. As the container author, you could already just add the problematic line into /etc/passwd rather than injecting it into the HOME environment variable. Thus, impact is moderate as exploitation is unlikely, limiting impact to confidentiality. However, the input should be sanitized and this should be fixed.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2152703
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-4318
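The report above describes the mechanism only in one sentence: a runtime that appends a passwd record for the container user, with the HOME value taken unchecked from the container environment, lets a newline in that value turn one appended record into two. The following Go program is an added illustration written for this page; it is not cri-o's code, and the exact record layout (`container user` as the GECOS field, `/bin/sh` as the shell), the function names, and the sample `/etc/passwd` content are all assumptions constructed for the example. It shows the unsanitized append beside a hardened variant that rejects line breaks, colons and other control characters before the record is built, and a small parser that makes the effect visible by listing every record that resolves to uid 0.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// defaultShell is the shell assumed for the appended record (assumption, not cri-o's value).
const defaultShell = "/bin/sh"

// samplePasswd is constructed sample content for this example, not taken from any host.
const samplePasswd = "root:x:0:0:root:/root:/bin/bash\n" +
	"nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin\n"

// unsafeEntry reproduces the vulnerable pattern: the HOME value supplied by the
// container environment is interpolated into a new passwd record unchecked, so a
// value containing "\n" yields a second, attacker-chosen record.
func unsafeEntry(uid, gid uint32, home string) string {
	return fmt.Sprintf("%d:x:%d:%d:container user:%s:%s\n", uid, uid, gid, home, defaultShell)
}

// safeEntry is the hardened form: the HOME value is validated against the
// passwd record grammar before it is placed into the record.
func safeEntry(uid, gid uint32, home string) (string, error) {
	if err := validatePasswdField(home); err != nil {
		return "", fmt.Errorf("refusing to build passwd entry: %w", err)
	}
	return unsafeEntry(uid, gid, home), nil
}

// validatePasswdField rejects anything that would break the line- and
// colon-delimited format: "\n"/"\r" inject extra records, ":" shifts fields,
// and other control characters have no business in a passwd field.
func validatePasswdField(v string) error {
	for _, r := range v {
		switch {
		case r == '\n' || r == '\r':
			return errors.New("field contains a line break")
		case r == ':':
			return errors.New("field contains a colon")
		case r < 0x20 || r == 0x7f:
			return fmt.Errorf("field contains control character %#x", r)
		}
	}
	return nil
}

// record holds the two passwd fields the example cares about.
type record struct {
	name string
	uid  string
}

// parsePasswd splits passwd content into records, keeping only well-formed
// seven-field lines.
func parsePasswd(content string) []record {
	var out []record
	for _, line := range strings.Split(content, "\n") {
		if line == "" {
			continue
		}
		f := strings.Split(line, ":")
		if len(f) != 7 {
			continue
		}
		out = append(out, record{name: f[0], uid: f[2]})
	}
	return out
}

// uidZeroNames returns the names of every record that maps to uid 0; after a
// successful injection this list grows beyond "root".
func uidZeroNames(content string) []string {
	var names []string
	for _, r := range parsePasswd(content) {
		if r.uid == "0" {
			names = append(names, r.name)
		}
	}
	return names
}

func main() {
	// Constructed HOME value: it closes the legitimate record with a shell
	// field and then starts a second, uid-0 record on a new line.
	malicious := "/home/app:/bin/sh\nevil:x:0:0::/root"

	vuln := samplePasswd + unsafeEntry(1000, 1000, malicious)
	fmt.Printf("unsafe: %d records, uid 0 names %v\n", len(parsePasswd(vuln)), uidZeroNames(vuln))

	if _, err := safeEntry(1000, 1000, malicious); err != nil {
		fmt.Println("safe:", err)
	}
	entry, _ := safeEntry(1000, 1000, "/home/app")
	fmt.Printf("safe: %d records, uid 0 names %v\n",
		len(parsePasswd(samplePasswd+entry)), uidZeroNames(samplePasswd+entry))
}
```

Running it shows the unsanitized append producing four records with both `root` and `evil` at uid 0, while the hardened path refuses the same value and appends exactly one record for a benign HOME. The validation is deliberately a rejection rather than an escape: there is no escaping syntax in passwd, so the only safe response to a line break or colon in a field is to refuse the value.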