Описание
containerd affected by a local privilege escalation via wide permissions on CRI directory
Impact
An overly broad default permission vulnerability was found in containerd.
/var/lib/containerdwas created with the permission bits 0o711, while it should be created with 0o700- Allowed local users on the host to potentially access the metadata store and the content store
/run/containerd/io.containerd.grpc.v1.criwas created with 0o755, while it should be created with 0o700- Allowed local users on the host to potentially access the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
/run/containerd/io.containerd.sandbox.controller.v1.shimwas created with 0o711, while it should be created with 0o700
The directory paths may differ depending on the daemon configuration.
When the temp directory path is specified in the daemon configuration, that directory was also created with 0o711, while it should be created with 0o700.
Patches
This bug has been fixed in the following containerd versions:
- 2.2.0
- 2.1.5
- 2.0.7
- 1.7.29
Users should update to these versions to resolve the issue. These updates automatically change the permissions of the existing directories.
[!NOTE]
/run/containerdand/run/containerd/io.containerd.runtime.v2.taskare still created with 0o711. This is an expected behavior for supporting userns-remapped containers.
Workarounds
The system administrator on the host can manually chmod the directories to not have group or world accessible permisisons:
An alternative mitigation would be to run containerd in rootless mode.
Credits
The containerd project would like to thank David Leadbeater for responsibly disclosing this issue in accordance with the containerd security policy.
For more information
If you have any questions or comments about this advisory:
- Open an issue in containerd
- Email us at security@containerd.io
To report a security issue in containerd:
Пакеты
github.com/containerd/containerd
< 1.7.29
1.7.29
github.com/containerd/containerd/v2
< 2.0.7
2.0.7
github.com/containerd/containerd/v2
>= 2.1.0-beta.0, < 2.1.5
2.1.5
github.com/containerd/containerd/v2
>= 2.2.0-beta.0, < 2.2.0
2.2.0
Связанные уязвимости
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode.
containerd affected by a local privilege escalation via wide permissions on CRI directory
containerd is an open-source container runtime. Versions 0.1.0 through ...
