Описание
Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2017-16539
- https://github.com/moby/moby/pull/35399
- https://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- https://marc.info/?l=linux-scsi&m=150985062200941&w=2
- https://marc.info/?l=linux-scsi&m=150985455801444&w=2
- https://twitter.com/ewindisch/status/926443521820774401
Пакеты
github.com/moby/moby
< 17.12.0-ce
17.12.0-ce
Связанные уязвимости
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby throug ...
Security update for docker, docker-runc, containerd, golang-github-docker-libnetwork