Описание
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to disable-sudo bypass. Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0.
Меры по смягчению последствий
This vulnerability has been fixed in Harden-Runner version v2.12.0. Users should migrate to the stronger disable-sudo-and-containers policy. This setting: • Disables sudo access, • Removes access to dockerd and containerd sockets, • Uninstalls Docker from the runner entirely, preventing container-based privilege escalation paths.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/pathservice-rhel9 | Fix deferred | ||
| Red Hat Enterprise Linux AI (RHEL AI) | rhelai1/ui-rhel9 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-gateway-opa-rhel8 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-gateway-rhel8 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-jaeger-query-rhel8 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-operator-bundle | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-query-rhel8 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-rhel8 | Fix deferred | ||
| Red Hat OpenShift distributed tracing 3 | rhosdt/tempo-rhel8-operator | Fix deferred |
Показывать по
Ссылки на источники
Дополнительная информация
Статус:
EPSS
6 Medium
CVSS3
Связанные уязвимости
Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to `disable-sudo` bypass. Harden-Runner includes a policy option `disable-sudo` to prevent the GitHub Actions runner user from using sudo. This is implemented by removing the runner user from the sudoers file. However, this control can be bypassed as the runner user, being part of the docker group, can interact with the Docker daemon to launch privileged containers or access the host filesystem. This allows the attacker to regain root access or restore the sudoers file, effectively bypassing the restriction. This issue has been patched in version 2.12.0.
Harden-Runner allows evasion of 'disable-sudo' policy
EPSS
6 Medium
CVSS3