Описание
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
Отчет
Red Hat Product Security has rated this vulnerability as low severity for affected products which run on OpenShift. The vulnerability allows for potential privilege escalation within a container, but OpenShift's default, multi-layered security posture effectively mitigates this risk. The primary controls include the default Security Context Constraints (SCC), which severely limit a container's permissions from the start, and SELinux, which enforces mandatory access control to ensure strict isolation. While other container runtime environments may have different controls available and require case-by-case analysis, OpenShift's built-in defenses are designed to prevent this type of attack.
Меры по смягчению последствий
In Red Hat OpenShift Container Platform, the following default configurations reduce the impact of this vulnerability. Security Context Constraints (SCCs): The default SCC, Restricted-v2, applies several crucial security settings to containers. Capabilities: drop: ALL removes all Linux capabilities, including SETUID and SETGID. This prevents a process from changing its user or group ID, a common step in privilege escalation attacks. The SETUID and SETGID capabilities can also be dropped explicitly if other capabilities are still required. allowPrivilegeEscalation: false ensures that a process cannot gain more privileges than its parent process. This blocks attempts by a compromised container process to grant itself additional capabilities. SELinux Mandatory Access Control (MAC): Pods are required to run with a pre-allocated Multi-Category Security (MCS) label. This SELinux feature provides a strong layer of isolation between containers and from the host system. A properly configured SELinux policy can prevent a container escape, even if an attacker gains elevated permissions within the container itself. Filesystem Hardening: While not a default setting, a common security practice is to set readOnlyRootFilesystem: true in a container's security context. In this specific scenario, this configuration would prevent an attacker from modifying critical files like /etc/passwd, even if they managed to gain file-level write permissions.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| File Integrity Operator | compliance/openshift-file-integrity-operator-bundle | Affected | ||
| File Integrity Operator | compliance/openshift-file-integrity-rhel8-operator | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/addon-manager-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/clusterlifecycle-state-metrics-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/clusterlifecycle-state-metrics-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/discovery-rhel8 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/discovery-rhel9 | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hypershift-addon-rhel8-operator | Affected | ||
| Multicluster Engine for Kubernetes | multicluster-engine/hypershift-addon-rhel9-operator | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
5.2 Medium
CVSS3
Связанные уязвимости
Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file is created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.
operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd
EPSS
5.2 Medium
CVSS3