Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 27 Jul 2016 13:27:08 -0400
From: Daniel J Walsh <dwalsh@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: Re: cve request: systemd-machined: information
 exposure for docker containers



On 07/27/2016 01:05 PM, Christian Rebischke wrote:
> On Tue, Jul 26, 2016 at 03:24:13PM -0400, cve-assign@...re.org wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>>> Once docker containers register themselves to systemd-machined
>>> by oci-register-machine. Any unprivileged user could run
>>> machinectl to list every single containers running in the host
>>> even if the containers do not belong to this user (including containers
>>> belong to the root user), and access sensitive information associated
>>> with any individual container including its internal IP address, OS
>>> version, running processes, and file path for its rootfs.
>>>
>>> $ machinectl status cc8d10c7b9892b75843d200d54d34a3a
>>> cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735)
>>>            Since: Mon 2016-07-25 17:55:36 UTC; 34s ago
>>>           Leader: 43494 (sleep)
>>>          Service: docker; class container
>>>             Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613
>>>          Address: 172.17.0.2
>>>                   fe80::42:acff:fe11:2
>>>               OS: Red Hat Enterprise Linux Server 7.2 (Maipo)
>>>             Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d
>>>                   43494 sleep 3000
>> Use CVE-2016-6349.
> Hello,
> I don't think that the bug for this problem lies in systemd.
> It's more a design mistake in docker or oci-register-machine.
> I have forwarded this issue to the systemd developer team and I don't
> think they will fix this in the future. In their opinion it's a
> bug in docker or oci-register-machine:
>
> https://github.com/systemd/systemd/issues/3815
>
> by the way.. I would feel glad if the security researchers would first
> message the developers and then assign a CVE a bug. This is the normal
> way for a full disclosure.
>
> best regards,
>
> Christian Rebischke
Why is this a bug in oci-register-machine?  All it is doing is calling
the systemd-machine call to register with it using the three flags
available.
Is systemd saying we should not use that call?

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ