Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 23 Nov 2016 10:53:20 -0600
From: Tyler Hicks <tyhicks@...onical.com>
To: oss-security@...ts.openwall.com
Cc: Roman Fiedler <roman.fiedler@....ac.at>,
 St├ęphane Graber <stgraber@...ntu.com>,
 "Eric W. Biederman" <ebiederm@...ssion.com>
Subject: Security issue in LXC (CVE-2016-8649) with additional Linux kernel
 implications

Roman Fiedler from AIT discovered that a malicious root user in an LXC
container can ptrace the connecting lxc-attach process and then
manipulate it.

CVE-2016-8649
https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c
https://launchpad.net/bugs/1639345

CVE-2016-8649 was assigned to the issue that allows an attacker inside
of an unprivileged container to use an inherited file descriptor, of the
host's /proc, to access the rest of the host's filesystem via the
openat() family of syscalls. The file descriptor is needed to write to
/proc/<PID>/attr/current or /proc/<PID>/attr/exec to set the
AppArmor/SELinux label of the attached process. The LXC upstream
developers have developed a patch to protect against this attack by only
passing a file descriptor of either the current or exec file itself.


There's also an additional attack where a malicious root user in an
unprivileged container can ptrace the connecting lxc-attach process and
bypass the AppArmor/SELinux confinement completely and/or prevent
lxc-attach from dropping privileges (privileges equal to the user that
initial ran lxc-attach). To fix that issue, a kernel patch is needed to
prevent such a ptrace operation. The LXC upstream developers report that
the following patch from Eric Biederman prevents this attack:

https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-next&id=2e41414828bb0b066bde2f156cfa848c38531edf

The kernel patch has not yet been merged and, as far as I know, is not
associated with any CVE. The Ubuntu Kernel team reports that it fixes
the disputed CVE-2015-8709, in addition to the issue described above,
but I do not believe that they are the same issue.

I'm not sure if a CVE should be assigned for this kernel issue. At
this point, I don't understand the full impact of that kernel change
well enough to put together a meaningful CVE request. Suggestions/ideas
are welcome.

The LXC fix for CVE-2016-8649 that withholds the /proc fd from the
connecting lxc-attach process mitigates the kernel issue in that it,
even though the malicious root user in the container can bypass MAC
confinement and/or prevent privilege dropping, there's no obvious way to
access or modify the host filesystem.

Tyler



Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ