Date: Wed, 23 Nov 2016 10:53:20 -0600 From: Tyler Hicks <tyhicks@...onical.com> To: oss-security@...ts.openwall.com Cc: Roman Fiedler <roman.fiedler@....ac.at>, Stéphane Graber <stgraber@...ntu.com>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Security issue in LXC (CVE-2016-8649) with additional Linux kernel implications Roman Fiedler from AIT discovered that a malicious root user in an LXC container can ptrace the connecting lxc-attach process and then manipulate it. CVE-2016-8649 https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c https://launchpad.net/bugs/1639345 CVE-2016-8649 was assigned to the issue that allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls. The file descriptor is needed to write to /proc/<PID>/attr/current or /proc/<PID>/attr/exec to set the AppArmor/SELinux label of the attached process. The LXC upstream developers have developed a patch to protect against this attack by only passing a file descriptor of either the current or exec file itself. There's also an additional attack where a malicious root user in an unprivileged container can ptrace the connecting lxc-attach process and bypass the AppArmor/SELinux confinement completely and/or prevent lxc-attach from dropping privileges (privileges equal to the user that initial ran lxc-attach). To fix that issue, a kernel patch is needed to prevent such a ptrace operation. The LXC upstream developers report that the following patch from Eric Biederman prevents this attack: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-next&id=2e41414828bb0b066bde2f156cfa848c38531edf The kernel patch has not yet been merged and, as far as I know, is not associated with any CVE. The Ubuntu Kernel team reports that it fixes the disputed CVE-2015-8709, in addition to the issue described above, but I do not believe that they are the same issue. I'm not sure if a CVE should be assigned for this kernel issue. At this point, I don't understand the full impact of that kernel change well enough to put together a meaningful CVE request. Suggestions/ideas are welcome. The LXC fix for CVE-2016-8649 that withholds the /proc fd from the connecting lxc-attach process mitigates the kernel issue in that it, even though the malicious root user in the container can bypass MAC confinement and/or prevent privilege dropping, there's no obvious way to access or modify the host filesystem. Tyler Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ