Date: Wed, 23 Nov 2016 10:53:20 -0600 From: Tyler Hicks <tyhicks@...onical.com> To: oss-security@...ts.openwall.com Cc: Roman Fiedler <roman.fiedler@....ac.at>, Stéphane Graber <stgraber@...ntu.com>, "Eric W. Biederman" <ebiederm@...ssion.com> Subject: Security issue in LXC (CVE-2016-8649) with additional Linux kernel implications Roman Fiedler from AIT discovered that a malicious root user in an LXC container can ptrace the connecting lxc-attach process and then manipulate it. CVE-2016-8649 https://github.com/lxc/lxc/commit/81f466d05f2a89cb4f122ef7f593ff3f279b165c https://launchpad.net/bugs/1639345 CVE-2016-8649 was assigned to the issue that allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat() family of syscalls. The file descriptor is needed to write to /proc/<PID>/attr/current or /proc/<PID>/attr/exec to set the AppArmor/SELinux label of the attached process. The LXC upstream developers have developed a patch to protect against this attack by only passing a file descriptor of either the current or exec file itself. There's also an additional attack where a malicious root user in an unprivileged container can ptrace the connecting lxc-attach process and bypass the AppArmor/SELinux confinement completely and/or prevent lxc-attach from dropping privileges (privileges equal to the user that initial ran lxc-attach). To fix that issue, a kernel patch is needed to prevent such a ptrace operation. The LXC upstream developers report that the following patch from Eric Biederman prevents this attack: https://git.kernel.org/cgit/linux/kernel/git/ebiederm/user-namespace.git/commit/?h=for-next&id=2e41414828bb0b066bde2f156cfa848c38531edf The kernel patch has not yet been merged and, as far as I know, is not associated with any CVE. The Ubuntu Kernel team reports that it fixes the disputed CVE-2015-8709, in addition to the issue described above, but I do not believe that they are the same issue. I'm not sure if a CVE should be assigned for this kernel issue. At this point, I don't understand the full impact of that kernel change well enough to put together a meaningful CVE request. Suggestions/ideas are welcome. The LXC fix for CVE-2016-8649 that withholds the /proc fd from the connecting lxc-attach process mitigates the kernel issue in that it, even though the malicious root user in the container can bypass MAC confinement and/or prevent privilege dropping, there's no obvious way to access or modify the host filesystem. Tyler Download attachment "signature.asc" of type "application/pgp-signature" (802 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.