Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20211206045814.q3o5m32osc37ra4o@senku>
Date: Mon, 6 Dec 2021 15:58:14 +1100
From: Aleksa Sarai <cyphar@...har.com>
To: oss-security@...ts.openwall.com
Subject: CVE-2021-43784: integer overflow in runc's netlink bytemsg allows
 malicious configuration to discreetly modify container configuration

GitHub Advisory:
  <https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f>

This vulnerability was originally thought to be exploitable in released
versions of runc and thus a CVE was assigned (though it was thought to
be more difficult than with the yet-unreleased runc tree), but
subsequent analysis found that it appears to never have been exploitable
outside of the yet-unreleased runc tree.

However, out of an abundance of caution we still followed through with
an emergency release of runc 1.0.3[2] which resolves this issue.

[ Impact ]

In runc, netlink is used internally as a serialization system for
specifying the relevant container configuration to the C portion of our
code (responsible for the based namespace setup of containers). In all
versions of runc prior to 1.0.3, the encoder did not handle the
possibility of an integer overflow in the 16-bit length field for the
byte array attribute type, meaning that a large enough malicious byte
array attribute could result in the length overflowing and the attribute
contents being parsed as netlink messages for container configuration.

This vulnerability requires the attacker to have some control over the
configuration of the container and would allow the attacker to bypass
the namespace restrictions of the container by simply adding their own
netlink payload which disables all namespaces.

Prior to 9c44407, in practice it was fairly difficult to specify an
arbitrary-length netlink message with most container runtimes. The only
user-controlled byte array was the namespace paths attributes which can
be specified in runc's config.json, but as far as we can tell no
container runtime gives raw access to that configuration setting -- and
having raw access to that setting would allow the attacker to disable
namespace protections entirely anyway (setting them to /proc/1/ns/...
for instance). In addition, each namespace path is limited to 4096 bytes
(with only 7 namespaces supported by runc at the moment) meaning that
even with custom namespace paths it appears an attacker still cannot
shove enough bytes into the netlink bytemsg in order to overflow the
uint16 counter.

However, out of an abundance of caution (given how old this bug is) we
decided to treat it as a potentially exploitable vulnerability with a
low severity. After 9c44407 (which was not present in any release of
runc prior to the discovery of this bug), all mount paths are included
as a giant netlink message which means that this bug becomes
significantly more exploitable in more reasonable threat scenarios.

The main users impacted are those who allow untrusted images with
untrusted configurations to run on their machines (such as with shared
cloud infrastructure), though as mentioned above it appears this bug was
not practically exploitable on any released version of runc to date.

[ Patches ]

The patch for this is commit d72d057[1] and runc 1.0.3[2] was released with
this bug fixed.

[ Workarounds ]

To the extent this is exploitable, disallowing untrusted namespace paths
in container configuration should eliminate all practical ways of
exploiting this bug. It should be noted that untrusted namespace paths
would allow the attacker to disable namespace protections entirely even
in the absence of this bug.

[ Credits ]

Thanks for Felix Wilhelm from Google Project Zero for discovering this
vulnerability.

[1]: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae
[2]: https://github.com/opencontainers/runc/releases/tag/v1.0.3

-- 
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>

Download attachment "signature.asc" of type "application/pgp-signature" (229 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.