Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <ZtcMUR8Leae-eUIM@dojo.mi.org>
Date: Tue, 3 Sep 2024 09:17:05 -0400
From: "Mike O'Connor" <mjo@...o.mi.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-2024-45310: runc can be tricked into creating
 empty files/directories on host

:Due to the low severity of this CVE, this security patch is being released with
:NO embargo period.
:
:[ Summary ]
:
:runc 1.1.13 and earlier as well as 1.2.0-rc2 and earlier can be tricked into
:creating empty files or directories in arbitrary locations in the host
:filesystem by sharing a volume between two containers and exploiting a race
:with os.MkdirAll. While this can be used to create empty files, existing
:files **will not** be truncated.
:
:An attacker must have the ability to start containers using some kind of custom
:volume configuration. Containers using user namespaces are still affected, but
:the scope of places an attacker can create inodes can be significantly reduced.
:Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block
:this attack -- we suspect the industry standard SELinux policy may restrict
:this attack's scope but the exact scope of protection hasn't been analysed.
:
:This is exploitable using runc directly as well as through Docker and
:Kubernetes.
:
:The CVSS score for this vulnerability is
:CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N (Low severity, 3.6).

While I suspect there's enough mitigating factors for this vuln to
truly be low severity, proving that arbitrary file creation isn't
super-severe (let alone risky) can be hard.  I'm thinking of the Palo
Alto mess CVE-2024-3400 from a few months back, where such behavior
was thought to not be as big of a deal...  until it was.

What is the security impact of creating an empty /etc/nologin?  Or an
empty override file that might cause some systemd service (e.g. some
firewall setup) to not to run upon reboot/restart?  Have there been OS
assessments about where empty arbitrarily-named files can do the most
disruption?  Maybe a title like:

     touch considered harmful: How the presence of a file can change
     OS and application behavior and make your head hurt

Sure, there's predictable tmp, and the impact of removing/overwriting
files is pretty obvious.  But, this runc writeup reminded me that the
impact of arbirary file creation often gets short-changed.


Take FWIW...
-Mike

-- 
 Michael J. O'Connor                                          mjo@...o.mi.org
 =--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--==--=
"I buy expensive suits. They just look cheap on me."          -Warren Buffett

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.