Privilege Escalation Affecting github.com/opencontainers/runc/libcontainer package, versions <1.0.0-rc91


Severity: medium

  • Attack Complexity: High
  • Privileges Required: High
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • snyk-id: SNYK-GOLANG-GITHUBCOMOPENCONTAINERSRUNCLIBCONTAINER-575144
  • published: 2 Jul 2020
  • disclosed: 2 Jul 2020
  • credit: cyphar

Introduced: 2 Jul 2020

CWE-264

How to fix?

Upgrade github.com/opencontainers/runc/libcontainer to version 1.0.0-rc91 or higher. Configurations whose linux.resources.devices list already begins with a deny-all rule (as every known runc consumer's does) are not exposed even on older versions, so the upgrade matters most for hand-written config.json files.

Overview

github.com/opencontainers/runc/libcontainer is the Go library underlying runc, the reference OCI container runtime; it sets up namespaces, cgroups and the rest of a container from an OCI config.json.

Affected versions of this package are vulnerable to Privilege Escalation. runc's implementation of the linux.resources.devices list was a black-list by default: the rules were applied on top of an allow-all devices cgroup rather than a deny-all one. Users who created their own config.json and did not prefix the list with a deny-all rule ({"allow": false, "access": "rwm"} in OCI config.json terms, where "access" corresponds to the "permissions" field of libcontainer's own config, or an equivalent) therefore received no protection from the devices cgroup at all. A malicious container with sufficient privileges could then create arbitrary device inodes (assuming it holds CAP_MKNOD, with any major and minor number) and open and operate on any device inode it can reach (assuming it has regular Unix DAC permissions on that node), because no cgroup rule would refuse the access.

However, most (if not all) programs that use runc already include this deny-all rule. It was most likely added before the specification mandated a white-list of devices, and because every known consumer wrote its own deny-all rule, the bug went unnoticed for several years; even the specification's own examples begin with a deny-all rule. While this is a security bug (and has been fixed as one), it was almost certainly not exploitable in the wild, since all known users of runc prefix a deny-all rule by default, which is why the upstream runc advisory rates it low severity.
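As an added example (not part of this Snyk page and not runc's or libcontainer's own code), the following Go program applies the advisory's criterion to an OCI config.json: the linux.resources.devices list only confines a container on runc before 1.0.0-rc91 if its first rule is a deny-all, so the program reports whether that prefix is present and prepends one when it is missing. The DeviceRule and ociConfig types, the function names and the two embedded config.json documents are constructed for this example; the JSON field names (allow, type, major, minor, access) are those of the OCI runtime-spec, and nil or -1 major/minor is treated as "all devices", as the spec's examples do.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// DeviceRule is a hand-written mirror of the OCI runtime-spec fields in a
// linux.resources.devices entry; it is not the runtime-spec or libcontainer
// Go type (this example deliberately uses only the standard library).
type DeviceRule struct {
	Allow  bool   `json:"allow"`
	Type   string `json:"type,omitempty"`   // "a", "b", "c" or "" (all types)
	Major  *int64 `json:"major,omitempty"`  // nil or -1 means "all"
	Minor  *int64 `json:"minor,omitempty"`  // nil or -1 means "all"
	Access string `json:"access,omitempty"` // any combination of r, w, m
}

// ociConfig is the slice of config.json this check needs.
type ociConfig struct {
	Linux struct {
		Resources struct {
			Devices []DeviceRule `json:"devices"`
		} `json:"resources"`
	} `json:"linux"`
}

func wildcard(n *int64) bool { return n == nil || *n == -1 }

// IsDenyAll reports whether r denies every device: allow=false, no
// type/major/minor restriction, and access covering read, write and mknod.
// A deny rule missing the "m" bit still lets a CAP_MKNOD process mknod.
func IsDenyAll(r DeviceRule) bool {
	if r.Allow || !(r.Type == "" || r.Type == "a") {
		return false
	}
	if !wildcard(r.Major) || !wildcard(r.Minor) {
		return false
	}
	for _, p := range "rwm" {
		if !strings.ContainsRune(r.Access, p) {
			return false
		}
	}
	return true
}

// StartsWithDenyAll is the advisory's criterion: pre-rc91 runc applied the
// list on top of an allow-all default, so only a list whose first rule is
// deny-all actually confines the container.
func StartsWithDenyAll(rules []DeviceRule) bool {
	return len(rules) > 0 && IsDenyAll(rules[0])
}

// HardenDevices prepends a deny-all rule when the list lacks one, giving
// the same effective policy the fixed runc applies by default.
func HardenDevices(rules []DeviceRule) []DeviceRule {
	if StartsWithDenyAll(rules) {
		return rules
	}
	return append([]DeviceRule{{Allow: false, Access: "rwm"}}, rules...)
}

// CheckConfigJSON parses a config.json document and returns whether its
// device list is safe on a pre-rc91 runc, plus a hardened copy of the list.
func CheckConfigJSON(data []byte) (safe bool, hardened []DeviceRule, err error) {
	var cfg ociConfig
	if err := json.Unmarshal(data, &cfg); err != nil {
		return false, nil, err
	}
	devs := cfg.Linux.Resources.Devices
	return StartsWithDenyAll(devs), HardenDevices(devs), nil
}

// Constructed sample: grants /dev/null (char 1:3) but forgot the deny-all prefix.
const UnsafeConfig = `{"ociVersion":"1.0.2","linux":{"resources":{"devices":[
  {"allow":true,"type":"c","major":1,"minor":3,"access":"rwm"}]}}}`

// Constructed sample: the same list with the deny-all prefix the spec's examples use.
const SafeConfig = `{"ociVersion":"1.0.2","linux":{"resources":{"devices":[
  {"allow":false,"access":"rwm"},
  {"allow":true,"type":"c","major":1,"minor":3,"access":"rwm"}]}}}`

func main() {
	for _, c := range []struct{ name, doc string }{{"unsafe", UnsafeConfig}, {"safe", SafeConfig}} {
		safe, hardened, err := CheckConfigJSON([]byte(c.doc))
		if err != nil {
			fmt.Println(c.name, "parse error:", err)
			continue
		}
		out, _ := json.MarshalIndent(hardened, "", "  ")
		fmt.Printf("%s: starts with deny-all = %v\nhardened devices list:\n%s\n", c.name, safe, out)
	}
}
```

The check is deliberately strict about the first rule rather than searching the whole list: a deny-all placed after some allow rules would wipe those allows out when applied in order, which is a different misconfiguration from the one the advisory describes.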