====================================================================

                             CERT-Renater

                 Note d'Information No. 2020/VULN576
_____________________________________________________________________

DATE                : 16/10/2020

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running containerd versions prior to
                                     1.2.14, 1.3.

=====================================================================
https://github.com/containerd/containerd/security/advisories/GHSA-742w-89gc-8m9c
_____________________________________________________________________


containerd v1.2.x can be coerced into leaking credentials during image pull

dmcgowan published GHSA-742w-89gc-8m9c Oct 15, 2020


Severity
    moderate

Affected versions
    < 1.3.0

Patched versions
    1.2.14

CVE identifier
    CVE-2020-15157


Impact

If a container image manifest in the OCI Image format or Docker Image V2
Schema 2 format includes a URL for the location of a specific image
layer (otherwise known as a “foreign layer”), the default containerd
resolver will follow that URL to attempt to download it. In v1.2.x but
not 1.3.0 or later, the default containerd resolver will provide its
authentication credentials if the server where the URL is located
presents an HTTP 401 status code along with registry-specific HTTP
headers.

If an attacker publishes a public image with a manifest that directs one
of the layers to be fetched from a web server they control and they
trick a user or system into pulling the image, they can obtain the
credentials used for pulling that image. In some cases, this may be the
user's username and password for the registry. In other cases, this may
be the credentials attached to the cloud virtual instance which can
grant access to other cloud resources in the account.

The default containerd resolver is used by the cri-containerd plugin
(which can be used by Kubernetes), the ctr development tool, and other
client programs that have explicitly linked against it.

This vulnerability has been rated by the containerd maintainers as
medium, with a CVSS score of 6.1 and a vector string of
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N.


Patches

This vulnerability has been fixed in containerd 1.2.14. containerd 1.3
and later are not affected.


Workarounds

If you are using containerd 1.3 or later, you are not affected. If you
are using cri-containerd in the 1.2 series or prior, you should ensure
you only pull images from trusted sources. Other container runtimes
built on top of containerd but not using the default resolver (such as
Docker) are not affected.


Credits

The containerd maintainers would like to thank Brad Geesaman, Josh
Larsen, Ian Coldwater, Duffie Cooley, and Rory McCune for responsibly
disclosing this issue in accordance with the containerd security policy.


Credits

    @bgeesaman bgeesaman Brad Geesaman
    @joshlarsen joshlarsen Josh Larsen
    @IanColdwater IanColdwater Ian Coldwater
    @mauilion mauilion Duffie Cooley
    @raesene raesene Rory McCune



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================