=====================================================================
CERT-Renater Note d'Information No. 2023/VULN129
_____________________________________________________________________
DATE : 29/03/2023
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running runc versions prior to 1.1.5.
=====================================================================
https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c
https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
_____________________________________________________________________

AppArmor/SELinux bypass with symlinked /proc
Moderate
cyphar published GHSA-g2j6-57v7-gm8c

Package: runc
Affected versions: < 1.1.5
Patched versions: 1.1.5

Description

Impact
It was found that AppArmor, and potentially SELinux, can be bypassed when /proc inside the container is symlinked with a specific mount configuration.

Patches
Fixed in runc v1.1.5, by prohibiting symlinked /proc: #3785
This PR fixes CVE-2023-27561 as well.

Workarounds
Avoid using an untrusted container image.
Severity: Moderate, 6.1 / 10
CVSS base metrics
Attack vector: Local
Attack complexity: Low
Privileges required: None
User interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: Low
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
CVE ID: CVE-2023-28642
Weaknesses: No CWEs
Credits: @ssst0n3
_____________________________________________________________________

rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared
Low
cyphar published GHSA-m8cg-xc2p-r3fc

Package: runc
Affected versions: < 1.1.5
Patched versions: 1.1.5

Description

Impact
It was found that rootless runc makes /sys/fs/cgroup writable in the following conditions:
- when runc is executed inside the user namespace, and the config.json does not specify the cgroup namespace to be unshared (e.g., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl) or,
- when runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is very rare)

A container may gain write access to the user-owned cgroup hierarchy /sys/fs/cgroup/user.slice/... on the host. Other users' cgroup hierarchies are not affected.

Patches
v1.1.5 (planned)

Workarounds
Condition 1: Unshare the cgroup namespace ((docker|podman|nerdctl) run --cgroupns=private). This is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.
Condition 2 (very rare): add /sys/fs/cgroup to maskedPaths

Severity: Low, 2.5 / 10
CVSS base metrics
Attack vector: Local
Attack complexity: High
Privileges required: High
User interaction: None
Scope: Changed
Confidentiality: None
Integrity: None
Availability: Low
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L
CVE ID: CVE-2023-25809
Weaknesses: No CWEs
Credits: @AkihiroSuda
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41            +
+ 75013 Paris           | email:cert@support.renater.fr   +
=========================================================
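As an added example (not part of the CERT-Renater note or of the runc project's own code), the following Python audit checks an OCI bundle against the two advisories above: the two CVE-2023-25809 conditions and their workarounds in config.json, and the symlinked-/proc rootfs layout that runc 1.1.5 rejects. The config fragments are constructed; the field names (linux.namespaces, linux.maskedPaths, mounts[].options) are the standard OCI runtime-spec ones.

```python
import os
import tempfile
# Constructed OCI config.json fragments (not taken from the advisory): a rootless
# bundle that does not unshare the cgroup namespace, and the same bundle fixed.
WEAK_CONFIG = {
    "linux": {
        "namespaces": [{"type": "user"}, {"type": "pid"}, {"type": "mount"}],
        "maskedPaths": ["/proc/kcore"],
    },
    "mounts": [{"destination": "/sys", "type": "sysfs", "source": "sysfs",
                "options": ["nosuid", "noexec", "nodev", "ro"]}],
}
FIXED_CONFIG = {
    "linux": {
        "namespaces": WEAK_CONFIG["linux"]["namespaces"] + [{"type": "cgroup"}],
        "maskedPaths": ["/proc/kcore"],
    },
    "mounts": WEAK_CONFIG["mounts"],
}

def _has_ns(config: dict, kind: str) -> bool:
    return any(n.get("type") == kind
               for n in config.get("linux", {}).get("namespaces", []))

def _sys_rbind(config: dict) -> bool:
    return any(m.get("destination") == "/sys" and "rbind" in m.get("options", [])
               for m in config.get("mounts", []))

def audit_cgroup_exposure(config: dict) -> list:
    """Return the CVE-2023-25809 conditions the bundle matches (empty list == OK)."""
    findings = []
    masked = "/sys/fs/cgroup" in config.get("linux", {}).get("maskedPaths", [])
    if _has_ns(config, "user") and not _has_ns(config, "cgroup"):
        findings.append("condition 1: cgroupns not unshared; add a cgroup namespace")
    if not _has_ns(config, "user") and _sys_rbind(config) and not masked:
        findings.append("condition 2: /sys rbind-mounted; add /sys/fs/cgroup to maskedPaths")
    return findings

def proc_is_symlink(rootfs: str) -> bool:
    """The rootfs layout runc 1.1.5 now rejects (CVE-2023-28642): /proc as a symlink."""
    return os.path.islink(os.path.join(rootfs, "proc"))

def demo_proc_check() -> tuple:
    """Build two constructed rootfs layouts in a temp dir: a real /proc dir and a symlink."""
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = os.path.join(tmp, "good"), os.path.join(tmp, "bad")
        os.makedirs(os.path.join(good, "proc"))
        os.makedirs(bad)
        os.symlink("/tmp", os.path.join(bad, "proc"))
        return proc_is_symlink(good), proc_is_symlink(bad)
```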