CVE-2020-15257
Vulnerability from cvelistv5
Published
2020-12-01 02:30
Modified
2024-08-04 13:15
Severity ?
EPSS score ?
Summary
containerd-shim API Exposed to Host Network Containers
References
Impacted products
▼ | Vendor | Product |
---|---|---|
containerd | containerd |
{ "containers": { "adp": [ { "providerMetadata": { "dateUpdated": "2024-08-04T13:15:19.030Z", "orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE" }, "references": [ { "tags": [ "x_refsource_CONFIRM", "x_transferred" ], "url": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad" }, { "tags": [ "x_refsource_MISC", "x_transferred" ], "url": "https://github.com/containerd/containerd/releases/tag/v1.4.3" }, { "name": "FEDORA-2020-baeb8dbaea", "tags": [ "vendor-advisory", "x_refsource_FEDORA", "x_transferred" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN", "x_transferred" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202105-33", "tags": [ "vendor-advisory", "x_refsource_GENTOO", "x_transferred" ], "url": "https://security.gentoo.org/glsa/202105-33" } ], "title": "CVE Program Container" } ], "cna": { "affected": [ { "product": "containerd", "vendor": "containerd", "versions": [ { "status": "affected", "version": "\u003c 1.3.9" }, { "status": "affected", "version": "\u003e= 1.4.0, \u003c 1.4.3" } ] } ], "descriptions": [ { "lang": "en", "value": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container." } ], "metrics": [ { "cvssV3_1": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } } ], "problemTypes": [ { "descriptions": [ { "cweId": "CWE-669", "description": "CWE-669 Incorrect Resource Transfer Between Spheres", "lang": "en", "type": "CWE" } ] } ], "providerMetadata": { "dateUpdated": "2021-05-26T11:08:46", "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M" }, "references": [ { "tags": [ "x_refsource_CONFIRM" ], "url": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad" }, { "tags": [ "x_refsource_MISC" ], "url": "https://github.com/containerd/containerd/releases/tag/v1.4.3" }, { "name": "FEDORA-2020-baeb8dbaea", "tags": [ "vendor-advisory", "x_refsource_FEDORA" ], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/" }, { "name": "DSA-4865", "tags": [ "vendor-advisory", "x_refsource_DEBIAN" ], "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202105-33", "tags": [ "vendor-advisory", "x_refsource_GENTOO" ], "url": "https://security.gentoo.org/glsa/202105-33" } ], "source": { "advisory": "GHSA-36xw-fx78-c5r4", "discovery": "UNKNOWN" }, "title": "containerd-shim API Exposed to Host Network Containers", "x_legacyV4Record": { "CVE_data_meta": { "ASSIGNER": "security-advisories@github.com", "ID": "CVE-2020-15257", "STATE": "PUBLIC", "TITLE": "containerd-shim API Exposed to Host Network Containers" }, "affects": { "vendor": { "vendor_data": [ { "product": { "product_data": [ { "product_name": "containerd", "version": { "version_data": [ { "version_value": "\u003c 1.3.9" }, { "version_value": "\u003e= 1.4.0, \u003c 1.4.3" } ] } } ] }, "vendor_name": "containerd" } ] } }, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": { "description_data": [ { "lang": "eng", "value": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container." } ] }, "impact": { "cvss": { "attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1" } }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-669 Incorrect Resource Transfer Between Spheres" } ] } ] }, "references": { "reference_data": [ { "name": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4", "refsource": "CONFIRM", "url": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4" }, { "name": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad", "refsource": "MISC", "url": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad" }, { "name": "https://github.com/containerd/containerd/releases/tag/v1.4.3", "refsource": "MISC", "url": "https://github.com/containerd/containerd/releases/tag/v1.4.3" }, { "name": "FEDORA-2020-baeb8dbaea", "refsource": "FEDORA", "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/" }, { "name": "DSA-4865", "refsource": "DEBIAN", "url": "https://www.debian.org/security/2021/dsa-4865" }, { "name": "GLSA-202105-33", "refsource": "GENTOO", "url": "https://security.gentoo.org/glsa/202105-33" } ] }, "source": { "advisory": "GHSA-36xw-fx78-c5r4", "discovery": "UNKNOWN" } } } }, "cveMetadata": { "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "assignerShortName": "GitHub_M", "cveId": "CVE-2020-15257", "datePublished": "2020-12-01T02:30:16", "dateReserved": "2020-06-25T00:00:00", "dateUpdated": "2024-08-04T13:15:19.030Z", "state": "PUBLISHED" }, "dataType": "CVE_RECORD", "dataVersion": "5.1", "meta": { "nvd": "{\"cve\":{\"id\":\"CVE-2020-15257\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2020-12-01T03:15:11.257\",\"lastModified\":\"2023-11-07T03:17:28.330\",\"vulnStatus\":\"Modified\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \\\"host\\\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container.\"},{\"lang\":\"es\",\"value\":\"containerd es un tiempo de ejecuci\u00f3n de contenedor est\u00e1ndar de la industria y est\u00e1 disponible como demonio para Linux y Windows. En containerd anterior a las versiones 1.3.9 y 1.4.3, la API containerd-shim est\u00e1 expuesta inapropiadamente a los contenedores de red del host. Los controles de acceso para el socket de la API de shim verificaron que el proceso de conexi\u00f3n tuviera un UID efectivo de 0, pero no restringieron de otra manera el acceso al socket de dominio Unix abstracto. Esto permitir\u00eda que los contenedores maliciosos se ejecuten en el mismo espacio de nombres de red que el shim, con un UID efectivo de 0 pero con privilegios reducidos, para causar que nuevos procesos se ejecuten con privilegios elevados. Esta vulnerabilidad se ha corregido en containerd versiones 1.3.9 y 1.4.3. Los usuarios deben actualizar a estas versiones tan pronto como se publiquen. Cabe se\u00f1alar que los contenedores iniciados con una versi\u00f3n anterior de containerd-shim deben detenerse y reiniciarse, ya que los contenedores en ejecuci\u00f3n seguir\u00e1n siendo vulnerables inclusive despu\u00e9s de una actualizaci\u00f3n. Si no proporciona la capacidad para que los usuarios que no son de confianza inicien contenedores en el mismo espacio de nombres de red que el shim (normalmente el espacio de nombres de red \\\"host\\\", por ejemplo, con docker run --net=host o hostNetwork: true en un pod de Kubernetes) y ejecutar con un UID efectivo de 0, no es vulnerable a este problema. Si est\u00e1 ejecutando contenedores con una configuraci\u00f3n vulnerable, puede denegar el acceso a todos los sockets abstractos con AppArmor agregando una l\u00ednea similar a denegar unix addr=@**, para su pol\u00edtica. Es una buena pr\u00e1ctica ejecutar contenedores con un conjunto reducido de privilegios, con un UID distinto de cero y con espacios de nombres aislados. Los encargados de mantenimiento de contenedores no aconsejan compartir espacios de nombres con el host. Reducir el conjunto de mecanismos de aislamiento usados para un contenedor necesariamente aumenta el privilegio de ese contenedor, independientemente del tiempo de ejecuci\u00f3n del contenedor que se use para ejecutar ese contenedor\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.0,\"impactScore\":2.7},{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"CHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\",\"baseScore\":5.2,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.0,\"impactScore\":2.7}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:P/I:P/A:N\",\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"PARTIAL\",\"integrityImpact\":\"PARTIAL\",\"availabilityImpact\":\"NONE\",\"baseScore\":3.6},\"baseSeverity\":\"LOW\",\"exploitabilityScore\":3.9,\"impactScore\":4.9,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-669\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-669\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*\",\"versionEndExcluding\":\"1.3.9\",\"matchCriteriaId\":\"AE0C7E47-205B-4949-88A5-E5885F9F3C8B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"1.4.0\",\"versionEndExcluding\":\"1.4.3\",\"matchCriteriaId\":\"043B8600-6802-4946-89C1-A3CC3FC50112\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E460AA51-FCDA-46B9-AE97-E6676AA5E194\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"07B237A9-69A3-4A9C-9DA0-4E06BD37AE73\"}]}]}],\"references\":[{\"url\":\"https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/containerd/containerd/releases/tag/v1.4.3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Mitigation\",\"Third Party Advisory\"]},{\"url\":\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://security.gentoo.org/glsa/202105-33\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]},{\"url\":\"https://www.debian.org/security/2021/dsa-4865\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Third Party Advisory\"]}]}}" } }
Loading...
Loading...
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.