gsd-2020-15257
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.
Aliases
Aliases



{
  "GSD": {
    "alias": "CVE-2020-15257",
    "description": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container.",
    "id": "GSD-2020-15257",
    "references": [
      "https://www.suse.com/security/cve/CVE-2020-15257.html",
      "https://www.debian.org/security/2021/dsa-4865",
      "https://ubuntu.com/security/CVE-2020-15257",
      "https://security.archlinux.org/CVE-2020-15257",
      "https://alas.aws.amazon.com/cve/html/CVE-2020-15257.html",
      "https://linux.oracle.com/cve/CVE-2020-15257.html",
      "https://access.redhat.com/errata/RHSA-2022:2183"
    ]
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2020-15257"
      ],
      "details": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container.",
      "id": "GSD-2020-15257",
      "modified": "2023-12-13T01:21:43.415861Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "security-advisories@github.com",
        "ID": "CVE-2020-15257",
        "STATE": "PUBLIC",
        "TITLE": "containerd-shim API Exposed to Host Network Containers"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "containerd",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "\u003c 1.3.9"
                        },
                        {
                          "version_value": "\u003e= 1.4.0, \u003c 1.4.3"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "containerd"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container."
          }
        ]
      },
      "impact": {
        "cvss": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "NONE",
          "baseScore": 5.2,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "LOW",
          "scope": "CHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "version": "3.1"
        }
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "CWE-669 Incorrect Resource Transfer Between Spheres"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
            "refsource": "CONFIRM",
            "url": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4"
          },
          {
            "name": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad"
          },
          {
            "name": "https://github.com/containerd/containerd/releases/tag/v1.4.3",
            "refsource": "MISC",
            "url": "https://github.com/containerd/containerd/releases/tag/v1.4.3"
          },
          {
            "name": "FEDORA-2020-baeb8dbaea",
            "refsource": "FEDORA",
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/"
          },
          {
            "name": "DSA-4865",
            "refsource": "DEBIAN",
            "url": "https://www.debian.org/security/2021/dsa-4865"
          },
          {
            "name": "GLSA-202105-33",
            "refsource": "GENTOO",
            "url": "https://security.gentoo.org/glsa/202105-33"
          }
        ]
      },
      "source": {
        "advisory": "GHSA-36xw-fx78-c5r4",
        "discovery": "UNKNOWN"
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003cv1.3.9 || \u003e=v1.4.0 \u003cv1.4.3",
          "affected_versions": "All versions before 1.3.9, all versions starting from 1.4.0 before 1.4.3",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-669",
            "CWE-937"
          ],
          "date": "2021-05-26",
          "description": "The containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective `UID` of `0`, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective `UID` of `0` but otherwise reduced privileges, to cause new processes to be run with elevated privileges.",
          "fixed_versions": [
            "v1.3.9",
            "v1.4.3"
          ],
          "identifier": "CVE-2020-15257",
          "identifiers": [
            "CVE-2020-15257",
            "GHSA-36xw-fx78-c5r4"
          ],
          "not_impacted": "All versions starting from 1.3.9 before 1.4.0, all versions starting from 1.4.3",
          "package_slug": "go/github.com/containerd/containerd",
          "pubdate": "2020-12-01",
          "solution": "Upgrade to versions 1.3.9, 1.4.3 or above.",
          "title": "Incorrect Resource Transfer Between Spheres",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15257"
          ],
          "uuid": "7a48c123-2cb7-4981-b3dc-fed994b8522a",
          "versions": [
            {
              "commit": {
                "sha": "9f6249ab49862f61fec54c423f21b464ed71a2a0",
                "tags": [
                  "v1.4.0"
                ],
                "timestamp": "20200817144132"
              },
              "number": "v1.4.0"
            },
            {
              "commit": {
                "sha": "288632790ffc8b5156e0349efd16edabd55a460c",
                "tags": [
                  "v1.3.9"
                ],
                "timestamp": "20201130183218"
              },
              "number": "v1.3.9"
            },
            {
              "commit": {
                "sha": "6806845b4f638417933f68721e289c9aeda456b1",
                "tags": [
                  "v1.4.3"
                ],
                "timestamp": "20201130183218"
              },
              "number": "v1.4.3"
            }
          ]
        },
        {
          "affected_range": "\u003c1.2.0||\u003e=1.3.0 \u003c1.3.9||\u003e=1.4.0 \u003c1.4.3",
          "affected_versions": "All versions before 1.2.0, all versions starting from 1.3.0 before 1.3.9, all versions starting from 1.4.0 before 1.4.3",
          "cvss_v2": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-669",
            "CWE-937"
          ],
          "date": "2021-05-27",
          "description": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container.",
          "fixed_versions": [
            "1.2.0",
            "1.3.9",
            "1.4.3"
          ],
          "identifier": "CVE-2020-15257",
          "identifiers": [
            "GHSA-36xw-fx78-c5r4",
            "CVE-2020-15257"
          ],
          "not_impacted": "All versions starting from 1.2.0 before 1.3.0, all versions starting from 1.3.9 before 1.4.0, all versions starting from 1.4.3",
          "package_slug": "go/github.com/containerd/containerd/cmd",
          "pubdate": "2021-05-24",
          "solution": "Upgrade to versions 1.2.0, 1.3.9, 1.4.3 or above.",
          "title": "Incorrect Resource Transfer Between Spheres",
          "urls": [
            "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
            "https://nvd.nist.gov/vuln/detail/CVE-2020-15257",
            "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
            "https://github.com/containerd/containerd/releases/tag/v1.4.3",
            "https://research.nccgroup.com/2020/12/10/abstract-shimmer-cve-2020-15257-host-networking-is-root-equivalent-again/",
            "https://github.com/advisories/GHSA-36xw-fx78-c5r4"
          ],
          "uuid": "3fa601a1-9c3e-451d-9deb-3f58eb034994"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.3.9",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*",
                "cpe_name": [],
                "versionEndExcluding": "1.4.3",
                "versionStartIncluding": "1.4.0",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:fedoraproject:fedora:33:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          },
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "security-advisories@github.com",
          "ID": "CVE-2020-15257"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container\u0027s privilege, regardless of what container runtime is used for running that container."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-669"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad",
              "refsource": "MISC",
              "tags": [
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad"
            },
            {
              "name": "https://github.com/containerd/containerd/releases/tag/v1.4.3",
              "refsource": "MISC",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://github.com/containerd/containerd/releases/tag/v1.4.3"
            },
            {
              "name": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4",
              "refsource": "CONFIRM",
              "tags": [
                "Mitigation",
                "Third Party Advisory"
              ],
              "url": "https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4"
            },
            {
              "name": "FEDORA-2020-baeb8dbaea",
              "refsource": "FEDORA",
              "tags": [
                "Mailing List",
                "Third Party Advisory"
              ],
              "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD/"
            },
            {
              "name": "DSA-4865",
              "refsource": "DEBIAN",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://www.debian.org/security/2021/dsa-4865"
            },
            {
              "name": "GLSA-202105-33",
              "refsource": "GENTOO",
              "tags": [
                "Third Party Advisory"
              ],
              "url": "https://security.gentoo.org/glsa/202105-33"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "acInsufInfo": false,
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "availabilityImpact": "NONE",
            "baseScore": 3.6,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 4.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": false
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 5.2,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "CHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 2.0,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2022-01-01T18:11Z",
      "publishedDate": "2020-12-01T03:15Z"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading...

Loading...

Loading...

Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.