Bug 1045988 (CVE-2013-6441)

Summary: CVE-2013-6441 lxc: sshd template allow privilege escalation on host
Product: [Other] Security Response Reporter: Kurt Seifried <kseifried>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acathrow, carnil, jkurik, karlthered, libvirt-maint, pfrields, sagarun, thomas.moschny
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2013-12-23 07:02:25 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kurt Seifried 2013-12-23 06:58:31 UTC 
Salvatore Bonaccorso of the Debian Project reports:

Florian Sagar discovered and reported an error in the sshd template of
lxc allowing privilege escalation on the host. The error can be found
on 

https://github.com/lxc/lxc/blob/master/templates/lxc-sshd.in#L131

where the mount is not done read-only. There is already a public
pull/commit for this issue so might not anymore be embargoed (but
asking first here).

https://github.com/dotcloud/lxc/pull/1
https://github.com/usrflo/lxc/commit/fc09866c98468f3d832289d6608ee611a2c3c387
Comment 1 Kurt Seifried 2013-12-23 07:01:00 UTC 
Acknowledgment:

Red Hat would like to thank the Debian Project for reporting this issue. The Debian Project acknowledges Florian Sagar as the original reporter.
Comment 2 Kurt Seifried 2013-12-23 07:02:25 UTC 
Statement:

This issue did not affect the versions of libvirt (which includes lxc) as shipped with Red Hat Enterprise Linux 6 as they do not include the template file lxc-sshd.in.
Comment 3 Salvatore Bonaccorso 2013-12-26 10:02:38 UTC 
Hi Kurt

As per feedback from upstream this CVE assigned is disputed. The change to make the mount entry bind,ro was done as good safety net to have. But having root access to a container allows to get root to the host (see e.g http://blog.bofh.it/debian/id_413), if not using unprivileged containers or selinux/apparmor to restrict the containers.
Comment 4 Vincent Danen 2014-01-07 17:56:16 UTC 
To followup, a further patch was posted:

https://github.com/lxc/lxc/commit/f4d5cc8e1f39d132b61e110674528cac727ae0e2

which is a similar hardening feature (or safety net).

As upstream indicated, it's a known and acknowledged limitation of LXC (when not used with userns or apparmor/selinux) that root in a container is the effective equivalent of root on the host (so an individual with root in an LXC container can can change the host's lxc-sshd regardless of this issue).