Bug 1714722 (CVE-2018-15664)

Summary: | CVE-2018-15664 docker: symlink-exchange race attacks in docker cp | |
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | adeshpan, adimania, admiller, ahardin, aileenc, amurdaca, apmukher, bleanhar, ccoleman, chazlett, dbecker, dedgar, dominik.mierzejewski, dornelas, dwalsh, eparis, fhirtz, frantisek.kluknavsky, hgomes, ichavero, janstey, jcajka, jcoscia, jgoulding, jjoyce, jochrist, jokerman, jschluet, jwang, kbasil, knewcome, lhh, lpeer, lsm5, mburns, mchappel, nalin, pasik, qguo, rgregory, rrajaram, rschiron, santiago, sardella, sclewis, security-response-team, sfowler, slinaber, sreber, szobair, vbatts, zhigwang
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value
Doc Text: | A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2019-07-29 19:18:43 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1714723, 1714724, 1717087, 1717219, 1717220 | |
Bug Blocks: | 1714728 | |
Description
Laura Pardo
2019-05-28 17:25:53 UTC
Created docker tracking bugs for this issue: Affects: fedora-all [bug 1714724]

Updating CVSS to more accurately reflect a better understanding of the attack complexity. Dropping severity to moderate accordingly.

Is an OpenShift cluster with the anyuid SCC enabled susceptible to CVE-2018-15664?

A similar flaw was also found in podman. It has been assigned CVE-2019-10152: https://bugzilla.redhat.com/show_bug.cgi?id=1715667

Upstream PR https://github.com/moby/moby/pull/39252 has been closed in favour of https://github.com/moby/moby/pull/39292

Attack Complexity (AC) set to High (H) because the attacker cannot exploit the flaw at will, but it may require the victim user to run `docker cp` several times before the race condition is won. Setting Privileges Required (PR) to Low (L) because an attacker needs to be able to run commands on a container and thus have some privileges there to perform the attack. Moreover, User Interaction (UI) set to Required (R) because the attacker needs to wait for the user to perform a `docker cp` (probably even more than one time) to perform his attack.

External References: https://www.openwall.com/lists/oss-security/2019/05/28/1

My testing with the POC shared on the oss-security posting also reveals a ~1% success rate on hitting the race condition on run_read.sh

Upstream PR https://github.com/moby/moby/pull/39292 was merged into the master branch and it seems to be the right fix for this CVE.

Mitigation: Stopping a container prior to running "docker cp" removes the TOCTOU vulnerability.

Function GetResourcePath() uses FollowSymlinkInScope(), which is used to evaluate a path within a given scope, and it returns a path guaranteed to be contained in the scope at the time of the call. However, if components of the path change after the call to these functions, the guarantee does not hold anymore. Functions that use functions like ResolvePath(), GetResourcePath(), FollowSymlinkInScope() and others similar to those may be vulnerable to a Time of Check to Time of Use (TOCTOU) vulnerability, where the resolved path may be correctly scoped inside the container at the time of the check, but it escapes into the host filesystem at the time of use. In particular, containerArchivePath() and containerExtractToDir() are used when copying files respectively from and to a container, and they are vulnerable to this flaw. An attacker who has compromised a running container could run a program to try to exploit this flaw while another privileged user is running `docker cp` to copy files from/to the container.

This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Extras Via RHSA-2019:1910 https://access.redhat.com/errata/RHSA-2019:1910

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-15664

Statement: All versions of docker prior to the fix are vulnerable to this flaw. For clarity, in the "Affected Packages State" table, we only include OpenShift Container Platform (OCP) versions 3.7 and below because for these versions docker was shipped as part of the release. For all subsequent versions of OCP until 3.11, docker is installed from the RHEL Extras repository, meaning clusters will be vulnerable to the flaw unless an updated docker package has been applied. Red Hat Fuse provides only the Docker client library and is not affected by this vulnerability.