Bug 1737333

Summary: atomic-openshift: openshift-node allows pods to escalate privileges via setuid bit
Product: [Other] Security Response
Reporter: Jason Shepherd <jshepherd>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: ahardin, amurdaca, bbaude, bleanhar, bmontgom, ccoleman, dedgar, dwalsh, eparis, jburrell, jgoulding, jligon, jnovy, jokerman, lsm5, mchappel, mheon, nstielau, security-response-team, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalation flaw exists in the openshift-node component of the OpenShift Container Platform. An attacker able to trick a user into running a malicious container could use this flaw to read or delete files in the container owned by root.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-06 00:59:45 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1737647, 1737648, 1737650
Bug Blocks: 1735501

Description Jason Shepherd 2019-08-05 06:49:22 UTC
A privilege escalation flaw exists in the openshift-node component of OpenShift Container Platform. An attacker able to trick a user into running a malicious container can read or delete files in the container owned by root.

Comment 9 Jason Shepherd 2019-08-06 00:55:17 UTC
After discussing it with the engineering team and within prodsec we decided that this shouldn't be a vulnerability. setuid is needed for some features including 'ping' from within a pod. Also there is already an SCC option to disable it in OpenShift and Kubernetes:

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Comment 10 Jason Shepherd 2019-08-06 00:59:50 UTC
Statement:

On Red Hat Enterprise Linux 7 or 8, when running a container with podman or docker, it's possible to add the security-opt 'no-new-privileges' to prevent this vulnerability.

On OpenShift Container Platform 3.11, 4.1 and 4.1 it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will cause certain binaries which require setuid, such as 'ping', to stop working. https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Comment 11 Daniel Walsh 2019-08-06 11:52:22 UTC
We can set up ping to work without requiring any additional privs by modifying crio to automatically allow non-privileged users to create ICMP packets.

https://github.com/cri-o/cri-o/pull/2378
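
Added example (not code from the bug report, from OpenShift, podman or cri-o): what the two mitigations in Comment 10 and the alternative in Comment 11 come down to at the kernel level. podman's `--security-opt no-new-privileges` and Kubernetes' `securityContext.allowPrivilegeEscalation: false` both set the Linux `no_new_privs` process flag before the container's entrypoint runs; with it set, execve() of a setuid/setgid file runs as the caller instead of the file owner, the flag is inherited by every child, and it can never be cleared. The Comment 11 approach lets ping work without setuid by putting the user's group inside the `net.ipv4.ping_group_range` sysctl so it can open an unprivileged ICMP socket; that the linked cri-o PR does this via that sysctl is my reading of it, not stated on this page. The program assumes Linux with /proc mounted and a writable /tmp; the temp file it marks setuid is constructed demo input and is removed again.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Older headers may lack these; the values are fixed in the kernel ABI. */
#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* 1 if PATH carries the setuid or setgid bit, 0 if not, -1 if it cannot be stat'ed.
 * This is the property the bug is about: inside a container such a file lets a
 * non-root process become the file's owner (typically root) on execve(). */
int has_setid_bit(const char *path)
{
    struct stat st;
    if (stat(path, &st) != 0)
        return -1;
    return (st.st_mode & (S_ISUID | S_ISGID)) ? 1 : 0;
}

/* Constructed demo input: create a throwaway file, mark it setuid (mode 04700),
 * report what has_setid_bit() sees, and unlink it. Returns 1 on a working system. */
int demo_setuid_tempfile(void)
{
    char tmpl[] = "/tmp/setid-demo-XXXXXX"; /* assumed writable /tmp */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    int rc = (fchmod(fd, S_ISUID | S_IRWXU) == 0) ? has_setid_bit(tmpl) : -1;
    close(fd);
    unlink(tmpl);
    return rc;
}

/* Turn on no_new_privs for the calling thread and read it back. Returns 1 on
 * success. From this point the kernel ignores setuid/setgid bits and file
 * capabilities on execve(), and children inherit the flag. */
int enable_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
}

/* Once set, the bit cannot be cleared: the kernel only accepts arg2 == 1, so
 * prctl(PR_SET_NO_NEW_PRIVS, 0) fails with EINVAL. Returns 1 if the flag is
 * still on after the attempt, which is why a malicious image cannot undo it. */
int no_new_privs_is_sticky(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 0, 0, 0, 0) == 0)
        return 0;
    if (errno != EINVAL)
        return 0;
    return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0) == 1 ? 1 : 0;
}

/* Whether GID lies inside net.ipv4.ping_group_range, i.e. whether a process in
 * that group may open an unprivileged ICMP socket instead of needing a setuid
 * ping. Returns 1/0, or -1 if the sysctl cannot be read. The kernel default
 * "1 0" is an empty range, so nobody is allowed until an operator widens it. */
int ping_group_range_allows(gid_t gid)
{
    FILE *f = fopen("/proc/sys/net/ipv4/ping_group_range", "r");
    if (!f)
        return -1;
    unsigned long lo = 1, hi = 0;
    int n = fscanf(f, "%lu %lu", &lo, &hi);
    fclose(f);
    if (n != 2)
        return -1;
    return ((unsigned long)gid >= lo && (unsigned long)gid <= hi) ? 1 : 0;
}

int main(void)
{
    printf("setuid bit seen on demo file:        %d\n", demo_setuid_tempfile());
    printf("unprivileged ping allowed for gid %u: %d\n",
           (unsigned)getgid(), ping_group_range_allows(getgid()));
    printf("no_new_privs enabled:                %d\n", enable_no_new_privs());
    printf("no_new_privs sticky:                 %d\n", no_new_privs_is_sticky());
    /* Anything exec'ed from here on, setuid ping included, runs as this uid. */
    return 0;
}
```

Read the `ping_group_range` result together with the `no_new_privs` one: a pod that needs ping can have both `allowPrivilegeEscalation: false` and a group inside the sysctl range, which is the combination that removes the setuid dependency rather than trading one for the other.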