Bug 1737333
| Field | Value |
|---|---|
| Summary | atomic-openshift: openshift-node allows pods to escalate privileges via setuid bit |
| Product | [Other] Security Response |
| Reporter | Jason Shepherd <jshepherd> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | ahardin, amurdaca, bbaude, bleanhar, bmontgom, ccoleman, dedgar, dwalsh, eparis, jburrell, jgoulding, jligon, jnovy, jokerman, lsm5, mchappel, mheon, nstielau, security-response-team, sponnaga |
| Target Milestone | --- |
| Keywords | Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | A privilege escalation flaw exists in the openshift-node component of the OpenShift Container Platform. An attacker could use this flaw to trick a user into running a malicious container and read or delete files in the container owned by root. |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-08-06 00:59:45 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | 1737647, 1737648, 1737650 |
| Bug Blocks | 1735501 |
Description
Jason Shepherd
2019-08-05 06:49:22 UTC
After discussing it with the engineering team and within prodsec we decided that this shouldn't be a vulnerability. setuid is needed for some features, including 'ping' from within a pod. Also, there is already an SCC option to disable it in OpenShift and Kubernetes: https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Statement:

On Red Hat Enterprise Linux 7 or 8, when running a container with podman or docker, it's possible to add the security-opt 'no-new-privileges' to prevent this vulnerability. On OpenShift Container Platform 3.11, 4.1 and 4.1 it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will cause certain binaries which require setuid, such as 'ping', to stop working. https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

We can set up ping to work without requiring any additional privs by modifying crio to automatically allow non-privileged users to create ICMP packets. https://github.com/cri-o/cri-o/pull/2378
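The allowPrivilegeEscalation mitigation from the statement above, turned into a pod-manifest audit as an added example (not code from the bug report, OpenShift or CRI-O): it flags every container whose effective setting is true, applying the Kubernetes rule that the field defaults to true and is forced to true when the container is privileged or adds CAP_SYS_ADMIN, so an explicit false there is not effective. The sample manifest, image names and container names are constructed.

```python
"""Audit a Kubernetes/OpenShift pod manifest for containers that can still
gain privileges via setuid binaries (allowPrivilegeEscalation not false)."""
import copy


def _effective_ape(ctr):
    """Effective allowPrivilegeEscalation for one container (Kubernetes rules)."""
    sc = ctr.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    adds = {c.upper() for c in (caps.get("add") or [])}
    adds = {c[4:] if c.startswith("CAP_") else c for c in adds}
    # Privileged containers and CAP_SYS_ADMIN force the field to true.
    if sc.get("privileged") or "SYS_ADMIN" in adds:
        return True
    return bool(sc.get("allowPrivilegeEscalation", True))  # unset -> true


def audit_pod(pod):
    """Return names of containers (init containers included) that can escalate."""
    spec = pod.get("spec") or {}
    ctrs = (spec.get("initContainers") or []) + (spec.get("containers") or [])
    return [c["name"] for c in ctrs if _effective_ape(c)]


def harden_pod(pod):
    """Return a copy with allowPrivilegeEscalation: false on every container.
    Containers that are privileged or add SYS_ADMIN still audit as escalating."""
    out = copy.deepcopy(pod)
    spec = out.setdefault("spec", {})
    for c in (spec.get("initContainers") or []) + (spec.get("containers") or []):
        sc = c.get("securityContext") or {}
        sc["allowPrivilegeEscalation"] = False
        c["securityContext"] = sc
    return out


# Constructed sample manifest (not taken from the bug report).
SAMPLE_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "demo"},
    "spec": {"containers": [
        {"name": "web", "image": "example/web:1"},  # field unset -> escalates
        {"name": "ok", "image": "example/ok:1",
         "securityContext": {"allowPrivilegeEscalation": False}},
        {"name": "admin", "image": "example/admin:1",  # SYS_ADMIN overrides false
         "securityContext": {"allowPrivilegeEscalation": False,
                             "capabilities": {"add": ["SYS_ADMIN"]}}},
    ]},
}

if __name__ == "__main__":
    print("can escalate:", audit_pod(SAMPLE_POD))
    print("after hardening:", audit_pod(harden_pod(SAMPLE_POD)))
```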