Bug 1829674 (CVE-2020-10728)

Summary: CVE-2020-10728 automationbroker/apb: permissive sudoers file
Product: [Other] Security Response
Reporter: Mark Cooper <mcooper>
Component: vulnerability
Assignee: Nobody <nobody>
Status: ASSIGNED
Severity: medium
Priority: medium
Version: unspecified
CC: bmontgom, eparis, jburrell, nstielau, sponnaga
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the automationbroker/apb container in versions up to and including 2.0.4-1. This container grants all users sudoer permissions, allowing an unauthorized user with access to the running container to escalate their own privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1829688, 1829689, 1829690
Bug Blocks: 1807720

Description Mark Cooper 2020-04-30 03:59:50 UTC
It has been found that the container automationbroker/apb (in all versions up to 2.0.4-1) grants all users sudoer permissions. An attacker with access to the running container can exploit this to escalate their own privileges.

Comment 5 Jesus M. Rodriguez 2020-04-30 21:12:26 UTC
The apb dockerfile runs sudo for adding users and groups to the image.

https://github.com/automationbroker/apb/blob/master/apb-wrapper#L30-L39

We'll need to fix the above script so we don't have to do that.

Then remove the sudoers line from the Dockerfile

https://github.com/automationbroker/apb/blob/master/Dockerfile#L10

The affected repo is: https://github.com/automationbroker/apb/

3.11 uses apb-1.9.8: https://github.com/automationbroker/apb/tree/release-1.9
4.x uses apb-2.0.x: https://github.com/automationbroker/apb
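
An added example (not code from the apb project or from this bug) of the kind of check a defender can run against an image's /etc/sudoers to catch the rule shape described here: a user spec whose user field is ALL, or an unrestricted NOPASSWD rule. The sample sudoers content is constructed for illustration; the parser handles only the common "user host=(runas) [TAG:] commands" form and skips Defaults, alias and @include lines.

```python
import re

# Constructed sample /etc/sudoers content (not the apb image's file). The
# "ALL ALL=(ALL) NOPASSWD: ALL" rule is the shape of the finding in this bug:
# every account in the container may run any command as root.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
ALL     ALL=(ALL) NOPASSWD: ALL        # the permissive rule
%wheel  ALL=(ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app
"""

# user  host = (runas) [TAG: ...] commands   (simplified sudoers user spec)
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)
TAG = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")
SKIP = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias", "@include")


def parse_user_specs(text):
    # Return one dict per user spec: user, host, runas, tags, commands.
    specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        if not line or line.startswith(SKIP):
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while True:                                   # peel off TAG: prefixes
            t = TAG.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = rest[t.end():]
        specs.append({"user": m.group("user"), "host": m.group("host"),
                      "runas": m.group("runas") or "root", "tags": tags,
                      "commands": rest.strip()})
    return specs


def find_permissive(specs):
    # Flag rules that hand sudo to every user, or allow any command without a password.
    findings = []
    for s in specs:
        if s["user"] == "ALL":
            findings.append((s["user"], "every user may sudo"))
        elif s["commands"] == "ALL" and "NOPASSWD" in s["tags"]:
            findings.append((s["user"], "unrestricted NOPASSWD"))
    return findings
```

Running `find_permissive(parse_user_specs(open("/etc/sudoers").read()))` inside an image under review (and over each file in /etc/sudoers.d) gives an empty list for a file that only grants root and named admins.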

Comment 8 Mark Cooper 2020-05-01 03:44:00 UTC
Acknowledgments:

Name: Mark Cooper (Red Hat)

Comment 9 Mark Cooper 2020-05-01 03:54:40 UTC
Statement:

By default this vulnerability is not exploitable in unprivileged containers running on OpenShift Container Platform. This is because the system calls SETUID and SETGID are blocked by the default seccomp policy.

In OpenShift 4.4 the container openshift-enterprise-abp-tools has been removed and hence is not affected by this flaw.