Bug 1919391 (CVE-2021-20206)

Summary: CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: acui, adam.kaplan, agarcial, alcohan, amurdaca, anbhat, aos-bugs, bbaude, bbennett, bdettelb, bmontgom, cnv-qe-bugs, container-sig, debarshir, dfreiber, doconnor, dosmith, dramseur, drow, dwalsh, eclipseo, eparis, fdeutsch, gghezzo, go-sig, gparvin, hvyas, jbrooks, jburrell, jhrozek, jhunter, jligon, jnovy, jokerman, josorior, jramanat, jweiser, jwendell, kconner, kmitts, lbainbri, lsm5, mcooper, mfojtik, mgala, mheon, mjudeiki, mrajanna, mrogers, muagarwa, nalin, njean, nstielau, owatkins, pahickey, pdhamdhe, pehunt, phoracek, pthomas, rcernich, rhaigner, rh.container.bot, rogbas, rphillips, santiago, security-response-team, sponnaga, stcannon, sttts, teagle, team-winc, thee, tnielsen, tomckay, tsweeney, twalsh, umohnani, vkumar, xxia, ypadia
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: containernetworking/cni 0.8.1 Doc Type: If docs needed, set a value
Doc Text:
An improper limitation of path name flaw was found in containernetworking/cni. When specifying the plugin to load in the `type` field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute other existing binaries other than the cni plugins/types, such as `reboot`. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-03-10 15:05:45 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1934004, 1934005, 1934006, 1924511, 1924514, 1924516, 1924518, 1924520, 1924522, 1924550, 1924551, 1924552, 1924553, 1924554, 1924555, 1924556, 1924557, 1924558, 1924559, 1924824, 1924825, 1924835, 1924837, 1925068, 1925069, 1925076, 1925077, 1925080, 1925108, 1925109, 1925110, 1925111, 1925112, 1925398, 1925399, 1926021, 1926022, 1926355, 1926492, 1926496, 1926497, 1926498, 1926499, 1926500, 1926502, 1926503, 1926504, 1926796, 1926801, 1930216, 1930217, 1930218, 1930219, 1931984, 1931985, 1931986, 1931987, 1931988, 1931989, 1931990, 1931991, 1931992, 1931993, 1931994, 1931995, 1935801, 1935802, 1935803, 1942675    
Bug Blocks: 1919392, 1926161    

Description Pedro Sampaio 2021-01-22 18:36:12 UTC 
A flaw was found in libcni. A user may  be able to change the "type:" field in a CNI configuration to an arbitrary path and could execute arbitrary binaries on a host.

Upstream patch:

https://github.com/containernetworking/cni/pull/808
Comment 1 Mark Cooper 2021-01-29 07:50:21 UTC 
Upstream fix: https://github.com/containernetworking/cni/pull/808
Comment 6 Mark Cooper 2021-02-03 07:47:44 UTC 
Generally for this vulnerability adding and removing network definitions will be a privileged operation. However as this is a library it's difficult to determine all uses and as such considering the worst case and as this is unexpected behaviour it's considered a security issue.

The greatest risk will be to applications which load network definitions - however as it is a go mod library, go binaries which depend on containernetworking/cni may also be affected by this and affects for OpenShift containers have been added as such.
Comment 7 Lokesh Mandvekar 2021-02-03 13:16:53 UTC 
containernetworking-plugins package should be looked at. It uses github.com/containernetworking/plugins which vendors in containernetworking/cni. https://github.com/containernetworking/plugins/blob/master/go.mod#L10
Comment 8 Lokesh Mandvekar 2021-02-03 13:18:12 UTC 
(In reply to Lokesh Mandvekar from comment #7)
> containernetworking-plugins package should be looked at. It uses
> github.com/containernetworking/plugins which vendors in
> containernetworking/cni.
> https://github.com/containernetworking/plugins/blob/master/go.mod#L10

This package is present in both RHEL and Fedora.
Comment 9 Mark Cooper 2021-02-03 13:47:28 UTC 
Our scans for the containers should account for that - but i'll double check to make sure. 

We're just confirming the RPM affects now, but good point about the rpm tho, will do, thanks @lsm5!
Comment 15 Mark Cooper 2021-02-05 06:02:58 UTC 
Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1925399]


Created golang-github-containernetworking-cni tracking bugs for this issue:

Affects: fedora-all [bug 1925398]
Comment 17 Mark Cooper 2021-02-06 15:44:35 UTC 
Acknowledgments:

Name: Casey Callendrello (Red Hat)
Comment 25 Mark Cooper 2021-02-09 13:30:12 UTC 
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1926796]
Comment 26 Mark Cooper 2021-02-09 13:42:19 UTC 
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1926801]
Comment 28 RaTasha Tillery-Smith 2021-02-16 19:40:04 UTC 
Statement:

OpenShift ServiceMesh (OSSM) does package a vulnerable version of containernetworking/cni, however, the NetworkDefinitionAttachment is defined in code and cannot be easily changed except through a user who has access to the operator namespace such as cluster-admin. As such, for OSSM, the impact is Low.
Comment 35 errata-xmlrpc 2021-03-10 11:16:09 UTC 
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799
Comment 36 Product Security DevOps Team 2021-03-10 15:05:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20206
Comment 37 errata-xmlrpc 2021-04-05 13:39:58 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007
Comment 38 errata-xmlrpc 2021-04-05 13:55:05 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005
Comment 41 errata-xmlrpc 2021-05-19 15:12:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1552 https://access.redhat.com/errata/RHSA-2021:1552
Comment 42 errata-xmlrpc 2021-07-27 22:31:44 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 43 errata-xmlrpc 2021-08-03 20:29:12 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:3001 https://access.redhat.com/errata/RHSA-2021:3001
Comment 45 errata-xmlrpc 2022-02-16 11:19:37 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:0492 https://access.redhat.com/errata/RHSA-2022:0492
Comment 46 errata-xmlrpc 2022-05-02 05:52:01 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2022:1660 https://access.redhat.com/errata/RHSA-2022:1660