Bug 1954736 (CVE-2021-30465)

Summary: CVE-2021-30465 runc: vulnerable to symlink exchange attack
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: ajia, amurdaca, aos-bugs, bbaude, bmontgom, cperry, dwalsh, eparis, fcanogab, gghezzo, gparvin, gscrivan, jburrell, jchaloup, jnovy, jokerman, jramanat, jshepherd, jwboyer, jweiser, jwest, kir, kolyshkin, lsm5, mbenatto, mfojtik, mpatel, nstielau, o.lemasle, pbrookes, pehunt, petr, rh.container.bot, rphillips, santiago, security-response-team, sfowler, sponnaga, stcannon, sttts, thee, TicoTimo, tsweeney, xxia
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: runc 1.0.0-rc95
Doc Type: If docs needed, set a value
Doc Text:
The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as to system availability.
Story Points: ---
Last Closed: 2021-05-24 17:32:01 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1956188, 1956189, 1959881, 1959882, 1954940, 1955286, 1955287, 1955288, 1955636, 1955637, 1955638, 1955639, 1955640, 1955641, 1955642, 1955643, 1955644, 1955645, 1955646, 1955647, 1955648, 1955649, 1955650, 1955651, 1955652, 1955653, 1955654, 1955655, 1955656, 1959370, 1959474, 1959475, 1962096
Bug Blocks: 1954737
Attachments:
- Full patch set from Aleksa - patches work for rc93. [flags: none]
- Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed) [flags: none]
- Backport to upstream runc-1.0.0-rc5 [flags: none]
- Backport to upstream runc-1.0.0-rc92 [flags: none]
- Backport to rhel8.5 (runc v1.0.0-rc5-133-g2abd837c) [flags: none]
- Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed-fixed) [flags: none]

Description Guilherme de Almeida Suckevicz 2021-04-28 17:36:55 UTC
runc 1.0.0-rc93 and earlier are vulnerable to a symlink exchange attack whereby an attacker can request a seemingly-innocuous container configuration that actually results in the host filesystem being bind-mounted into the container (allowing for a container escape).

Reference:
https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
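
The flaw described above belongs to a class the attachments on this bug name directly ("rootfs: add mount destination validation"): a mount destination taken from the container configuration is resolved by name, and a path component can be exchanged for a symlink between that resolution and the actual mount. The Go program below is an added illustration of one defensive pattern for such validation; it is not runc's code and not taken from any patch attached to this bug. It confines the requested destination lexically under the rootfs, walks it with Lstat and rejects any symlink component (a stricter policy than resolving symlinks inside the rootfs), opens the result without following a final symlink, and then asks the kernel through /proc/self/fd which object that descriptor really refers to before handing the /proc/self/fd path to the caller. It assumes Linux with procfs mounted; the rootfs layout built in main (a "data" directory and a planted "evil" symlink to "/") is constructed sample data, and a stat on the procfd path stands in for the mount a container runtime would perform.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// ErrEscapesRoot is returned when a requested mount destination would land
// outside the container rootfs, or would pass through a symlink that could be
// swapped between the check and the mount (the symlink-exchange race).
var ErrEscapesRoot = errors.New("mount destination escapes container rootfs")

// ResolveInRoot lexically confines unsafePath beneath root, then walks the
// result one component at a time with Lstat so a symlink is detected rather
// than silently followed. It returns the absolute host path.
// Policy of this example: any symlink component is rejected outright.
func ResolveInRoot(root, unsafePath string) (string, error) {
	root = filepath.Clean(root)
	// Cleaning as an absolute path collapses "../" so it cannot climb above "/",
	// which after joining means it cannot climb above root.
	rel := filepath.Clean("/" + unsafePath)
	full := filepath.Join(root, rel)
	if full != root && !strings.HasPrefix(full, root+string(filepath.Separator)) {
		return "", ErrEscapesRoot // defensive; Clean already guarantees this
	}
	cur := root
	for _, comp := range strings.Split(strings.TrimPrefix(full, root), string(filepath.Separator)) {
		if comp == "" {
			continue
		}
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur) // Lstat: look at the link itself, do not follow it
		if err != nil {
			return "", err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return "", fmt.Errorf("%w: %s is a symlink", ErrEscapesRoot, cur)
		}
	}
	return full, nil
}

// WithVerifiedFd resolves unsafePath, opens it without following a final
// symlink, then reads /proc/self/fd/N to learn which path the kernel actually
// opened. Only if that matches the resolved path is fn called, and fn receives
// the /proc/self/fd/N path: an operation such as a mount done through it acts
// on the object already opened, so a rename or symlink swap after the check
// no longer redirects the target.
func WithVerifiedFd(root, unsafePath string, fn func(procfd string) error) error {
	path, err := ResolveInRoot(root, unsafePath)
	if err != nil {
		return err
	}
	f, err := os.OpenFile(path, os.O_RDONLY|syscall.O_NOFOLLOW|syscall.O_CLOEXEC, 0)
	if err != nil {
		return err
	}
	defer f.Close()
	procfd := fmt.Sprintf("/proc/self/fd/%d", f.Fd())
	kernelPath, err := os.Readlink(procfd) // Linux-only: requires procfs
	if err != nil {
		return err
	}
	if kernelPath != path {
		return fmt.Errorf("%w: resolved %s but kernel reports %s", ErrEscapesRoot, path, kernelPath)
	}
	return fn(procfd)
}

// main builds a constructed sample rootfs in a temp dir and runs the check
// against a benign destination, a destination through a planted symlink, and
// a dot-dot traversal attempt.
func main() {
	root, err := os.MkdirTemp("", "rootfs-example")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(root)
	root, _ = filepath.EvalSymlinks(root) // /proc reports canonical paths
	_ = os.Mkdir(filepath.Join(root, "data"), 0o755)
	_ = os.Symlink("/", filepath.Join(root, "evil"))

	for _, dest := range []string{"/data", "/evil/etc", "/../../etc"} {
		err := WithVerifiedFd(root, dest, func(procfd string) error {
			_, err := os.Stat(procfd) // stand-in for the real mount on procfd
			return err
		})
		fmt.Printf("%-12s -> %v\n", dest, err)
	}
}
```

The second check is the one that matters for an exchange race: the lexical and Lstat checks can only vouch for the filesystem as it was when they ran, whereas the comparison against /proc/self/fd reflects the object the kernel has already pinned with the open descriptor, and the subsequent operation is issued against that descriptor rather than against a name that can still change.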

Comment 8 Jason Shepherd 2021-04-29 06:55:11 UTC
Acknowledgments:

Name: Etienne Champetier

Comment 21 Jason Shepherd 2021-05-11 05:59:38 UTC
Statement:

OpenShift Container Platform OCP 3.11 by default uses Docker from the RHEL-7 extras repository. If using OCP 3.11, upgrade docker on all nodes to a fixed version from the RHEL-7 extras channel. CRI-O could be used instead of Docker on OCP 3.11; in that case, upgrade the runc version from the OCP rpm repository when it becomes available.

Comment 24 Jindrich Novy 2021-05-11 12:39:55 UTC
Created attachment 1782007 [details]
Full patch set from Aleksa - patches work for rc93.

Comment 26 Jason Shepherd 2021-05-11 23:47:58 UTC
Mitigation:

On OpenShift Container Platform keep SELinux in enforcing mode on the worker nodes to reduce the impact of this vulnerability.

Comment 34 Jindrich Novy 2021-05-18 05:53:39 UTC
Hi Kir,

It seems the attached "Backport to upstream runc-1.0.0-rc10/rc90" doesn't apply against extras-rhel-7.9's runc-1.0.0-68.rc10:
+ /usr/bin/cat /tmp/rh/runc/extras-rhel-7.9/0001-rootfs-add-mount-destination-validation.patch
+ /usr/bin/patch -p1 -s --fuzz=0 --no-backup-if-mismatch
6 out of 9 hunks FAILED -- saving rejects to file libcontainer/rootfs_linux.go.rej
1 out of 2 hunks FAILED -- saving rejects to file libcontainer/utils/utils.go.rej

Can you please fix the patch for runc-1.0.0-68.rc10?

Thanks!

Comment 39 Kir Kolyshkin 2021-05-18 23:28:31 UTC
Created attachment 1784640 [details]
Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed)

v2: fixed to import Sirupsen/logrus rather than sirupsen/logrus

Comment 40 Kir Kolyshkin 2021-05-18 23:29:18 UTC
> cannot find package "github.com/sirupsen/logrus" in any of: [...]

My bad. Patch updated.

Comment 43 Przemyslaw Roguski 2021-05-19 10:08:59 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1962096]

Comment 45 Kir Kolyshkin 2021-05-20 07:13:57 UTC
> it seems backports are still needed for rc5 and mainly for rc92, where the patches for rc10/rc93 don't apply. Do you mind having a look, Kir?

still working on it...

Comment 46 Przemyslaw Roguski 2021-05-20 10:57:11 UTC
For Red Hat OpenStack Platform, RHEL's packaged runc is used for containerized services via docker and podman. 
Note: OpenStack doesn't directly package runc.
However, the impact of this flaw is reduced for OpenStack because:
* SELinux policies are preconfigured and SELinux is enabled by default.
* Containers that run in an OpenStack environment are trusted services. Introducing a malicious access point would take significant effort and be easy to remediate once discovered.

Comment 47 Kir Kolyshkin 2021-05-20 21:39:04 UTC
Created attachment 1785360 [details]
Backport to upstream runc-1.0.0-rc5

This is a manual backport to runc v1.0.0-rc5. Did not do any testing other than making sure it compiles.

Comment 48 Kir Kolyshkin 2021-05-20 23:10:48 UTC
Created attachment 1785365 [details]
Backport to upstream runc-1.0.0-rc92

Manual backport to rc92. Only testing done is to make sure it compiles.

Comment 49 errata-xmlrpc 2021-05-24 16:58:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1562 https://access.redhat.com/errata/RHSA-2021:1562

Comment 50 Product Security DevOps Team 2021-05-24 17:32:01 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-30465

Comment 51 Jindrich Novy 2021-05-24 18:36:21 UTC
Hi Kir,

the rc92 patch applies cleanly - packages are now built with that patch. Thanks!

There is an issue with the rc5 patch:

+ /usr/bin/cat /tmp/rh/runc/stream-container-tools-1.0-rhel-8.5.0/0001-rc5-rootfs-add-mount-destination-validation.patch
+ /usr/bin/git apply --index --reject -
Checking patch libcontainer/rootfs_linux.go...
Hunk #4 succeeded at 183 (offset 20 lines).
error: while searching for:
		}
		return nil
	case "tmpfs":
		copyUp := m.Extensions&configs.EXT_COPYUP == configs.EXT_COPYUP
		tmpDir := ""
		stat, err := os.Stat(dest)
		if err != nil {
			if err := os.MkdirAll(dest, 0755); err != nil {
				return err
			}
		}
		if copyUp {
			tmpDir, err = ioutil.TempDir("/tmp", "runctmpdir")
			if err != nil {
				return newSystemErrorWithCause(err, "tmpcopyup: failed to create tmpdir")
			}
			defer os.RemoveAll(tmpDir)
			m.Destination = tmpDir
		}
		if err := mountPropagate(m, rootfs, mountLabel); err != nil {
			return err
		}
		if copyUp {
			if err := fileutils.CopyDirectory(dest, tmpDir); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to copy %s to %s: %v", dest, tmpDir, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
			if err := unix.Mount(tmpDir, dest, "", unix.MS_MOVE, ""); err != nil {
				errMsg := fmt.Errorf("tmpcopyup: failed to move mount %s to %s: %v", tmpDir, dest, err)
				if err1 := unix.Unmount(tmpDir, unix.MNT_DETACH); err1 != nil {
					return newSystemErrorWithCausef(err1, "tmpcopyup: %v: failed to unmount", errMsg)
				}
				return errMsg
			}
		}
		if stat != nil {
			if err = os.Chmod(dest, stat.Mode()); err != nil {
				return err

error: patch failed: libcontainer/rootfs_linux.go:190
Hunk #6 succeeded at 302 (offset 46 lines).
Hunk #7 succeeded at 380 (offset 46 lines).
Hunk #8 succeeded at 533 (offset 47 lines).
Hunk #9 succeeded at 541 (offset 47 lines).
Hunk #10 succeeded at 882 (offset 82 lines).
Checking patch libcontainer/utils/utils.go...
error: while searching for:
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"io"
	"os"
	"path/filepath"
	"strings"
	"unsafe"

	"golang.org/x/sys/unix"
)


error: patch failed: libcontainer/utils/utils.go:4
Hunk #2 succeeded at 73 (offset -18 lines).
Checking patch libcontainer/utils/utils_test.go...
error: while searching for:
		t.Errorf("expected to receive '/var' and received %s", path)
	}
}

error: patch failed: libcontainer/utils/utils_test.go:152
Applying patch libcontainer/rootfs_linux.go with 1 reject...
Hunk #1 applied cleanly.
Hunk #2 applied cleanly.
Hunk #3 applied cleanly.
Hunk #4 applied cleanly.
Rejected hunk #5.
Hunk #6 applied cleanly.
Hunk #7 applied cleanly.
Hunk #8 applied cleanly.
Hunk #9 applied cleanly.
Hunk #10 applied cleanly.
Applying patch libcontainer/utils/utils.go with 1 reject...
Rejected hunk #1.
Hunk #2 applied cleanly.
Applying patch libcontainer/utils/utils_test.go with 1 reject...
Rejected hunk #1.

Can you please have a look?

runc in 1.0 stream is based on runc-2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7 and there are currently these patches applied on top of it: http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0

Thanks,
Jindrich

Comment 52 Kir Kolyshkin 2021-05-24 21:27:20 UTC
Created attachment 1786656 [details]
Backport to rhel8.5 (runc v1.0.0-rc5-133-g2abd837c)

The rc5 patch was not applicable to rhel8.5 codebase because it's closer to rc6 in fact:

[kir@kir-rhat runc]$ git describe --tags --contains 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc6~27
[kir@kir-rhat runc]$ git describe --tags 2abd837c8c25b0102ac4ce14f17bc0bc7ddffba7
v1.0.0-rc5-133-g2abd837c

The commit 62a4763a7ab490340eab59a72498c6f4a197bed8 (aka v1.0.0-rc5-133-g2abd837c) made changes to tmpfs copyup, this is why the rc5 was not applicable.

Attached is the patch against rhel8.5 codebase as found at http://pkgs.devel.redhat.com/cgit/rpms/runc/tree/?h=stream-container-tools-1.0-rhel-8.5.0 (with all 5 patches from spec pre-applied).

Comment 53 Jindrich Novy 2021-05-25 05:34:30 UTC
Thanks Kir. The patch applies cleanly and is now committed into container-tools-1.0.

Comment 54 errata-xmlrpc 2021-05-26 05:59:59 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:1566 https://access.redhat.com/errata/RHSA-2021:1566

Comment 55 errata-xmlrpc 2021-05-26 06:01:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.5

Via RHSA-2021:2057 https://access.redhat.com/errata/RHSA-2021:2057

Comment 56 errata-xmlrpc 2021-05-31 07:49:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2021:2144 https://access.redhat.com/errata/RHSA-2021:2144

Comment 57 errata-xmlrpc 2021-05-31 07:55:05 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2021:2145 https://access.redhat.com/errata/RHSA-2021:2145

Comment 58 Kir Kolyshkin 2021-06-07 20:44:25 UTC
Created attachment 1789284 [details]
Backport to projectatomic/runc docker-1.13.1-rhel branch (fixed-fixed)

Comment 59 errata-xmlrpc 2021-06-08 12:06:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:2292 https://access.redhat.com/errata/RHSA-2021:2292

Comment 60 errata-xmlrpc 2021-06-08 12:16:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2291 https://access.redhat.com/errata/RHSA-2021:2291

Comment 61 errata-xmlrpc 2021-06-09 17:06:28 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.11

Via RHSA-2021:2150 https://access.redhat.com/errata/RHSA-2021:2150

Comment 62 errata-xmlrpc 2021-06-10 08:33:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2371 https://access.redhat.com/errata/RHSA-2021:2371

Comment 63 errata-xmlrpc 2021-06-10 08:49:11 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:2370 https://access.redhat.com/errata/RHSA-2021:2370

Comment 64 Marco Benatto 2021-06-15 12:58:35 UTC
Container-tools:1.0 for rhel8 is out of support scope already and won't receive these fixes.