Bug 2141733

Summary: Rook Ceph crashcollector: Container breakout
Product: [Other] Security Response Reporter: Sage McTaggart <amctagga>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, aoconnor, bniver, flucifre, gmeno, mbenjamin, mhackett, sostapov, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Ceph-Rook. An attacker with root capabilities can escape the cgroup isolation and gain access to unauthorized information. This issue impacts confidentiality, integrity, and availability.
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-08 18:55:24 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2141734, 2141735    
Bug Blocks: 2141732    

Description Sage McTaggart 2022-11-10 16:17:25 UTC
"Container breakout is used to indicate a situation in which a program
running inside a Docker container can overcome isolation mechanisms and
gain additional capabilities or access to confidential information on the
host.
It was observed that the container was running with root user and
CAP_SYS_ADMIN capability.
cgroups (abbreviated from control groups) is a Linux kernel feature that
limits, accounts for, and isolates the resource usage (CPU, memory, disk
I/O, network, etc.) of a collection of processes. Essentially, cgroups are
one way that Docker isolates containers.

They abused the misconfigurations as mentioned above and utilized the
notify_on_release feature in cgroups to escape from the
container. Reference:
https://phoenixnap.com/kb/docker-security-best-practices"

Comment 1 Sage McTaggart 2022-11-10 16:18:12 UTC
Fix Recommendation
To help keep containers secure:
Do not use privileged flag, it disables all the security mechanisms placed by docker.
Do not run containers as the root user.
Use SecComp and AppArmor profiles to harden the container.
Do not mount root volumes into the container

Comment 3 Sage McTaggart 2022-12-08 18:53:52 UTC
This is actually a report of CVE-2022-0492[1][2] as applied to Ceph on Openshift using RHEL as a base platform. As a result of the flaw in RHEL (as used as the base image), a customer's pentest showed this to be affected. However, there is no evidence this is an independent flaw, and thus, there is no additional impact to Confidentiality, Integrity, or Availability, and no security boundaries being crossed. In addition, this requires running as root and CAP_SYS_ADMIN capability, which is not an approved configuration. 

[1] https://unit42.paloaltonetworks.com/cve-2022-0492-cgroups/
[2] https://access.redhat.com/security/cve/cve-2022-0492