Bug 2174485 (CVE-2023-25173)

Summary: CVE-2023-25173 containerd: Supplementary groups are not set up properly
Product: [Other] Security Response
Reporter: Anten Skrabec <askrabec>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: aazores, abenaiss, adudiak, amackenz, amasferr, amctagga, aveerama, bbaude, bcoca, bdettelb, chazlett, cwelton, davidn, dfreiber, dkenigsb, dperaza, dshah, dsimansk, dwalsh, dymurray, ebaron, eglynn, ellin, epacific, fdeutsch, gparvin, ibolton, jburrell, jcammara, jcantril, jchui, jhardy, jjoyce, jkang, jkoehler, jligon, jmatthew, jmontleo, jneedle, jnovy, jobarker, joelsmith, jpallich, jwendell, kshier, lball, lgamliel, lhh, lsm5, mabashia, matzew, mboddu, mburns, mfilanov, mgarciac, mheon, mkudlej, muagarwa, mwringe, nalin, nbecker, nboldt, njean, oramraz, osapryki, ovanders, owatkins, pahickey, pehunt, periklis, phoracek, pjindal, pthomas, rcernich, rfreiman, rgarg, rhos-maint, rhuss, rjohnson, rogbas, scorneli, sfroberg, shbose, simaishi, skontopo, slucidi, smcdonal, smullick, spower, sseago, stcannon, teagle, tfister, tjochec, tnielsen, trathi, tsweeney, ubhargav, umohnani, vkumar, whayutin, yguenane, zsadeh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: containerd 1.5.18, containerd 1.6.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in containerd, where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases. This issue can allow access to sensitive information or the ability to execute code in that container.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2174486, 2174512, 2174513, 2174514, 2174529, 2174530, 2174534, 2174538, 2174542, 2174543, 2174544, 2174545, 2174546, 2174547, 2174549, 2174552, 2174562, 2175070, 2175071, 2175073, 2175074, 2174511, 2174515, 2174517, 2174518, 2174519, 2174520, 2174521, 2174522, 2174523, 2174524, 2174525, 2174526, 2174527, 2174528, 2174531, 2174532, 2174533, 2174535, 2174536, 2174537, 2174539, 2174540, 2174541, 2174548, 2174550, 2174551, 2174553, 2174554, 2174555, 2174556, 2174557, 2174558, 2174559, 2174560, 2174561, 2175064, 2175065, 2175066, 2175067, 2175068, 2175069, 2175072, 2175075, 2175692, 2175693
Bug Blocks: 2170820

Description Anten Skrabec 2023-03-01 18:39:19 UTC
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
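
The practical question the description above raises for an operator is whether the processes in a given container actually hold the supplementary groups that the image's /etc/group grants them, and nothing else. The following POSIX shell check is an added example and is not part of the bug report, of containerd, or of any of the tracking packages. It computes, from a group file, the GIDs a user should receive as supplementary groups, and compares that set with an `id -G` style list taken from a running process; any group the process holds that the group file does not grant, and any granted group the process is missing, is flagged. The sample group file, the user names and the GID values are all constructed for illustration.

```shell
#!/bin/sh
# Constructed sample /etc/group content (not taken from any real image).
SAMPLE_GROUP='root:x:0:
wheel:x:10:alice
audio:x:29:alice,bob
docker:x:999:bob
app:x:1000:'

# expected_gids USER GROUPFILE_CONTENT
# Prints, sorted and space-separated, the GIDs of every group in the group
# file whose member list names USER: the supplementary groups a runtime that
# honours /etc/group would hand to that user's processes.
expected_gids() {
    user=$1
    printf '%s\n' "$2" | awk -F: -v u="$user" '
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) print $3
        }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# check_groups USER PRIMARY_GID ACTUAL_GIDS GROUPFILE_CONTENT
# ACTUAL_GIDS is the output of `id -G` inside the container: the primary GID
# first, then the supplementary GIDs. Returns 0 when the supplementary set
# matches the group file exactly, 1 otherwise; a mismatch in either
# direction (extra group held, or granted group missing) is reported.
check_groups() {
    user=$1; primary=$2; actual=$3; content=$4
    want=$(expected_gids "$user" "$content")
    have=$(printf '%s\n' $actual | grep -vx "$primary" | sort -n | tr '\n' ' ' | sed 's/ $//')
    if [ "$want" = "$have" ]; then
        return 0
    fi
    echo "mismatch for $user: expected [$want] got [$have]" >&2
    return 1
}

# Demonstration on constructed `id -G` output: a process holding exactly the
# groups listed for alice passes; one carrying gid 0, which the group file
# does not grant her, is flagged.
check_groups alice 1000 "1000 10 29" "$SAMPLE_GROUP" && echo "alice: OK"
check_groups alice 1000 "1000 0" "$SAMPLE_GROUP" || echo "alice: FLAGGED"
```

Inside a container the live check is `check_groups "$(id -un)" "$(id -g)" "$(id -G)" "$(cat /etc/group)"`, run as the user the image is supposed to start as. It is also the check to repeat after updating the runtime and recreating the container, as the report advises, since a container created under the old runtime keeps whatever group set it was started with.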

Comment 1 Anten Skrabec 2023-03-01 18:39:32 UTC
Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2174486]

Comment 2 Anten Skrabec 2023-03-01 20:15:56 UTC
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2174511]
Affects: fedora-all [bug 2174518]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2174519]


Created conmon tracking bugs for this issue:

Affects: fedora-all [bug 2174520]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174521]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174522]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2174515]
Affects: fedora-36 [bug 2174523]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174524]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174525]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174526]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174527]


Created doctl tracking bugs for this issue:

Affects: fedora-37 [bug 2174541]


Created golang-github-containerd-fuse-overlayfs-snapshotter tracking bugs for this issue:

Affects: fedora-36 [bug 2174528]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-all [bug 2174529]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-37 [bug 2174542]
Affects: fedora-all [bug 2174530]


Created golang-github-google-containerregistry tracking bugs for this issue:

Affects: fedora-36 [bug 2174531]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-36 [bug 2174532]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2174512]
Affects: fedora-36 [bug 2174533]


Created golang-gvisor tracking bugs for this issue:

Affects: fedora-all [bug 2174534]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2174543]


Created manifest-tool tracking bugs for this issue:

Affects: fedora-36 [bug 2174535]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2174544]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2174545]


Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2174517]
Affects: fedora-36 [bug 2174536]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2174537]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2174538]


Created reg tracking bugs for this issue:

Affects: epel-all [bug 2174513]
Affects: fedora-36 [bug 2174539]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2174514]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2174540]

Comment 10 Lokesh Mandvekar 2023-03-02 10:42:00 UTC
Hi Anten / prodsec, for future cve bzs, could you please also include a link to the vulnerable code + patch that fixes it? Sure, one could google around, but it'd be really convenient to have it in the Bug description itself. I say this because I've noticed many of the golang packages often don't end up using the actual vulnerable code, so they may not need any updates.

Comment 25 errata-xmlrpc 2023-05-04 01:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107

Comment 26 errata-xmlrpc 2023-05-10 00:28:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1372 https://access.redhat.com/errata/RHSA-2023:1372

Comment 27 errata-xmlrpc 2023-05-10 16:44:49 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Security Profiles Operator stable on RHEL-8
  Red Hat OpenShift Security Profiles Operator stable on RHEL-9

Via RHSA-2023:2029 https://access.redhat.com/errata/RHSA-2023:2029

Comment 30 errata-xmlrpc 2023-05-17 22:31:25 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 32 errata-xmlrpc 2023-06-05 16:44:15 UTC
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450

Comment 33 errata-xmlrpc 2023-06-05 23:42:44 UTC
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455

Comment 34 errata-xmlrpc 2023-06-13 13:10:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3537 https://access.redhat.com/errata/RHSA-2023:3537

Comment 38 errata-xmlrpc 2023-07-18 00:18:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:4025 https://access.redhat.com/errata/RHSA-2023:4025

Comment 39 errata-xmlrpc 2023-07-27 01:10:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4226 https://access.redhat.com/errata/RHSA-2023:4226

Comment 41 errata-xmlrpc 2023-08-07 00:27:39 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4488 https://access.redhat.com/errata/RHSA-2023:4488