Bug 1737333 - atomic-openshift: openshift-node allows pods to escalate privileges via setuid bit
Summary: atomic-openshift: openshift-node allows pods to escalate privileges via setui...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1737647 1737648 1737650
Blocks: 1735501
TreeView+ depends on / blocked
 
Reported: 2019-08-05 06:49 UTC by Jason Shepherd
Modified: 2021-02-16 21:33 UTC (History)
20 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2019-08-06 00:59:45 UTC
Embargoed:


Attachments (Terms of Use)

Description Jason Shepherd 2019-08-05 06:49:22 UTC
A privilege escalate flaw exists in the openshift-node component of OpenShift Container Platform. An attacker able to trick a user into running a malicious container can read, or delete files in the container owned by root.

Comment 9 Jason Shepherd 2019-08-06 00:55:17 UTC
After discussing it with the engineering team and within prodsec we decided that this shouldn't be a vulnerability. setuid is needed for some features including 'ping' from within a pod. Also there is already an SCC option to disable it in OpenShift and Kubernetes:

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation

Comment 10 Jason Shepherd 2019-08-06 00:59:50 UTC
Statement:

On Red Hat Enterprise Linux 7 or 8, when running a container with podman, or docker it's possible to add the security-opt 'no-new-privileges' to prevent this vulnerability. 

On OpenShift Container Platform 3.11, 4.1 and 4.1 it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will prevent certain binaries which require setuid to stop working, such as 'ping'. https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html

Comment 11 Daniel Walsh 2019-08-06 11:52:22 UTC
We can setup ping to work without requiring any additional privs by modifying crio to automatically allow non priv user to create icmp packets.

https://github.com/cri-o/cri-o/pull/2378


Note You need to log in before you can comment on or make changes to this bug.