Bugzilla (bugzilla.redhat.com) will be under maintenance for infrastructure upgrades and will not be available on July 31st between 12:30 AM - 05:30 AM UTC. We appreciate your understanding and patience. You can follow status.redhat.com for details.
Bug 1737333 - atomic-openshift: openshift-node allows pods to escalate privileges via setuid bit
Summary: atomic-openshift: openshift-node allows pods to escalate privileges via setui...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1737647 1737648 1737650
Blocks: 1735501
TreeView+ depends on / blocked
 
Reported: 2019-08-05 06:49 UTC by Jason Shepherd
Modified: 2021-02-16 21:33 UTC (History)
20 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A privilege escalate flaw exists in the openshift-node component of the OpenShift Container Platform. An attacker could use this flaw to trick a user into running a malicious container and can read or delete files in the container owned by root.
Clone Of:
Environment:
Last Closed: 2019-08-06 00:59:45 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description Jason Shepherd 2019-08-05 06:49:22 UTC 
A privilege escalate flaw exists in the openshift-node component of OpenShift Container Platform. An attacker able to trick a user into running a malicious container can read, or delete files in the container owned by root.
Comment 9 Jason Shepherd 2019-08-06 00:55:17 UTC 
After discussing it with the engineering team and within prodsec we decided that this shouldn't be a vulnerability. setuid is needed for some features including 'ping' from within a pod. Also there is already an SCC option to disable it in OpenShift and Kubernetes:

https://kubernetes.io/docs/concepts/policy/pod-security-policy/#privilege-escalation
Comment 10 Jason Shepherd 2019-08-06 00:59:50 UTC 
Statement:

On Red Hat Enterprise Linux 7 or 8, when running a container with podman, or docker it's possible to add the security-opt 'no-new-privileges' to prevent this vulnerability. 

On OpenShift Container Platform 3.11, 4.1 and 4.1 it's possible to set the allowPrivilegeEscalation Security Context Constraint to 'false' to prevent this. Note that this is set to 'true' by default, and setting it to false will prevent certain binaries which require setuid to stop working, such as 'ping'. https://docs.openshift.com/container-platform/3.11/release_notes/ocp_3_11_release_notes.html
Comment 11 Daniel Walsh 2019-08-06 11:52:22 UTC 
We can setup ping to work without requiring any additional privs by modifying crio to automatically allow non priv user to create icmp packets.

https://github.com/cri-o/cri-o/pull/2378
Note You need to log in before you can comment on or make changes to this bug.