Bug 1757214 (CVE-2019-16884) - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
Summary: CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specif...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1757290 1759650 1759651 1760088 1760989 1760990 1764182 1765465 1765467 1765468 1810703
Blocks: 1757218
TreeView+ depends on / blocked
 
Reported: 2019-09-30 20:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-09-07 20:42 UTC (History)
37 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-21 13:04:53 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3940 0 None None None 2019-11-21 09:50:31 UTC
Red Hat Product Errata RHSA-2019:4074 0 None None None 2019-12-03 21:05:49 UTC
Red Hat Product Errata RHSA-2019:4269 0 None None None 2019-12-17 10:47:37 UTC
Red Hat Product Errata RHSA-2020:1234 0 None None None 2020-04-01 00:26:26 UTC

Description Guilherme de Almeida Suckevicz 2019-09-30 20:36:53 UTC 
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

References:
https://github.com/opencontainers/runc/issues/2128
Comment 1 Dhananjay Arunesh 2019-10-01 05:37:28 UTC 
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1757290]
Comment 2 Dave Baker 2019-10-01 12:27:47 UTC 
According to the upstream bug report, this also affects SELinux labels:
- https://github.com/opencontainers/runc/issues/2128#issuecomment-535478352
Comment 3 Daniel Walsh 2019-10-01 12:58:29 UTC 
Yes this is an SELinux issue as well as an AppArmor problem.
Comment 14 Marco Benatto 2019-10-11 21:17:48 UTC 
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1760989]
Affects: openstack-rdo [bug 1760990]
Comment 15 Marco Benatto 2019-10-11 21:24:03 UTC 
Statement:

The AppArmor security module is not supported by Red Hat, on the other hand the flaw also affects SELinux based distributions like Red Hat Enterprise Linux.
Comment 16 Marco Benatto 2019-10-11 21:30:36 UTC 
When creating a new container runc doesn't proper validate whether a non-procfs filesystem is being mounted on top of /proc mount point. As runc relies on attr entries to read or set SELinux labels and attacker may leverage this weakness by creating a crafted container image, with malicious values set on security attributes entry for processes, and mounted on top of container's /proc. This flaw may allow containers to run with more privileged SELinux labels than the default, allowing tasks confined inside the container instance to eventually execute non expected actions.
The security impact for this issue is considered Medium for Red Hat Enterprise Linux, as with SELinux the task still runs confined under a less privileged label than unconfined_t.
Comment 17 Giuseppe Scrivano 2019-10-14 13:44:56 UTC 
WIP backports here: https://github.com/projectatomic/runc/pull/28
Comment 18 Sam Fowler 2019-10-25 07:30:17 UTC 
Upstream Fix:

https://github.com/opencontainers/runc/pull/2129
Comment 20 errata-xmlrpc 2019-11-21 09:50:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:3940
Comment 21 Product Security DevOps Team 2019-11-21 13:04:53 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16884
Comment 22 errata-xmlrpc 2019-12-03 21:05:47 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4074
Comment 23 errata-xmlrpc 2019-12-17 10:47:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269
Comment 28 errata-xmlrpc 2020-04-01 00:26:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:1234 https://access.redhat.com/errata/RHSA-2020:1234
Comment 29 Marco Benatto 2020-04-09 18:03:51 UTC 
This CVE was fixed in runc Red Hat Enterprise Linux 7.8 - Extra Packages via RHSA-2020:1232 https://access.redhat.com/errata/RHBA-2020:1232
Note You need to log in before you can comment on or make changes to this bug.