A possible privilege escalation has been found in containers which modify the permissions of their local /etc/passwd. Within a container, by default a user is assigned to the root group:

    sh-4.2$ id
    uid=1001(default) gid=0(root) groups=0(root)

When this is combined with a loosening of permissions on /etc/passwd, it is possible for any user in the container to modify the passwd file and assume root. For example:

https://github.com/operator-framework/presto/blob/master/Dockerfile.rhel#L75

    chmod -R 774 /etc/passwd $JAVA_HOME/lib/security/cacerts &&

To then add a new root user (in a contrived example):

    oc rsh presto
    echo test::0:0:/root:/bin/bash >> /etc/passwd
    su test

Additionally, as a result of OpenShift not yet implementing user namespaces, if root is achieved in the container, root is technically achieved on the host.

It is our understanding that this chmod of /etc/passwd has become necessary to support arbitrary user IDs as per this document:

https://docs.openshift.com/container-platform/4.2/openshift_images/create-images.html#images-create-guide-openshift_create-images

The document does state "that there are no security concerns with this arrangement"; however, from the above example we can see that this is not true.

It should also be noted, however, that containers in OpenShift run under the restricted SCC by default, with CAP_SETUID and CAP_SETGID both dropped. This significantly increases the difficulty of achieving access to the host directly. Even with protections like this (including SELinux), this technique provides a relatively easy first step towards a container escape and is still considered an escalation of privileges.
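The condition described above has two halves: /etc/passwd must be writable by its group (or by everyone), and the unprivileged process must hold gid 0, the file's owning group. The script below is an added example for auditing that condition; it is not code from this report or from any OpenShift image. It checks an extracted container rootfs (for instance the layer contents unpacked with `podman save IMAGE | tar -x`, as in the later comment) for a group- or world-writable etc/passwd, decides whether a given uid/gid combination could append a uid-0 entry, and lists Dockerfile lines whose `chmod` reaches /etc/passwd (both the `chmod -R 774 /etc/passwd ...` and `chmod g+w /etc/passwd` forms seen on this page match). It assumes GNU or busybox `stat` (Linux); the demo rootfs, the Dockerfile fragment and the `registry.example` base image are constructed for the example.

```shell
#!/usr/bin/env sh
# Added example; not code from the bug report or from any OpenShift image.
# Audits an extracted container rootfs for a loosely writable etc/passwd and
# flags the Dockerfile chmod that introduces it. Needs GNU or busybox stat.

# Symbolic mode of a file, e.g. "-rw-rw-r--".
file_mode() { stat -c %A "$1"; }

# 0 if etc/passwd under rootfs $1 is writable by group or others,
# 1 if not, 2 if the file is absent.
passwd_is_loosely_writable() {
    f="$1/etc/passwd"
    [ -f "$f" ] || return 2
    mode=$(file_mode "$f")
    # Positions 6 and 9 of "-rwxrwxrwx" are the group and other write bits.
    gw=$(printf '%s' "$mode" | cut -c6)
    ow=$(printf '%s' "$mode" | cut -c9)
    [ "$gw" = w ] || [ "$ow" = w ]
}

# 0 if a process running as uid $2 with gids $3 (space separated, as `id -G`
# prints them) could append to etc/passwd under rootfs $1: either others may
# write, or the group may write and the process holds the file's owning group.
# uid 0 is already root, so it is reported as 1 (nothing to escalate).
passwd_escalation_possible() {
    f="$1/etc/passwd"; uid="$2"; gids="$3"
    [ "$uid" = 0 ] && return 1
    [ -f "$f" ] || return 2
    mode=$(file_mode "$f")
    fgid=$(stat -c %g "$f")
    [ "$(printf '%s' "$mode" | cut -c9)" = w ] && return 0
    if [ "$(printf '%s' "$mode" | cut -c6)" = w ]; then
        for g in $gids; do
            [ "$g" = "$fgid" ] && return 0
        done
    fi
    return 1
}

# Prints Dockerfile lines (with line numbers) where a chmod's argument list
# reaches /etc/passwd. Returns grep's status: 0 when at least one line matched.
# A chmod that tightens the mode matches too; the output is for review.
dockerfile_passwd_chmods() {
    grep -nE 'chmod[^;&|]*/etc/passwd' "$1"
}

# Constructed demo rootfs: a passwd file set to 774 as in the presto
# Dockerfile cited above. Its owning group is whatever group the caller runs
# as (inside the image it would be gid 0).
make_demo_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/etc"
    printf 'root:x:0:0:root:/root:/bin/bash\n' > "$d/etc/passwd"
    printf 'default:x:1001:0:default user:/:/bin/sh\n' >> "$d/etc/passwd"
    chmod 774 "$d/etc/passwd"
    printf '%s\n' "$d"
}

# Constructed Dockerfile fragment carrying the offending line
# (registry.example is a hypothetical base image).
make_demo_dockerfile() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
FROM registry.example/base:latest
RUN chmod -R 774 /etc/passwd $JAVA_HOME/lib/security/cacerts && \
    echo done
USER 1001
EOF
    printf '%s\n' "$f"
}
```

Against a real image, point `passwd_is_loosely_writable` at the directory where the layer tarballs were unpacked and pass the image's configured `USER` plus `0` (the default gid OpenShift assigns) to `passwd_escalation_possible`; a 0 return means the image meets both halves of the condition, and `dockerfile_passwd_chmods` on the build context shows where the mode was changed.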
The following containers so far have been identified to modify /etc/passwd:
- hadoop
- hive
- jenkins-slave-base-rhel7
- openshift-enterprise-apb-base
- openshift-enterprise-apb
- openshift-enterprise-mediawiki
- openshift-enterprise-tests
- openshift-jenkins-2
- ose-metering-ansible-operator
- presto
- sso73-openshift
Overall the following 17 OpenShift containers contain the incorrect /etc/passwd permissions (some are built from the same repo):
* hadoop-container
* hive-container
* jenkins-slave-base-rhel7-container
* openshift-enterprise-ansible-operator-container
* openshift-enterprise-ansible-service-broker-operator-container
* openshift-enterprise-apb-base-container
* openshift-enterprise-apb-tools-container
* openshift-enterprise-mariadb-apb
* openshift-enterprise-mediawiki-apb
* openshift-enterprise-mediawiki-container
* openshift-enterprise-mysql-apb
* openshift-enterprise-postgresql-apb
* openshift-enterprise-template-service-broker-operator-container
* openshift-enterprise-tests-container
* ose-metering-ansible-operator-container
* presto-container
* openshift-istio-kiali-rhel7-operator-container
Unembargoed. Have filed separate flaws for each container listed with a separate CVE.
Flaws filed for each container:
* hadoop-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793278
* hive-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793279
* jenkins-slave-base-rhel7-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793282
* openshift-enterprise-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793277
* openshift-enterprise-ansible-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793283
* openshift-enterprise-apb-base-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793286
* openshift-enterprise-apb-tools-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793302
* openshift-enterprise-mariadb-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793289
* openshift-enterprise-mediawiki-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793296
* openshift-enterprise-mediawiki-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793297
* openshift-enterprise-mysql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793299
* openshift-enterprise-postgresql-apb - https://bugzilla.redhat.com/show_bug.cgi?id=1793301
* openshift-enterprise-template-service-broker-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793304
* openshift-enterprise-tests-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793287
* ose-metering-ansible-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793284
* presto-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793281
* openshift-istio-kiali-rhel7-operator-container - https://bugzilla.redhat.com/show_bug.cgi?id=1793305
Acknowledgments: Name: Joseph LaMagna-Reiter (SPR Inc.)
Noting for future reference, openshift4/ose-baremetal-installer-rhel8 also suffers from these weak permissions:

https://catalog.redhat.com/software/containers/openshift4/ose-baremetal-installer-rhel8/5d94b782d70cc50ebeaa5950?container-tabs=dockerfile - line 25:

    chmod g+w /etc/passwd

Seen here in container layer content:

    $ podman save openshift4/ose-baremetal-installer-rhel8 | tar -xvf -
    ...
    $ tar vtf 3e1bc69229c4f2c3c631d68524091f7f2452e5f3fb86b3f9967e201785051d23.tar | grep etc/passwd
    -rw-rw-r-- 0/0             765 2020-11-18 08:55 etc/passwd
    -rw-r--r-- 0/0             703 2020-10-30 06:09 etc/passwd-

I'll clone one of the existing BZs for this container image shortly.