Bug 1823504 (CVE-2020-5291) - CVE-2020-5291 bubblewrap: privilege escalation in some kernel configurations
Summary: CVE-2020-5291 bubblewrap: privilege escalation in some kernel configurations
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-5291
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1823505 1823506 1823763 1824826 1824827
Blocks: 1823507
Reported: 2020-04-13 20:38 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-02-16 20:16 UTC (History)
CC List: 21 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-11-05 14:21:12 UTC
Embargoed:



Description Guilherme de Almeida Suckevicz 2020-04-13 20:38:51 UTC
Bubblewrap (bwrap) before version 0.4.1, if installed in setuid mode and the kernel supports unprivileged user namespaces, then the `bwrap --userns2` option can be used to make the setuid process keep running as root while being traceable. This can in turn be used to gain root permissions. Note that this only affects the combination of bubblewrap in setuid mode (which is typically used when unprivileged user namespaces are not supported) and the support of unprivileged user namespaces.

Known to be affected are:

* Debian testing/unstable, if unprivileged user namespaces enabled (not default)
* Debian buster-backports, if unprivileged user namespaces enabled (not default)
* Arch if using `linux-hardened`, if unprivileged user namespaces enabled (not default)
* CentOS 7 flatpak COPR, if unprivileged user namespaces enabled (not default)

This has been fixed in the 0.4.1 release, and all affected users should update.

Reference:
https://github.com/containers/bubblewrap/security/advisories/GHSA-j2qp-rvxj-43vj

Upstream commit:
https://github.com/containers/bubblewrap/commit/1f7e2ad948c051054b683461885a0215f1806240
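As an added illustration (not part of the bug report or of the bubblewrap project), a POSIX shell audit helper that flags the affected combination the description names: a setuid-root bwrap binary, unprivileged user namespaces enabled, and a bubblewrap version before 0.4.1. It assumes that `bwrap --version` prints `bubblewrap <version>` and that Debian and Arch `linux-hardened` kernels expose `kernel.unprivileged_userns_clone`; both are assumptions, not facts from the report.

```shell
#!/bin/sh
# Audit helper for CVE-2020-5291 (added example, not from the bug report).
# Affected combination per the description: setuid-root bwrap, unprivileged
# user namespaces enabled, and bubblewrap older than 0.4.1.
# Return 0 (true) when dotted version $1 is strictly lower than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".");
        n = (na > nb) ? na : nb;
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0;
            if (xi < yi) exit 0;
            if (xi > yi) exit 1;
        }
        exit 1  # equal is not lower
    }'
}
# $1: "setuid" or "other" (how bwrap gains privilege), $2: 1 if unprivileged
# user namespaces are enabled, $3: bwrap version. Returns 0 when affected.
bwrap_affected() {
    [ "$1" = setuid ] && [ "$2" = 1 ] && version_lt "$3" 0.4.1
}
# Live-system probes; the file paths and output format are assumptions.
probe_mode() {
    bin=$(command -v bwrap 2>/dev/null) || { echo none; return 0; }
    if [ -u "$bin" ]; then echo setuid; else echo other; fi  # other: caps or plain
}
probe_userns() {
    # Debian / Arch linux-hardened sysctl first, then the upstream limit knob.
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ]; then
        cat /proc/sys/kernel/unprivileged_userns_clone
    elif [ -r /proc/sys/user/max_user_namespaces ] &&
         [ "$(cat /proc/sys/user/max_user_namespaces)" -gt 0 ]; then
        echo 1
    else
        echo 0
    fi
}
probe_version() { bwrap --version 2>/dev/null | awk '{ print $2 }'; }  # "bubblewrap X.Y.Z"
audit_system() {
    mode=$(probe_mode); userns=$(probe_userns); ver=$(probe_version)
    [ "$mode" = none ] && { echo "bwrap not installed"; return 0; }
    if bwrap_affected "$mode" "$userns" "${ver:-0}"; then
        echo "AFFECTED: bwrap $ver is setuid and unprivileged userns are on; update to >= 0.4.1"
        return 1
    fi
    echo "not affected (mode=$mode userns=$userns version=$ver)"
}
if [ "${1:-}" = --run ]; then audit_system; fi
```

Run with `--run` to audit the local host; the pure functions can also be sourced and called with values gathered elsewhere (for example from a configuration management inventory).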

Comment 1 Guilherme de Almeida Suckevicz 2020-04-13 20:39:14 UTC
Created bubblewrap tracking bugs for this issue:

Affects: epel-7 [bug 1823506]
Affects: fedora-all [bug 1823505]

Comment 2 Yadnyawalk Tale 2020-04-14 12:52:48 UTC
CloudForms 5.10 uses bubblewrap-0.3.3-2 which is vulnerable, CF 5.11 is not using bubblewrap somehow.

Comment 9 Bill Nottingham 2020-04-16 18:45:11 UTC
Per upstream changelog (https://github.com/containers/bubblewrap/releases/tag/v0.4.1), only 0.4.0 is vulnerable.

So none of Ansible Tower or CloudForms includes a version affected by this issue.

Comment 10 Borja Tarraso 2020-04-17 14:48:52 UTC
Statement:

Red Hat CloudForms 5.10 uses a vulnerable bubblewrap package; however, 5.11 is not vulnerable to this flaw. CloudForms may update bubblewrap in the future.

Red Hat Ansible Tower is not vulnerable, as it uses bubblewrap package version 0.3.3; only bubblewrap package version 0.4.0 is affected.

The version of the bubblewrap package as shipped with Red Hat Enterprise Linux 8 is not affected by this issue. Although we have the affected code, Red Hat Enterprise Linux 8 bubblewrap doesn't use the setuid mechanism for privilege escalation, which is the attack vector for this issue, but capabilities instead. Red Hat Enterprise Linux's bubblewrap may be updated in the future to a version which includes the fix.

Comment 11 Product Security DevOps Team 2020-11-05 14:21:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-5291
