Bug 1874268 (CVE-2020-14370) - CVE-2020-14370 podman: environment variables leak between containers when started via Varlink or Docker-compatible REST API
Summary: CVE-2020-14370 podman: environment variables leak between containers when sta...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-14370
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1874270 1874271 1874272 1898991 1898992 1876286 1877296 1881062 1881345
Blocks: 1862323
TreeView+ depends on / blocked
 
Reported: 2020-08-31 20:45 UTC by Guilherme de Almeida Suckevicz
Modified: 2020-11-18 13:12 UTC (History)
20 users (show)

Fixed In Version: podman 2.0.5
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure vulnerability was found in containers/podman. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first container will get leaked into subsequent containers. An attacker who has control over the subsequent containers could use this flaw to gain access to sensitive information stored in such variables.
Clone Of:
Environment:
Last Closed: 2020-10-27 20:21:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:4297 None None None 2020-10-27 14:54:15 UTC
Red Hat Product Errata RHSA-2020:5056 None None None 2020-11-10 13:54:12 UTC

Description Guilherme de Almeida Suckevicz 2020-08-31 20:45:00 UTC
A flaw was discovered in Podman before upstream version 2.0.5. When using the deprecated Varlink API or the Docker-compatible REST API, if multiple containers are created in a short duration, the environment variables from the first containers will get leaked into subsequent containers. An attacker who has control over those subsequent containers may get access to secrets shared with previous containers through environment variables.

Comment 4 Riccardo Schirone 2020-09-21 10:59:00 UTC
The flaw lies in pkg/spec/spec.go:createConfigToOCISpec() function, where the variable DefaultEnvVariables of the env package is used and modified without making a copy of it. Thus when creating multiple containers in such a way that createConfigToOCISpec() is used, variables defined for previously created containers are leaked to newer containers.

Function createConfigToOCISpec() is used by varlink API or by the REST API, in particular the Docker-compatible API.

Comment 8 Riccardo Schirone 2020-09-21 13:58:56 UTC
To actually get access to possible secrets passed through environment variables, an attacker would require access to containers in the infrastructure, created in such a way to trigger this flaw.

Comment 9 Riccardo Schirone 2020-09-21 14:29:07 UTC
By default, in Red Hat Enterprise Linux 8 when using the podman socket/service through systemd, the varlink session automatically expires after 60 seconds, so to leak environment variables from one container to another they have to be created in a short time.

Comment 10 Mark Cooper 2020-09-22 05:20:09 UTC
Statement:

Whilst OpenShift Container Platform (OCP) does include podman, the Varlink API is not enabled by default. However, as it is trivial to activate this feature, OCP has been marked as affected.

Comment 11 Riccardo Schirone 2020-09-22 08:43:28 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1881345]

Comment 12 errata-xmlrpc 2020-10-27 14:54:26 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2020:4297 https://access.redhat.com/errata/RHSA-2020:4297

Comment 13 Product Security DevOps Team 2020-10-27 20:21:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-14370

Comment 14 errata-xmlrpc 2020-11-10 13:54:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2020:5056 https://access.redhat.com/errata/RHSA-2020:5056


Note You need to log in before you can comment on or make changes to this bug.