Bug 1919391 (CVE-2021-20206) - CVE-2021-20206 containernetworking-cni: Arbitrary path injection via type field in CNI configuration
Status: CLOSED ERRATA
Alias: CVE-2021-20206
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Depends On: 1924516 1924550 1924551 1924558 1924559 1925068 1925069 1925077 1925111 1925112 1925398 1926021 1926022 1926492 1926496 1926499 1926502 1926503 1926504 1930216 1930217 1930218 1930219 1931984 1931985 1931986 1931987 1931988 1931989 1931990 1931991 1931992 1931993 1931994 1931995 1934004 1934005 1934006 1935802 1942675 1924511 1924514 1924518 1924520 1924522 1924552 1924553 1924554 1924555 1924556 1924557 1924824 1924825 1924835 1924837 1925076 1925080 1925108 1925109 1925110 1925399 1926355 1926497 1926498 1926500 1926796 1926801 1935801 1935803
Blocks: 1919392 1926161
Reported: 2021-01-22 18:36 UTC by Pedro Sampaio
Modified: 2021-04-13 08:33 UTC

Fixed In Version: containernetworking/cni 0.8.1
Doc Text:
An improper limitation of path name flaw was found in containernetworking/cni. When specifying the plugin to load in the `type` field in the network configuration, it is possible to use special elements such as "../" separators to reference binaries elsewhere on the system. This flaw allows an attacker to execute existing binaries other than the CNI plugins/types, such as `reboot`. The highest threat from this vulnerability is to confidentiality and integrity, as well as system availability.
Last Closed: 2021-03-10 15:05:45 UTC


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHSA-2021:0799 | 0 | None | None | None | 2021-03-10 11:16:14 UTC

Description Pedro Sampaio 2021-01-22 18:36:12 UTC
A flaw was found in libcni. A user may be able to change the "type:" field in a CNI configuration to an arbitrary path and could execute arbitrary binaries on a host.

Upstream patch:

https://github.com/containernetworking/cni/pull/808
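
The path handling behind this flaw, shown as an added example; it is not libcni code and not the upstream patch. The function names, the `/opt/cni/bin` plugin directory and the sample configuration are assumptions constructed for illustration. It contrasts joining `type` onto the plugin directory unchecked with accepting only a bare file name.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrInvalidType marks a "type" value that is not a bare plugin file name.
var ErrInvalidType = errors.New("invalid plugin type")

// unsafeCandidate shows the flawed pattern: "type" is joined on unchecked.
func unsafeCandidate(pluginDir, pluginType string) string {
	return filepath.Join(pluginDir, pluginType)
}

// safeCandidate accepts only a bare file name, then re-checks containment.
func safeCandidate(pluginDir, pluginType string) (string, error) {
	if pluginType == "" || pluginType == "." || pluginType == ".." ||
		strings.ContainsAny(pluginType, "/\\\x00") {
		return "", fmt.Errorf("%w: %q", ErrInvalidType, pluginType)
	}
	dir := filepath.Clean(pluginDir)
	candidate := filepath.Join(dir, pluginType)
	if filepath.Dir(candidate) != dir {
		return "", fmt.Errorf("%w: %q leaves %s", ErrInvalidType, pluginType, dir)
	}
	return candidate, nil
}

// pluginPathFromConf validates "type" before any path is built from it.
func pluginPathFromConf(conf []byte, pluginDir string) (string, error) {
	var c struct{ Type string `json:"type"` }
	if err := json.Unmarshal(conf, &c); err != nil {
		return "", fmt.Errorf("parse network configuration: %w", err)
	}
	return safeCandidate(pluginDir, c.Type)
}

func main() {
	const dir = "/opt/cni/bin" // assumed plugin directory
	// Constructed sample configuration with "../" segments in "type".
	conf := []byte(`{"cniVersion":"0.4.0","name":"demo","type":"../../../sbin/reboot"}`)
	p, err := pluginPathFromConf(conf, dir)
	fmt.Printf("unsafe=%s safe=%q err=%v\n", unsafeCandidate(dir, "../../../sbin/reboot"), p, err)
}
```

The same check belongs wherever a network configuration is accepted, since the validated name should be the only form that ever reaches the binary lookup.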

Comment 1 Mark Cooper 2021-01-29 07:50:21 UTC
Upstream fix: https://github.com/containernetworking/cni/pull/808

Comment 6 Mark Cooper 2021-02-03 07:47:44 UTC
Generally for this vulnerability adding and removing network definitions will be a privileged operation. However as this is a library it's difficult to determine all uses and as such considering the worst case and as this is unexpected behaviour it's considered a security issue.

The greatest risk will be to applications which load network definitions - however as it is a go mod library, go binaries which depend on containernetworking/cni may also be affected by this and affects for OpenShift containers have been added as such.

Comment 7 Lokesh Mandvekar 2021-02-03 13:16:53 UTC
containernetworking-plugins package should be looked at. It uses github.com/containernetworking/plugins which vendors in containernetworking/cni. https://github.com/containernetworking/plugins/blob/master/go.mod#L10

Comment 8 Lokesh Mandvekar 2021-02-03 13:18:12 UTC
(In reply to Lokesh Mandvekar from comment #7)
> containernetworking-plugins package should be looked at. It uses
> github.com/containernetworking/plugins which vendors in
> containernetworking/cni.
> https://github.com/containernetworking/plugins/blob/master/go.mod#L10

This package is present in both RHEL and Fedora.

Comment 9 Mark Cooper 2021-02-03 13:47:28 UTC
Our scans for the containers should account for that - but I'll double check to make sure.

We're just confirming the RPM affects now, but good point about the RPM though, will do, thanks @lsm5!

Comment 15 Mark Cooper 2021-02-05 06:02:58 UTC
Created containernetworking-plugins tracking bugs for this issue:

Affects: fedora-all [bug 1925399]


Created golang-github-containernetworking-cni tracking bugs for this issue:

Affects: fedora-all [bug 1925398]

Comment 17 Mark Cooper 2021-02-06 15:44:35 UTC
Acknowledgments:

Name: Casey Callendrello (Red Hat)

Comment 25 Mark Cooper 2021-02-09 13:30:12 UTC
Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 1926796]

Comment 26 Mark Cooper 2021-02-09 13:42:19 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 1926801]

Comment 28 RaTasha Tillery-Smith 2021-02-16 19:40:04 UTC
Statement:

OpenShift ServiceMesh (OSSM) does package a vulnerable version of containernetworking/cni, however, the NetworkDefinitionAttachment is defined in code and cannot be easily changed except through a user who has access to the operator namespace such as cluster-admin. As such, for OSSM, the impact is Low.

Comment 35 errata-xmlrpc 2021-03-10 11:16:09 UTC
This issue has been addressed in the following products:

  RHEL-8-CNV-2.6

Via RHSA-2021:0799 https://access.redhat.com/errata/RHSA-2021:0799

Comment 36 Product Security DevOps Team 2021-03-10 15:05:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-20206

Comment 37 errata-xmlrpc 2021-04-05 13:39:58 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1007 https://access.redhat.com/errata/RHSA-2021:1007

Comment 38 errata-xmlrpc 2021-04-05 13:55:05 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.7

Via RHSA-2021:1005 https://access.redhat.com/errata/RHSA-2021:1005

