2160349 – (CVE-2023-0229) CVE-2023-0229 openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions

Bug 2160349 (CVE-2023-0229) - CVE-2023-0229 openshift/apiserver-library-go: Bypass of SCC seccomp profile restrictions

Summary: CVE-2023-0229 openshift/apiserver-library-go: Bypass of SCC seccomp profile r...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2023-0229
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2155150 2160352
TreeView+	depends on / blocked

Reported:	2023-01-12 06:11 UTC by Sam Fowler
Modified:	2024-04-17 11:40 UTC (History)
CC List:	7 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, that contains an issue that can allow low-privileged users to set the seccomp profile for pods they control to "unconfined." By default, the seccomp profile used in the restricted-v2 Security Context Constraint (SCC) is "runtime/default," allowing users to disable seccomp for pods they can create and modify.
Clone Of:
Environment:
Last Closed:	2023-05-18 06:31:36 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:1325	0	None	None	None	2023-05-17 22:53:39 UTC

Description Sam Fowler 2023-01-12 06:11:03 UTC

In github.com/openshift/apiserver-library-go, used in OpenShift 4.12 and 4.11, a bug was found that can allows low privileged users to set the seccomp profile for pods they control to "unconfined". By default the seccomp profile used in the restricted-v2 Security Context Contstraint (SCC) is "runtime/default", thus this bug allows users disable seccomp for pods they can create and/or modify.

Seccomp is one of many security layers used in OpenShift, including SELinux, dropping of capabilities and running as non-root, so on its own disabling of seccomp does not allow a direct path to privilege escalation. However, it is possible that exploit of this bug could be used in combination with another vulnerability, e.g. a potential kernel privilege escalation flaw, to allow a user to escape a container.

Comment 7 errata-xmlrpc 2023-05-17 22:53:37 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1325 https://access.redhat.com/errata/RHSA-2023:1325

Comment 8 Product Security DevOps Team 2023-05-18 06:31:34 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-0229

Note You need to log in before you can comment on or make changes to this bug.