Bug 2174485 (CVE-2023-25173) - CVE-2023-25173 containerd: Supplementary groups are not set up properly
Summary: CVE-2023-25173 containerd: Supplementary groups are not set up properly
Keywords:
Status: NEW
Alias: CVE-2023-25173
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2174512 2174513 2174486 2174511 2174514 2174515 2174517 2174518 2174519 2174520 2174521 2174522 2174523 2174524 2174525 2174526 2174527 2174528 2174529 2174530 2174531 2174532 2174533 2174534 2174535 2174536 2174537 2174538 2174539 2174540 2174541 2174542 2174543 2174544 2174545 2174546 2174547 2174548 2174549 2174550 2174551 2174552 2174553 2174554 2174555 2174556 2174557 2174558 2174559 2174560 2174561 2174562 2175064 2175065 2175066 2175067 2175068 2175069 2175070 2175071 2175072 2175073 2175074 2175075 2175692 2175693
Blocks: 2170820
TreeView+ depends on / blocked
 
Reported: 2023-03-01 18:39 UTC by Anten Skrabec
Modified: 2025-05-06 08:28 UTC (History)
96 users (show)

Fixed In Version: containerd 1.5.18, containerd 1.6.18
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:31 UTC
Red Hat Product Errata RHSA-2023:1372 0 None None None 2023-05-10 00:28:42 UTC
Red Hat Product Errata RHSA-2023:2029 0 None None None 2023-05-10 16:44:53 UTC
Red Hat Product Errata RHSA-2023:2107 0 None None None 2023-05-04 01:50:14 UTC
Red Hat Product Errata RHSA-2023:3450 0 None None None 2023-06-05 16:44:20 UTC
Red Hat Product Errata RHSA-2023:3455 0 None None None 2023-06-05 23:42:48 UTC
Red Hat Product Errata RHSA-2023:3537 0 None None None 2023-06-13 13:10:31 UTC
Red Hat Product Errata RHSA-2023:4025 0 None None None 2023-07-18 00:18:36 UTC
Red Hat Product Errata RHSA-2023:4226 0 None None None 2023-07-27 01:10:07 UTC
Red Hat Product Errata RHSA-2023:4488 0 None None None 2023-08-07 00:27:43 UTC
Red Hat Product Errata RHSA-2023:4671 0 None None None 2023-08-23 16:31:15 UTC
Red Hat Product Errata RHSA-2023:5006 0 None None None 2023-10-31 12:54:34 UTC
Red Hat Product Errata RHSA-2023:5314 0 None None None 2023-09-20 15:43:19 UTC
Red Hat Product Errata RHSA-2023:6473 0 None None None 2023-11-07 08:17:01 UTC
Red Hat Product Errata RHSA-2023:6474 0 None None None 2023-11-07 08:17:24 UTC
Red Hat Product Errata RHSA-2023:6817 0 None None None 2023-11-08 14:03:34 UTC
Red Hat Product Errata RHSA-2023:6939 0 None None None 2023-11-14 15:17:00 UTC

Description Anten Skrabec 2023-03-01 18:39:19 UTC 
containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.
Comment 1 Anten Skrabec 2023-03-01 18:39:32 UTC 
Created containerd tracking bugs for this issue:

Affects: fedora-all [bug 2174486]
Comment 2 Anten Skrabec 2023-03-01 20:15:56 UTC 
Created apptainer tracking bugs for this issue:

Affects: epel-all [bug 2174511]
Affects: fedora-all [bug 2174518]


Created buildah tracking bugs for this issue:

Affects: fedora-all [bug 2174519]


Created conmon tracking bugs for this issue:

Affects: fedora-all [bug 2174520]


Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174521]


Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174522]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2174515]
Affects: fedora-36 [bug 2174523]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174524]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2174525]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174526]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2174527]


Created doctl tracking bugs for this issue:

Affects: fedora-37 [bug 2174541]


Created golang-github-containerd-fuse-overlayfs-snapshotter tracking bugs for this issue:

Affects: fedora-36 [bug 2174528]


Created golang-github-deislabs-oras tracking bugs for this issue:

Affects: fedora-all [bug 2174529]


Created golang-github-docker-slim tracking bugs for this issue:

Affects: fedora-37 [bug 2174542]
Affects: fedora-all [bug 2174530]


Created golang-github-google-containerregistry tracking bugs for this issue:

Affects: fedora-36 [bug 2174531]


Created golang-github-moby-buildkit tracking bugs for this issue:

Affects: fedora-36 [bug 2174532]


Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2174512]
Affects: fedora-36 [bug 2174533]


Created golang-gvisor tracking bugs for this issue:

Affects: fedora-all [bug 2174534]


Created golang-helm-3 tracking bugs for this issue:

Affects: fedora-all [bug 2174543]


Created manifest-tool tracking bugs for this issue:

Affects: fedora-36 [bug 2174535]


Created moby-engine tracking bugs for this issue:

Affects: fedora-all [bug 2174544]


Created origin tracking bugs for this issue:

Affects: fedora-all [bug 2174545]


Created pack tracking bugs for this issue:

Affects: epel-8 [bug 2174517]
Affects: fedora-36 [bug 2174536]


Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2174537]


Created podman-tui tracking bugs for this issue:

Affects: fedora-all [bug 2174538]


Created reg tracking bugs for this issue:

Affects: epel-all [bug 2174513]
Affects: fedora-36 [bug 2174539]


Created singularity-ce tracking bugs for this issue:

Affects: epel-all [bug 2174514]


Created stargz-snapshotter tracking bugs for this issue:

Affects: fedora-all [bug 2174540]
Comment 10 Lokesh Mandvekar 2023-03-02 10:42:00 UTC 
Hi Anten / prodsec, for future cve bzs, could you please also include a link to the vulnerable code + patch that fixes it? Sure, one could google around, but it'd be really convenient to have it in the Bug description itself. I say this because I've noticed many of the golang packages often don't end up using the actual vulnerable code, so they may not need any updates.
Comment 13 TEJ RATHI 2023-03-03 06:40:53 UTC 
References:
https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a
https://github.com/containerd/containerd/releases/tag/v1.5.18
https://github.com/containerd/containerd/releases/tag/v1.6.18
https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
Comment 25 errata-xmlrpc 2023-05-04 01:50:10 UTC 
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2023:2107 https://access.redhat.com/errata/RHSA-2023:2107
Comment 26 errata-xmlrpc 2023-05-10 00:28:38 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1372 https://access.redhat.com/errata/RHSA-2023:1372
Comment 27 errata-xmlrpc 2023-05-10 16:44:49 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Security Profiles Operator stable on RHEL-8
  Red Hat OpenShift Security Profiles Operator stable on RHEL-9

Via RHSA-2023:2029 https://access.redhat.com/errata/RHSA-2023:2029
Comment 30 errata-xmlrpc 2023-05-17 22:31:25 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326
Comment 32 errata-xmlrpc 2023-06-05 16:44:15 UTC 
This issue has been addressed in the following products:

  Openshift Serverless 1 on RHEL 8

Via RHSA-2023:3450 https://access.redhat.com/errata/RHSA-2023:3450
Comment 33 errata-xmlrpc 2023-06-05 23:42:44 UTC 
This issue has been addressed in the following products:

  RHOSS-1.29-RHEL-8

Via RHSA-2023:3455 https://access.redhat.com/errata/RHSA-2023:3455
Comment 34 errata-xmlrpc 2023-06-13 13:10:27 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:3537 https://access.redhat.com/errata/RHSA-2023:3537
Comment 38 errata-xmlrpc 2023-07-18 00:18:33 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:4025 https://access.redhat.com/errata/RHSA-2023:4025
Comment 39 errata-xmlrpc 2023-07-27 01:10:02 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:4226 https://access.redhat.com/errata/RHSA-2023:4226
Comment 41 errata-xmlrpc 2023-08-07 00:27:39 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:4488 https://access.redhat.com/errata/RHSA-2023:4488
Comment 42 errata-xmlrpc 2023-08-23 16:31:10 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:4671 https://access.redhat.com/errata/RHSA-2023:4671
Comment 43 errata-xmlrpc 2023-09-20 15:43:14 UTC 
This issue has been addressed in the following products:

  OADP-1.1-RHEL-8

Via RHSA-2023:5314 https://access.redhat.com/errata/RHSA-2023:5314
Comment 44 errata-xmlrpc 2023-10-31 12:54:30 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2023:5006 https://access.redhat.com/errata/RHSA-2023:5006
Comment 45 errata-xmlrpc 2023-11-07 08:16:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6473 https://access.redhat.com/errata/RHSA-2023:6473
Comment 46 errata-xmlrpc 2023-11-07 08:17:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6474 https://access.redhat.com/errata/RHSA-2023:6474
Comment 47 errata-xmlrpc 2023-11-08 14:03:29 UTC 
This issue has been addressed in the following products:

  RHEL-9-CNV-4.14

Via RHSA-2023:6817 https://access.redhat.com/errata/RHSA-2023:6817
Comment 48 errata-xmlrpc 2023-11-14 15:16:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6939 https://access.redhat.com/errata/RHSA-2023:6939
Note You need to log in before you can comment on or make changes to this bug.