Bug 1045988 (CVE-2013-6441) - CVE-2013-6441 lxc: sshd template allows privilege escalation on host
Summary: CVE-2013-6441 lxc: sshd template allows privilege escalation on host
Alias: CVE-2013-6441
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Reported: 2013-12-23 06:58 UTC by Kurt Seifried
Modified: 2021-02-17 07:02 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2013-12-23 07:02:25 UTC


Description Kurt Seifried 2013-12-23 06:58:31 UTC
Salvatore Bonaccorso of the Debian Project reports:

Florian Sagar discovered and reported an error in the sshd template of
lxc allowing privilege escalation on the host. The error can be found


where the mount is not done read-only. There is already a public
pull/commit for this issue, so it might not be embargoed anymore (but
asking here first).


Comment 1 Kurt Seifried 2013-12-23 07:01:00 UTC

Red Hat would like to thank the Debian Project for reporting this issue. The Debian Project acknowledges Florian Sagar as the original reporter.

Comment 2 Kurt Seifried 2013-12-23 07:02:25 UTC

This issue did not affect the versions of libvirt (which includes lxc) as shipped with Red Hat Enterprise Linux 6 as they do not include the template file lxc-sshd.in.

Comment 3 Salvatore Bonaccorso 2013-12-26 10:02:38 UTC
Hi Kurt

As per feedback from upstream, this assigned CVE is disputed. The change to make the mount entry bind,ro was done as a good safety net to have. But having root access to a container allows getting root on the host (see e.g. http://blog.bofh.it/debian/id_413), if not using unprivileged containers or selinux/apparmor to restrict the containers.
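
The weakness described in this report (host directories bind-mounted into the container without the read-only option) and the bind,ro hardening mentioned in Comment 3 can be checked mechanically on a container's fstab. The following POSIX shell script is an added example written for this page; it is not code from the lxc project or from the bug report. It flags bind mounts lacking "ro" and shows the hardened form with ",ro" appended. The fstab contents and the /var/lib/lxc/sshd paths in the demo are constructed, and the specific host directories the template mounts are an assumption.

```shell
#!/bin/sh
# Added example (not from the lxc project or from this bug report).
# Scans an LXC container fstab for bind mounts of host directories that lack
# the "ro" option, and prints a hardened copy with ",ro" added to each one.
# Sample fstab contents and the /var/lib/lxc/sshd paths are constructed.

# Print each writable bind mount in the fstab given as $1.
# Returns 1 if at least one was found, 0 otherwise.
lxc_find_rw_bind_mounts() {
    found=0
    while read -r src dst fstype opts dump pass; do
        # skip blank lines and comments
        case "$src" in ''|'#'*) continue ;; esac
        # only bind / rbind entries expose a host directory inside the container
        case ",$opts," in *,bind,*|*,rbind,*) ;; *) continue ;; esac
        # a read-only bind mount carries "ro" somewhere in its option list
        case ",$opts," in *,ro,*) continue ;; esac
        echo "writable bind mount: $src -> $dst ($opts)"
        found=1
    done < "$1"
    return $found
}

# Print the fstab given as $1 with ",ro" appended to the options of every
# writable bind mount; comment lines and read-only entries pass through as-is.
lxc_harden_fstab() {
    awk '$1 !~ /^#/ && $4 ~ /(^|,)r?bind($|,)/ && $4 !~ /(^|,)ro($|,)/ { $4 = $4 ",ro" }
         { print }' "$1"
}

# Demo on a constructed fstab: one entry writable (the pattern this report
# describes), one already read-only.
lxc_demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed sample: host directories bind-mounted into the container rootfs
/bin /var/lib/lxc/sshd/rootfs/bin none bind 0 0
/lib /var/lib/lxc/sshd/rootfs/lib none ro,bind 0 0
EOF
    echo "--- before ---"
    lxc_find_rw_bind_mounts "$f" || true
    echo "--- after lxc_harden_fstab ---"
    lxc_harden_fstab "$f" > "$f.ro"
    lxc_find_rw_bind_mounts "$f.ro" && echo "no writable bind mounts left"
    rm -f "$f" "$f.ro"
}

lxc_demo
```

The check only looks at the fstab; as Comment 3 notes, a read-only mount is a safety net, not a boundary, when the container runs as the real root user without user namespaces or an LSM profile.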

Comment 4 Vincent Danen 2014-01-07 17:56:16 UTC
To follow up, a further patch was posted:


which is a similar hardening feature (or safety net).

As upstream indicated, it's a known and acknowledged limitation of LXC (when not used with userns or apparmor/selinux) that root in a container is the effective equivalent of root on the host (so an individual with root in an LXC container can change the host's lxc-sshd regardless of this issue).
