Salvatore Bonaccorso of the Debian Project reports:
Florian Sagar discovered and reported an error in the sshd template of
lxc allowing privilege escalation on the host. The error can be found
where the mount is not done read-only. There is already a public
pull/commit for this issue so might not anymore be embargoed (but
asking first here).
Red Hat would like to thank the Debian Project for reporting this issue. The Debian Project acknowledges Florian Sagar as the original reporter.
This issue did not affect the versions of libvirt (which includes lxc) as shipped with Red Hat Enterprise Linux 6 as they do not include the template file lxc-sshd.in.
As per feedback from upstream this CVE assigned is disputed. The change to make the mount entry bind,ro was done as good safety net to have. But having root access to a container allows to get root to the host (see e.g http://blog.bofh.it/debian/id_413), if not using unprivileged containers or selinux/apparmor to restrict the containers.
To followup, a further patch was posted:
which is a similar hardening feature (or safety net).
As upstream indicated, it's a known and acknowledged limitation of LXC (when not used with userns or apparmor/selinux) that root in a container is the effective equivalent of root on the host (so an individual with root in an LXC container can can change the host's lxc-sshd regardless of this issue).