Bug 1045988 (CVE-2013-6441) - CVE-2013-6441 lxc: sshd template allow privilege escalation on host
Summary: CVE-2013-6441 lxc: sshd template allow privilege escalation on host
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2013-6441
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-12-23 06:58 UTC by Kurt Seifried
Modified: 2021-02-17 07:02 UTC (History)
8 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-23 07:02:25 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2013-12-23 06:58:31 UTC
Salvatore Bonaccorso of the Debian Project reports:

Florian Sagar discovered and reported an error in the sshd template of
lxc allowing privilege escalation on the host. The error can be found
on 

https://github.com/lxc/lxc/blob/master/templates/lxc-sshd.in#L131

where the mount is not done read-only. There is already a public
pull/commit for this issue so might not anymore be embargoed (but
asking first here).

https://github.com/dotcloud/lxc/pull/1
https://github.com/usrflo/lxc/commit/fc09866c98468f3d832289d6608ee611a2c3c387

Comment 1 Kurt Seifried 2013-12-23 07:01:00 UTC
Acknowledgment:

Red Hat would like to thank the Debian Project for reporting this issue. The Debian Project acknowledges Florian Sagar as the original reporter.

Comment 2 Kurt Seifried 2013-12-23 07:02:25 UTC
Statement:

This issue did not affect the versions of libvirt (which includes lxc) as shipped with Red Hat Enterprise Linux 6 as they do not include the template file lxc-sshd.in.

Comment 3 Salvatore Bonaccorso 2013-12-26 10:02:38 UTC
Hi Kurt

As per feedback from upstream this CVE assigned is disputed. The change to make the mount entry bind,ro was done as good safety net to have. But having root access to a container allows to get root to the host (see e.g http://blog.bofh.it/debian/id_413), if not using unprivileged containers or selinux/apparmor to restrict the containers.

Comment 4 Vincent Danen 2014-01-07 17:56:16 UTC
To followup, a further patch was posted:

https://github.com/lxc/lxc/commit/f4d5cc8e1f39d132b61e110674528cac727ae0e2

which is a similar hardening feature (or safety net).

As upstream indicated, it's a known and acknowledged limitation of LXC (when not used with userns or apparmor/selinux) that root in a container is the effective equivalent of root on the host (so an individual with root in an LXC container can can change the host's lxc-sshd regardless of this issue).


Note You need to log in before you can comment on or make changes to this bug.