Bug 1757214 (CVE-2019-16884) - CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specifies a volume at /proc
Summary: CVE-2019-16884 runc: AppArmor/SELinux bypass with malicious image that specif...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-16884
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1759651 1760088 1760989 1760990 1757290 1759650 1764182 1765465 1765467 1765468
Blocks: 1757218
TreeView+ depends on / blocked
 
Reported: 2019-09-30 20:36 UTC by Guilherme de Almeida Suckevicz
Modified: 2019-12-17 10:47 UTC (History)
33 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-21 13:04:53 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3940 None None None 2019-11-21 09:50:31 UTC
Red Hat Product Errata RHSA-2019:4074 None None None 2019-12-03 21:05:49 UTC
Red Hat Product Errata RHSA-2019:4269 None None None 2019-12-17 10:47:37 UTC

Description Guilherme de Almeida Suckevicz 2019-09-30 20:36:53 UTC
runc through 1.0.0-rc8, as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

References:
https://github.com/opencontainers/runc/issues/2128

Comment 1 Dhananjay Arunesh 2019-10-01 05:37:28 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1757290]

Comment 2 Dave Baker 2019-10-01 12:27:47 UTC
According to the upstream bug report, this also affects SELinux labels:
- https://github.com/opencontainers/runc/issues/2128#issuecomment-535478352

Comment 3 Daniel Walsh 2019-10-01 12:58:29 UTC
Yes this is an SELinux issue as well as an AppArmor problem.

Comment 14 Marco Benatto 2019-10-11 21:17:48 UTC
Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1760989]
Affects: openstack-rdo [bug 1760990]

Comment 15 Marco Benatto 2019-10-11 21:24:03 UTC
Statement:

The AppArmor security module is not supported by Red Hat, on the other hand the flaw also affects SELinux based distributions like Red Hat Enterprise Linux.

Comment 16 Marco Benatto 2019-10-11 21:30:36 UTC
When creating a new container runc doesn't proper validate whether a non-procfs filesystem is being mounted on top of /proc mount point. As runc relies on attr entries to read or set SELinux labels and attacker may leverage this weakness by creating a crafted container image, with malicious values set on security attributes entry for processes, and mounted on top of container's /proc. This flaw may allow containers to run with more privileged SELinux labels than the default, allowing tasks confined inside the container instance to eventually execute non expected actions.
The security impact for this issue is considered Medium for Red Hat Enterprise Linux, as with SELinux the task still runs confined under a less privileged label than unconfined_t.

Comment 17 Giuseppe Scrivano 2019-10-14 13:44:56 UTC
WIP backports here: https://github.com/projectatomic/runc/pull/28

Comment 18 Sam Fowler 2019-10-25 07:30:17 UTC
Upstream Fix:

https://github.com/opencontainers/runc/pull/2129

Comment 20 errata-xmlrpc 2019-11-21 09:50:27 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.1

Via RHSA-2019:3940 https://access.redhat.com/errata/RHSA-2019:3940

Comment 21 Product Security DevOps Team 2019-11-21 13:04:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-16884

Comment 22 errata-xmlrpc 2019-12-03 21:05:47 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.2

Via RHSA-2019:4074 https://access.redhat.com/errata/RHSA-2019:4074

Comment 23 errata-xmlrpc 2019-12-17 10:47:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:4269 https://access.redhat.com/errata/RHSA-2019:4269


Note You need to log in before you can comment on or make changes to this bug.