Bug 2026675 (CVE-2021-4024) - CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs [NEEDINFO]
Summary: CVE-2021-4024 podman: podman machine spawns gvproxy with port bound to all IPs
Keywords:
Status: NEW
Alias: CVE-2021-4024
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2029451 2026676 2029450 2029452
Blocks: 2026677 2026929
TreeView+ depends on / blocked
 
Reported: 2021-11-25 13:35 UTC by Pedro Sampaio
Modified: 2022-05-19 11:39 UTC (History)
22 users (show)

Fixed In Version: podman 3.4.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in podman. The `podman machine` function (used to create and manage Podman virtual machine containing a Podman process) spawns a `gvproxy` process on the host system. The `gvproxy` API is accessible on port 7777 on all IP addresses on the host. If that port is open on the host's firewall, an attacker can potentially use the `gvproxy` API to forward ports on the host to ports in the VM, making private services on the VM accessible to the network. This issue could be also used to interrupt the host's services by forwarding all ports to the VM.
Clone Of:
Environment:
Last Closed:
tsweeney: needinfo? (mheon)


Attachments (Terms of Use)

Description Pedro Sampaio 2021-11-25 13:35:46 UTC
`podman` machine spawns the `gvproxy` process, which is intended to forward ports on the host machine to the VM. The `gvproxy` API runs on Port 7777, but binds to all IPs on the host potentially making private services on the VM accessible to the public internet.

Comment 1 Pedro Sampaio 2021-11-25 13:36:13 UTC
Created podman tracking bugs for this issue:

Affects: fedora-all [bug 2026676]

Comment 2 Przemyslaw Roguski 2021-11-26 13:33:50 UTC
Issue also mentioned in the Internet.
References:
https://twitter.com/discordianfish/status/1463462371675066371

Comment 4 Przemyslaw Roguski 2021-11-29 15:42:30 UTC
This vulnerability is impacting Podman version >=3.3.0 and >=3.4.0 
The port forwarding and gvproxy support was introduced by this PR:
https://github.com/containers/podman/commit/7ef3981abe2412727840a2886489a08c03a05299


Fix is already merged in the main Podman branch:
https://github.com/containers/podman/pull/12283
But new version is not released yet.

Comment 5 Tom Sweeney 2021-11-30 23:00:30 UTC
@mheon@redhat.com Looks like another candidate for Podman v3.4.3

Comment 8 Przemyslaw Roguski 2021-12-09 11:33:16 UTC
Podman v3.4.3 contains the fix for this CVE:
https://github.com/containers/podman/releases/tag/v3.4.3

Comment 9 Fedora Update System 2021-12-17 01:10:46 UTC
FEDORA-2021-6bc3fe7129 has been pushed to the Fedora 35 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 11 Fedora Update System 2022-02-08 01:07:48 UTC
FEDORA-2021-6bd024d2a7 has been pushed to the Fedora 34 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.