Bug 2029439 (CVE-2021-43784) - CVE-2021-43784 runc: integer overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
Summary: CVE-2021-43784 runc: integer overflow in netlink bytemsg length field allows ...
Keywords:
Status: NEW
Alias: CVE-2021-43784
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2033659 2033660 2035282 2029440 2029441 2030395 2033656 2033657 2033658 2035281
Blocks: 2029442
TreeView+ depends on / blocked
 
Reported: 2021-12-06 14:12 UTC by Guilherme de Almeida Suckevicz
Modified: 2022-05-09 08:30 UTC (History)
26 users (show)

Fixed In Version: runc 1.0.3
Doc Type: If docs needed, set a value
Doc Text:
An integer overflow vulnerability was found in runC. This issue occurs due to an incorrect netlink encoder handling the possibility of an integer overflow in the 16-bit length field for the byte array attribute type. This flaw allows an attacker who can include a large enough malicious byte array attribute to bypass the namespace restrictions of the container by simply adding their netlink payload, which disables all namespaces.
Clone Of:
Environment:
Last Closed:


Attachments (Terms of Use)

Description Guilherme de Almeida Suckevicz 2021-12-06 14:12:07 UTC
In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C portion of our code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration.

References:
https://github.com/opencontainers/runc/security/advisories/GHSA-v95c-p5hm-xq8f
https://www.openwall.com/lists/oss-security/2021/12/06/1

Comment 1 Guilherme de Almeida Suckevicz 2021-12-06 14:14:15 UTC
Created container-tools:2018.0/runc tracking bugs for this issue:

Affects: fedora-all [bug 2029441]


Created runc tracking bugs for this issue:

Affects: fedora-all [bug 2029440]

Comment 2 Przemyslaw Roguski 2021-12-07 14:01:31 UTC
Upstream patch PR:
https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae

Comment 3 Przemyslaw Roguski 2021-12-08 16:16:42 UTC
Based on the upstream advisory details, I downgraded the impact to LOW, because prior to commit 9c44407 it was almost not exploitable (at a glance).
The commit 9c44407 was not present in any release of runc prior to the discovery of this bug.

Upstream explanation:
"
Prior to 9c44407, in practice it was fairly difficult to specify an arbitrary-length netlink message with most container runtimes. The only user-controlled byte array was the namespace paths attributes which can be specified in runc's config.json, but as far as we can tell no container runtime gives raw access to that configuration setting -- and having raw access to that setting would allow the attacker to disable namespace protections entirely anyway (setting them to /proc/1/ns/... for instance). In addition, each namespace path is limited to 4096 bytes (with only 7 namespaces supported by runc at the moment) meaning that even with custom namespace paths it appears an attacker still cannot shove enough bytes into the netlink bytemsg in order to overflow the uint16 counter.

However, out of an abundance of caution (given how old this bug is) we decided to treat it as a potentially exploitable vulnerability with a low severity. After 9c44407 (which was not present in any release of runc prior to the discovery of this bug), all mount paths are included as a giant netlink message which means that this bug becomes significantly more exploitable in more reasonable threat scenarios.
"


Note You need to log in before you can comment on or make changes to this bug.