2152703 – (CVE-2022-4318) CVE-2022-4318 cri-o: /etc/passwd tampering privesc

Bug 2152703 (CVE-2022-4318) - CVE-2022-4318 cri-o: /etc/passwd tampering privesc

Summary: CVE-2022-4318 cri-o: /etc/passwd tampering privesc

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2022-4318
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2155653 2152788 2155654 2155693 2155694 2155695 2155696 2155697 2155698 2155699 2155700
Blocks:	2142216
TreeView+	depends on / blocked

Reported:	2022-12-12 18:23 UTC by Sage McTaggart
Modified:	2023-11-15 22:07 UTC (History)
CC List:	13 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	A vulnerability was found in cri-o. This issue allows the addition of arbitrary lines into /etc/passwd by use of a specially crafted environment variable.
Clone Of:
Environment:
Last Closed:	2023-03-07 19:11:40 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2023:1033	0	None	None	None	2023-03-07 10:47:16 UTC
Red Hat Product Errata	RHSA-2023:1503	0	None	None	None	2023-04-04 11:42:43 UTC

Description Sage McTaggart 2022-12-12 18:23:38 UTC

It is possible to craft an environment variable with newlines to add entries to /etc/passwd. Using the default SCC prevents the privesc. A malicious user could use a non-default SCC (anyuid, for example) that allows the process to become root on the host.

Comment 5 Anten Skrabec 2022-12-21 18:24:30 UTC

Created cri-o tracking bugs for this issue:

Affects: fedora-all [bug 2155654]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: epel-8 [bug 2155653]

Comment 6 Anten Skrabec 2022-12-21 22:57:53 UTC

Created cri-o:1.20/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155693]


Created cri-o:1.21/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155694]


Created cri-o:1.22/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155695]


Created cri-o:1.23/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155696]


Created cri-o:1.24/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155697]
Affects: fedora-37 [bug 2155699]


Created cri-o:1.25/cri-o tracking bugs for this issue:

Affects: fedora-36 [bug 2155698]
Affects: fedora-37 [bug 2155700]

Comment 7 errata-xmlrpc 2023-03-07 10:47:15 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1033 https://access.redhat.com/errata/RHSA-2023:1033

Comment 8 Product Security DevOps Team 2023-03-07 19:11:37 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-4318

Comment 11 errata-xmlrpc 2023-04-04 11:42:41 UTC

This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1503 https://access.redhat.com/errata/RHSA-2023:1503

Note You need to log in before you can comment on or make changes to this bug.