CVE-2020-15257

containerd-shim API Exposed to Host Network Containers

Severity Score

5.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

containerd es un tiempo de ejecución de contenedor estándar de la industria y está disponible como demonio para Linux y Windows. En containerd anterior a las versiones 1.3.9 y 1.4.3, la API containerd-shim está expuesta inapropiadamente a los contenedores de red del host. Los controles de acceso para el socket de la API de shim verificaron que el proceso de conexión tuviera un UID efectivo de 0, pero no restringieron de otra manera el acceso al socket de dominio Unix abstracto. Esto permitiría que los contenedores maliciosos se ejecuten en el mismo espacio de nombres de red que el shim, con un UID efectivo de 0 pero con privilegios reducidos, para causar que nuevos procesos se ejecuten con privilegios elevados. Esta vulnerabilidad se ha corregido en containerd versiones 1.3.9 y 1.4.3. Los usuarios deben actualizar a estas versiones tan pronto como se publiquen. Cabe señalar que los contenedores iniciados con una versión anterior de containerd-shim deben detenerse y reiniciarse, ya que los contenedores en ejecución seguirán siendo vulnerables inclusive después de una actualización. Si no proporciona la capacidad para que los usuarios que no son de confianza inicien contenedores en el mismo espacio de nombres de red que el shim (normalmente el espacio de nombres de red "host", por ejemplo, con docker run --net=host o hostNetwork: true en un pod de Kubernetes) y ejecutar con un UID efectivo de 0, no es vulnerable a este problema. Si está ejecutando contenedores con una configuración vulnerable, puede denegar el acceso a todos los sockets abstractos con AppArmor agregando una línea similar a denegar unix addr=@**, para su política. Es una buena práctica ejecutar contenedores con un conjunto reducido de privilegios, con un UID distinto de cero y con espacios de nombres aislados. Los encargados de mantenimiento de contenedores no aconsejan compartir espacios de nombres con el host. Reducir el conjunto de mecanismos de aislamiento usados para un contenedor necesariamente aumenta el privilegio de ese contenedor, independientemente del tiempo de ejecución del contenedor que se use para ejecutar ese contenedor

A flaw was found in containerd. Access controls for the shim's API socket verified that a connecting process had an effective UID of 0, but otherwise did not restrict access to the abstract Unix domain socket. This could allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2020-06-25 CVE Reserved
2020-12-01 CVE Published
2023-03-08 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-269: Improper Privilege Management
CWE-669: Incorrect Resource Transfer Between Spheres

CAPEC

References (8)

URL	Tag	Source
https://github.com/containerd/containerd/releases/tag/v1.4.3	Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4	Mitigation

URL	Date	SRC

URL	Date	SRC
https://github.com/containerd/containerd/commit/4a4bb851f5da563ff6e68a83dc837c7699c469ad	2023-11-07

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LNKXLOLZWO5FMAPX63ZL7JNKTNNT5NQD	2023-11-07
https://security.gentoo.org/glsa/202105-33	2023-11-07
https://www.debian.org/security/2021/dsa-4865	2023-11-07
https://access.redhat.com/security/cve/CVE-2020-15257	2022-05-11
https://bugzilla.redhat.com/show_bug.cgi?id=1899487	2022-05-11

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Containerd Search vendor "Linuxfoundation" for product "Containerd"				< 1.3.9 Search vendor "Linuxfoundation" for product "Containerd" and version " < 1.3.9"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Containerd Search vendor "Linuxfoundation" for product "Containerd"				>= 1.4.0 < 1.4.3 Search vendor "Linuxfoundation" for product "Containerd" and version " >= 1.4.0 < 1.4.3"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				33 Search vendor "Fedoraproject" for product "Fedora" and version "33"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected