CVE-2021-43816
Improper Preservation of Permissions in containerd
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
containerd es un tiempo de ejecución de contenedores de código abierto. En las instalaciones que usan SELinux, como EL8 (CentOS, RHEL), Fedora o SUSE MicroOS, con containerd desde la versión v1.5.0-beta.0 como interfaz de ejecución de contenedores de respaldo (CRI), un pod sin privilegios programado en el nodo puede enlazar el montaje, por medio del volumen hostPath, de cualquier archivo privilegiado y regular en el disco para un acceso completo de lectura/escritura (sans delete). Esto es conseguido al colocar la ubicación dentro del contenedor del montaje del volumen hostPath en "/etc/hosts", "/etc/hostname", o "/etc/resolv.conf". Estas ubicaciones están siendo reetiquetadas indiscriminadamente para que coincidan con la etiqueta del proceso del contenedor, lo que efectivamente eleva los permisos para los contenedores inteligentes que normalmente no podrían acceder a los archivos privilegiados del host. Este problema ha sido resuelto en versión 1.5.9. Se recomienda a usuarios que actualicen lo antes posible.
An incorrect permission assignment flaw was found in containerd. This flaw allows a local attacker to use a specially designed text file to read and write files outside of the container's scope.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2021-11-16 CVE Reserved
- 2022-01-05 CVE Published
- 2024-03-29 EPSS Updated
- 2024-08-04 CVE Updated
- 2024-08-04 First Exploit
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-281: Improper Preservation of Permissions
CAPEC
References (8)
| URL | Tag | Source |
|---|---|---|
| https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c | Third Party Advisory |
| URL | Date | SRC |
|---|---|---|
| https://github.com/containerd/containerd/issues/6194 | 2024-08-04 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | >= 1.5.1 < 1.5.9 Search vendor "Linuxfoundation" for product "Containerd" and version " >= 1.5.1 < 1.5.9" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | - |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | beta0 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | beta1 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | beta2 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | beta3 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | beta4 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | rc0 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | rc1 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | rc2 |
Affected
| ||||||
| Linuxfoundation Search vendor "Linuxfoundation" | Containerd Search vendor "Linuxfoundation" for product "Containerd" | 1.5.0 Search vendor "Linuxfoundation" for product "Containerd" and version "1.5.0" | rc3 |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 34 Search vendor "Fedoraproject" for product "Fedora" and version "34" | - |
Affected
| ||||||
| Fedoraproject Search vendor "Fedoraproject" | Fedora Search vendor "Fedoraproject" for product "Fedora" | 35 Search vendor "Fedoraproject" for product "Fedora" and version "35" | - |
Affected
| ||||||