// For flags

CVE-2022-24769

Default inheritable capabilities for linux container should be empty

Severity Score

5.9
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.

Moby es un proyecto de código abierto creado por Docker para permitir y acelerar la contención de software. Fue encontrado un bug en Moby (Docker Engine) versiones anteriores a 20.10.14, en el que los contenedores eran iniciados incorrectamente con capacidades de proceso Linux heredables no vacías, creando un entorno Linux atípico y permitiendo que los programas con capacidades de archivo heredables elevaran esas capacidades al conjunto permitido durante "execve(2)". Normalmente, cuando los programas ejecutables presentan capacidades de archivo permitidas especificadas, los usuarios y procesos no privilegiados pueden ejecutar esos programas y conseguir las capacidades de archivo especificadas hasta el conjunto permitido. Debido a este bug, los contenedores que incluían programas ejecutables con capacidades de archivo heredables permitían que usuarios y procesos no privilegiados consiguieran adicionalmente estas capacidades de archivo heredables hasta el conjunto de límites del contenedor. Los contenedores que usan usuarios y grupos de Linux para llevar a cabo la separación de privilegios dentro del contenedor son los más directamente afectados. Este bug no afectaba a la caja de arena de seguridad del contenedor, ya que el conjunto heredable nunca contenía más capacidades que las incluidas en el conjunto delimitador del contenedor. Este bug ha sido corregido en Moby (Docker Engine) versión 20.10.14. Los contenedores en ejecución deben detenerse, eliminarse y volver a crearse para que sean restablecidas las capacidades heredables. Esta corrección cambia el comportamiento de Moby (Docker Engine) para que los contenedores se inicien con un entorno Linux más típico. Como medida de mitigación, el punto de entrada de un contenedor puede modificarse para usar una utilidad como "capsh(1)" para eliminar las capacidades heredables antes de que sea iniciado el proceso primario

A flaw was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. Containers using Linux users and groups to perform privilege separation inside the container are most directly impacted.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2022-02-10 CVE Reserved
  • 2022-03-24 CVE Published
  • 2024-08-03 CVE Updated
  • 2024-10-28 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-276: Incorrect Default Permissions
  • CWE-732: Incorrect Permission Assignment for Critical Resource
CAPEC
References (14)
URL Tag Source
http://www.openwall.com/lists/oss-security/2022/05/12/1 Mailing List
https://github.com/moby/moby/releases/tag/v20.10.14 Release Notes
https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq Mitigation
URL Date SRC
URL Date SRC
https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f 2024-01-31
URL Date SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC 2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG 2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY 2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL 2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH 2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7 2024-01-31
https://security.gentoo.org/glsa/202401-31 2024-01-31
https://www.debian.org/security/2022/dsa-5162 2024-01-31
https://access.redhat.com/security/cve/CVE-2022-24769 2022-05-26
https://bugzilla.redhat.com/show_bug.cgi?id=2066837 2022-05-26
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mobyproject
Search vendor "Mobyproject"
 Moby
Search vendor "Mobyproject" for product "Moby"
 < 20.10.14
Search vendor "Mobyproject" for product "Moby" and version " < 20.10.14"
-
Affected
in Linux
Search vendor "Linux"
 Linux Kernel
Search vendor "Linux" for product "Linux Kernel"
--
Safe
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 34
Search vendor "Fedoraproject" for product "Fedora" and version "34"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 35
Search vendor "Fedoraproject" for product "Fedora" and version "35"
-
Affected
Fedoraproject
Search vendor "Fedoraproject"
 Fedora
Search vendor "Fedoraproject" for product "Fedora"
 36
Search vendor "Fedoraproject" for product "Fedora" and version "36"
-
Affected
Linuxfoundation
Search vendor "Linuxfoundation"
 Runc
Search vendor "Linuxfoundation" for product "Runc"
 < 1.1.2
Search vendor "Linuxfoundation" for product "Runc" and version " < 1.1.2"
-
Affected
Debian
Search vendor "Debian"
 Debian Linux
Search vendor "Debian" for product "Debian Linux"
 11.0
Search vendor "Debian" for product "Debian Linux" and version "11.0"
-
Affected