CVE-2022-24769

Default inheritable capabilities for linux container should be empty

Severity Score

5.9

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling programs with inheritable file capabilities to elevate those capabilities to the permitted set during `execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise unprivileged users and processes can execute those programs and gain the specified file capabilities up to the bounding set. Due to this bug, containers which included executable programs with inheritable file capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable file capabilities up to the container's bounding set. Containers which use Linux users and groups to perform privilege separation inside the container are most directly impacted. This bug did not affect the container security sandbox as the inheritable set never contained more capabilities than were included in the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop inheritable capabilities prior to the primary process starting.

Moby es un proyecto de código abierto creado por Docker para permitir y acelerar la contención de software. Fue encontrado un bug en Moby (Docker Engine) versiones anteriores a 20.10.14, en el que los contenedores eran iniciados incorrectamente con capacidades de proceso Linux heredables no vacías, creando un entorno Linux atípico y permitiendo que los programas con capacidades de archivo heredables elevaran esas capacidades al conjunto permitido durante "execve(2)". Normalmente, cuando los programas ejecutables presentan capacidades de archivo permitidas especificadas, los usuarios y procesos no privilegiados pueden ejecutar esos programas y conseguir las capacidades de archivo especificadas hasta el conjunto permitido. Debido a este bug, los contenedores que incluían programas ejecutables con capacidades de archivo heredables permitían que usuarios y procesos no privilegiados consiguieran adicionalmente estas capacidades de archivo heredables hasta el conjunto de límites del contenedor. Los contenedores que usan usuarios y grupos de Linux para llevar a cabo la separación de privilegios dentro del contenedor son los más directamente afectados. Este bug no afectaba a la caja de arena de seguridad del contenedor, ya que el conjunto heredable nunca contenía más capacidades que las incluidas en el conjunto delimitador del contenedor. Este bug ha sido corregido en Moby (Docker Engine) versión 20.10.14. Los contenedores en ejecución deben detenerse, eliminarse y volver a crearse para que sean restablecidas las capacidades heredables. Esta corrección cambia el comportamiento de Moby (Docker Engine) para que los contenedores se inicien con un entorno Linux más típico. Como medida de mitigación, el punto de entrada de un contenedor puede modificarse para usar una utilidad como "capsh(1)" para eliminar las capacidades heredables antes de que sea iniciado el proceso primario

A flaw was found in Moby (Docker Engine), where containers were started incorrectly with non-empty inheritable Linux process capabilities. This flaw allows an attacker with access to programs with inheritable file capabilities to elevate those capabilities to the permitted set when execve(2) runs. Containers using Linux users and groups to perform privilege separation inside the container are most directly impacted.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

Low

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2022-02-10 CVE Reserved
2022-03-24 CVE Published
2024-02-08 EPSS Updated
2024-08-03 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-276: Incorrect Default Permissions
CWE-732: Incorrect Permission Assignment for Critical Resource

CAPEC

References (14)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2022/05/12/1	Mailing List
https://github.com/moby/moby/releases/tag/v20.10.14	Release Notes
https://github.com/moby/moby/security/advisories/GHSA-2mm7-x5h6-5pvq	Mitigation

URL	Date	SRC

URL	Date	SRC
https://github.com/moby/moby/commit/2bbc786e4c59761d722d2d1518cd0a32829bc07f	2024-01-31

URL	Date	SRC
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6PMQKCAPK2AR3DCYITJYMMNBEGQBGLCC	2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5AFKOQ5CE3CEIULWW4FLQKHFFU6FSYG	2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/A5FQJ3MLFSEKQYCFPFZIKYGBXPZUJFVY	2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FPOJUJZXGMIVKRS4QR75F6OIXNQ6LDBL	2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HIMAHZ6AUIKN7AX26KHZYBXVECIOVWBH	2024-01-31
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HQCVS7WBFSTKJFNX5PGDRARMTOFWV2O7	2024-01-31
https://security.gentoo.org/glsa/202401-31	2024-01-31
https://www.debian.org/security/2022/dsa-5162	2024-01-31
https://access.redhat.com/security/cve/CVE-2022-24769	2022-05-26
https://bugzilla.redhat.com/show_bug.cgi?id=2066837	2022-05-26

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mobyproject Search vendor "Mobyproject"	Moby Search vendor "Mobyproject" for product "Moby"	< 20.10.14 Search vendor "Mobyproject" for product "Moby" and version " < 20.10.14"	-	Affected	in	Linux Search vendor "Linux"	Linux Kernel Search vendor "Linux" for product "Linux Kernel"	-	-	Safe
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				34 Search vendor "Fedoraproject" for product "Fedora" and version "34"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				35 Search vendor "Fedoraproject" for product "Fedora" and version "35"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				36 Search vendor "Fedoraproject" for product "Fedora" and version "36"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				< 1.1.2 Search vendor "Linuxfoundation" for product "Runc" and version " < 1.1.2"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				11.0 Search vendor "Debian" for product "Debian Linux" and version "11.0"		-		Affected