containerd容器内文件权限机制实现不当

admin

0
文章

0
评论

2023-11-30 03:33:41 Ali_nvd 来源：ZONE.CI 全球网 0 阅读模式

中危 containerd容器内文件权限机制实现不当

CVE编号

CVE-2023-25173

利用情况

暂无

补丁情况

官方补丁

披露时间

2023-02-16

漏洞描述

containerd是主流的容器运行时环境。在受影响版本中，containerd对系统用户附加组(supplementary group)的实现机制存在缺陷，导致容器内的文件权限在通过组设置拒绝访问权限时(negative group)，可以被绕过，容器内的用户能够访问到同一个容器内其不允许访问的文件。漏洞源于在Linux等系统中会将用户主要组(primary group)权限拷贝到附加组，而OCI中对用户主要组和附加组的实现没有明确规范，导致各个容器运行时实现有差异，出现文件权限控制机制没有被正确实现，攻击者可以通过附加组权限访问限制文件。

解决建议

建议您更新当前系统或软件至最新版，完成漏洞的修复。

参考链接
https://github.com/advisories/GHSA-4wjj-jwc9-2x96
https://github.com/advisories/GHSA-fjm8-m7m6-2fjp
https://github.com/advisories/GHSA-phjr-8j92-w5v7
https://github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead...
https://github.com/containerd/containerd/releases/tag/v1.5.18
https://github.com/containerd/containerd/releases/tag/v1.6.18
https://github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
https://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://lists.fedoraproject.org/archives/list/[email protected]...
https://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-inv...

受影响软件情况

1
#	类型	厂商	产品	版本	影响面
	运行在以下环境
	应用	linuxfoundation	containerd	*		Up to (excluding) 1.5.18
	运行在以下环境
	应用	linuxfoundation	containerd	*	From (including) 1.6.0	Up to (excluding) 1.6.18
	运行在以下环境
	系统	alpine_3.17	containerd	*		Up to (excluding) 1.6.18-r0
	运行在以下环境
	系统	alpine_3.18	containerd	*		Up to (excluding) 1.6.18-r0
	运行在以下环境
	系统	alpine_edge	containerd	*		Up to (excluding) 1.6.18-r0
	运行在以下环境
	系统	amazon_2	containerd	*		Up to (excluding) 1.6.19-1.amzn2.0.1
	运行在以下环境
	系统	amazon_2023	containerd	*		Up to (excluding) 1.6.19-1.amzn2023.0.1
	运行在以下环境
	系统	debian_11	containerd	*		Up to (excluding) 1.4.13~ds1-1~deb11u4
	运行在以下环境
	系统	debian_12	containerd	*		Up to (excluding) 1.6.18~ds1-1
	运行在以下环境
	系统	debian_sid	containerd	*		Up to (excluding) 1.6.18~ds1-1
	运行在以下环境
	系统	fedora_36	containerd-debuginfo	*		Up to (excluding) 1.6.19-1.fc36
	运行在以下环境
	系统	fedora_37	containerd-debuginfo	*		Up to (excluding) 24.0.5-1.fc37
	运行在以下环境
	系统	fedora_38	containerd-debugsource	*		Up to (excluding) 24.0.5-1.fc38
	运行在以下环境
	系统	fedora_39	moby-engine-zsh-completion	*		Up to (excluding) 24.0.5-1.fc39
	运行在以下环境
	系统	kylinos_aarch64_V10	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP1	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP2	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_aarch64_V10SP3	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP1	containerd	*		Up to (excluding) 1.2.0-209.p01.a.ky10
	运行在以下环境
	系统	kylinos_loongarch64_V10SP3	containerd	*		Up to (excluding) 1.2.0-209.p01.a.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP1	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP2	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	kylinos_x86_64_V10SP3	containerd	*		Up to (excluding) 1.2.0-209.p01.ky10
	运行在以下环境
	系统	opensuse_5.3	containerd	*		Up to (excluding) 1.6.19-150000.87.1
	运行在以下环境
	系统	opensuse_Leap_15.4	containerd	*		Up to (excluding) 1.6.19-150000.87.1
	运行在以下环境
	系统	ubuntu_20.04	containerd	*		Up to (excluding) 1.6.12-0ubuntu1~20.04.3
	运行在以下环境
	系统	ubuntu_22.04	containerd	*		Up to (excluding) 1.6.12-0ubuntu1~22.04.3
	运行在以下环境
	系统	ubuntu_22.10	containerd	*		Up to (excluding) 1.6.12-0ubuntu1~22.10.2
	运行在以下环境
	系统	unionos_e	containerd	*		Up to (excluding) containerd-1.2.0-209.uel20