
List:       oss-security
Subject:    [oss-security] OpenVZ simfs container filesystem breakout
From:       Michał_Grzędzicki <lazy () iq ! pl>
Date:       2014-06-24 15:45:41
Message-ID: B48B5501-0DDF-4547-B946-E08B73F9282C () iq ! pl

An attacker is able to access files outside of his container.

The open_by_handle_at() function enables a process to access files on a mounted filesystem using a file_handle structure. This structure uses inode numbers to identify files. Calling this function requires the CAP_DAC_READ_SEARCH capability, and the superuser inside a container has this capability by default.

This enables an attacker to bypass simfs restrictions and access all files on the underlying filesystem, including those of other VEs residing on the same filesystem.

This is the same issue as the one affecting Docker, which was discovered recently by Sebastian Krahmer. He wrote about it on this list: http://www.openwall.com/lists/oss-security/2014/06/18/4

This vulnerability is identified by CVE-2014-3519.

For further technical information please refer to Sebastian Krahmer's post and POC (http://stealth.openwall.net/xSports/shocker.c).

His POC code works with OpenVZ with cosmetic modifications, so we have to consider that a public exploit is readily available.

Affected versions:
All RHEL6-based OpenVZ kernels older than 042stab090.5 (released today) using simfs (VE_LAYOUT=simfs).

Unaffected versions:
RHEL5-based OpenVZ kernels, which lack the open_by_handle_at(2) function.
RHEL6-based OpenVZ using exclusively ploop or the Parallels commercial vzfs.

The newest vzctl packages default to the unaffected ploop layout. The Parallels commercial vzfs is also unaffected.

Disabling CAP_DAC_READ_SEARCH inside the containers can be used as a mitigation technique if a kernel upgrade is not possible:

# vzctl set <VEID> --save --capability DAC_READ_SEARCH:off --setmode restart
(Replace <VEID> with the container ID. It will immediately restart the VE.)

I think it won't break any typical software running inside the CT, but your mileage may vary.
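Since the affected set is the intersection of kernel version and container layout, a small triage helper is useful on hosts with many CTs. The script below is an added example, not part of this advisory or of vzctl; its sample config files are constructed, and on a real host you would point it at /etc/vz/conf/<CTID>.conf for each container instead.

```shell
# Added triage helper for CVE-2014-3519 (not from the advisory or the vzctl project).
# A container is affected when the host runs an RHEL6 042stab kernel older than
# 042stab090.5 AND the container uses VE_LAYOUT=simfs without DAC_READ_SEARCH:off.
FIXED_STAB=90     # 042stab090.5: first fixed kernel named in the advisory
FIXED_PATCH=5

# Print "<stab> <patch>" in decimal from a release like 2.6.32-042stab088.4; fail otherwise.
stab_version() {
    printf '%s\n' "$1" |
        sed -n 's/.*042stab0*\([0-9][0-9]*\)\.0*\([0-9][0-9]*\).*/\1 \2/p' | grep .
}

# Return 0 if the kernel predates the fix, 1 if fixed, 2 if it is not an 042stab kernel.
kernel_vulnerable() {
    ver=$(stab_version "$1") || return 2
    set -- $ver
    [ "$1" -lt "$FIXED_STAB" ] && return 0
    [ "$1" -eq "$FIXED_STAB" ] && [ "$2" -lt "$FIXED_PATCH" ] && return 0
    return 1
}

# Read a KEY="value" setting from a vzctl container config (prints nothing if absent).
conf_get() {  # conf_get <conf-file> <KEY>
    sed -n "s/^$2=\"\([^\"]*\)\".*/\1/p" "$1" | tail -n 1
}

# Classify one container: affected | mitigated | unaffected | check-layout | unknown-kernel
assess() {  # assess <kernel-release> <path-to-CTID.conf>
    kernel_vulnerable "$1" && rc=0 || rc=$?
    case "$rc" in 1) echo unaffected; return ;; 2) echo unknown-kernel; return ;; esac
    case "$(conf_get "$2" VE_LAYOUT)" in
        ploop) echo unaffected; return ;;
        simfs) ;;
        *)     echo check-layout; return ;;   # VE_LAYOUT unset: depends on the vzctl default
    esac
    case "$(conf_get "$2" CAPABILITY)" in
        *DAC_READ_SEARCH:off*) echo mitigated ;;
        *)                     echo affected ;;
    esac
}

# Constructed sample configs (one per outcome); on a real host read /etc/vz/conf/<CTID>.conf
TMP=$(mktemp -d)
printf 'VE_LAYOUT="simfs"\n' > "$TMP/101.conf"
printf 'VE_LAYOUT="simfs"\nCAPABILITY="DAC_READ_SEARCH:off"\n' > "$TMP/102.conf"
printf 'VE_LAYOUT="ploop"\n' > "$TMP/103.conf"
for ct in 101 102 103; do
    echo "CT $ct on 2.6.32-042stab088.4: $(assess 2.6.32-042stab088.4 "$TMP/$ct.conf")"
done
```

On a real host, loop over /etc/vz/conf/*.conf and pass `uname -r` as the kernel release; any "affected" result is a CT that still needs the vzctl command above or the kernel update.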


References:
http://kb.parallels.com/en/122142
https://openvz.org/Download/kernel/rhel6/042stab090.5
http://www.openwall.com/lists/oss-security/2014/06/18/4

-- 
Michał Grzędzicki
e-mail: mg@iq.pl
IQ PL Sp. z o.o.




