List: oss-security
Subject: [oss-security] OpenVZ simfs container filesystem breakout
From: Michał_Grzędzicki <lazy () iq ! pl>
Date: 2014-06-24 15:45:41
Message-ID: B48B5501-0DDF-4547-B946-E08B73F9282C () iq ! pl
An attacker is able to access files outside of his container.

The open_by_handle_at() function enables a process to access files on a mounted filesystem using a file_handle structure. This structure uses inode numbers to differentiate files. Calling this function requires the CAP_DAC_READ_SEARCH capability, and the superuser inside a container has this capability by default.

This enables an attacker to bypass simfs restrictions and access all files on the underlying filesystem, including other VEs residing on the same filesystem.

This is the same issue as the one affecting Docker which was recently discovered by Sebastian Krahmer. He wrote about it on this list: http://www.openwall.com/lists/oss-security/2014/06/18/4

This vulnerability is identified by CVE-2014-3519.

For further technical information please refer to Sebastian Krahmer's post and POC (http://stealth.openwall.net/xSports/shocker.c). His POC code works with OpenVZ with cosmetic modifications, so we have to consider that a public exploit is readily available.
Affected versions:
all RHEL6 based OpenVZ kernels older than 042stab090.5 (released today) that use simfs (VE_LAYOUT=simfs).

Unaffected versions:
RHEL5 based OpenVZ kernels lack the open_by_handle_at(2) function.
RHEL6 based OpenVZ kernels using exclusively ploop, or the commercial Parallels vzfs.

The newest vzctl packages default to the unaffected ploop layout. The commercial Parallels vzfs is also unaffected.
Disabling CAP_DAC_READ_SEARCH inside the containers can be used as a mitigation technique if a kernel upgrade is not possible (replace <VEID> with the container's ID):

# vzctl set <VEID> --save --capability DAC_READ_SEARCH:off --setmode restart

(It will immediately restart the VE.)
I think it won't break any typical software running inside the CT, but your mileage may vary.
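To check from inside a container whether the mitigation above is in effect and whether the host runs a fixed kernel, here is an added POSIX sh script (not part of the advisory). It assumes the kernel string has the usual OpenVZ RHEL6 form, e.g. 2.6.32-042stab090.5, and reads the effective capability mask from /proc/self/status.

```sh
#!/bin/sh
# Added check, not from the advisory: does this container still hold
# CAP_DAC_READ_SEARCH, and is the kernel at least 042stab090.5?

# CAP_DAC_READ_SEARCH is capability number 2 (linux/capability.h), so it
# is bit 2 of the CapEff hex mask shown in /proc/<pid>/status.
CAP_DAC_READ_SEARCH=2

# has_cap MASK_HEX CAPNUM: succeeds when bit CAPNUM is set in MASK_HEX.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# strip0 NUM: drop leading zeros so "090" is not parsed as octal.
strip0() {
    v=${1#${1%%[!0]*}}
    echo "${v:-0}"
}

# kernel_fixed UNAME_R: succeeds when an OpenVZ RHEL6 kernel string such
# as 2.6.32-042stab090.5 is at or above 042stab090.5. Anything that is
# not a 042stab kernel fails (treat it as "unknown, check manually").
kernel_fixed() {
    stab=${1#*-}
    case $stab in
        042stab*) ;;
        *) return 1 ;;
    esac
    rest=${stab#042stab}             # e.g. 090.5
    major=$(strip0 "${rest%%.*}")    # 90
    minor=${rest#*.}                 # 5
    [ "$minor" = "$rest" ] && minor=0
    minor=$(strip0 "$minor")
    [ "$major" -gt 90 ] || { [ "$major" -eq 90 ] && [ "$minor" -ge 5 ]; }
}

report() {
    mask=$(awk '/^CapEff:/ { print $2 }' /proc/self/status 2>/dev/null) || mask=0
    if has_cap "${mask:-0}" "$CAP_DAC_READ_SEARCH"; then
        echo "CAP_DAC_READ_SEARCH: present, open_by_handle_at(2) is callable"
    else
        echo "CAP_DAC_READ_SEARCH: dropped, mitigation from the advisory in place"
    fi
    if kernel_fixed "$(uname -r)"; then
        echo "kernel $(uname -r): 042stab090.5 or newer"
    else
        echo "kernel $(uname -r): not a fixed 042stab kernel, check VE_LAYOUT too"
    fi
}

report
```

A container is only safe when the kernel line reports a fixed kernel or the capability line reports it dropped; a ploop-only host is unaffected regardless, as the advisory states.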
References:
http://kb.parallels.com/en/122142
https://openvz.org/Download/kernel/rhel6/042stab090.5
http://www.openwall.com/lists/oss-security/2014/06/18/4
--
Michał Grzędzicki
e-mail: mg@iq.pl
IQ PL Sp. z o.o.