KCSA-CVE-2020-2023.md

File metadata and controls

69 lines (49 loc) · 2.49 KB

announcement-date: 2020-06-12

id: KCSA-CVE-2020-2023

title: Kata Containers Execution with Unnecessary Privileges

description: A container can access the guest root file system device. This can be used to gain code execution on the guest and masquerade as kata-agent.

affected-components:

  • components: kata-agent
    version: Before v1.11.1

vulnerabilities:

  • CVE-ID: CVE-2020-2023

reporters:

  • name: Yuval Avrahami
    affiliation: Palo Alto Networks
    reported:
    • CVE-2020-2023

issues:

  links:
    • kata-containers/agent#791
    • kata-containers/runtime#2476
    • kata-containers/runtime#2488

reviews:

  v1.11.1:
    • kata-containers/agent#792
    • kata-containers/runtime#2477
    • kata-containers/runtime#2487

type: GitHub

reproduce:

  • A malicious container can create a device file for the guest root filesystem device, and use it to modify the guest filesystem through utilities like debugfs, potentially allowing a container-to-guest breakout:

    1. Find the guest root filesystem device major and minor numbers by inspecting /sys/dev/block.
    2. Use mknod to create a device file for the guest root filesystem device.
    3. Use utilities such as debugfs to access the device file and modify the guest filesystem.
    4. Attempt to gain code execution on the guest by overwriting crucial guest files (e.g. kata-agent, libc)

    When the guest filesystem is mounted with DAX, it's easier for the container to gain guest code execution. With DAX, changes made to the device immediately propagate to the pages used by guest processes. This means the container can inject code to guest processes by modifying the executables and libraries used by them.

    Without DAX, the malicious container can force changes made to the device to propagate to guest pages by exhausting memory, forcing the guest kernel to re-read the pages from the compromised device. The attack may fail if the container memory is limited by cgroups.

notes:

  • The vulnerability can be used to compromise the guest and masquerade as the kata-agent. To exploit the issue, the container must possess the CAP_MKNOD capability. All users are recommended to upgrade to mitigate guest breakout.
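The note above ties exploitation to the container holding CAP_MKNOD, so a useful defensive check is whether a container process or its OCI configuration still grants that capability. The following Python audit is an added example, not code from the advisory or the Kata Containers project; the /proc status excerpts and the OCI config fragment are constructed samples, and the capability bit number comes from linux/capability.h.

```python
"""Audit whether a container still holds CAP_MKNOD, the capability the advisory
names as required. Added example; not code from the Kata Containers project."""
import re

CAP_MKNOD = 27  # bit number of CAP_MKNOD in linux/capability.h

# Constructed sample: a /proc/<pid>/status excerpt with Docker's default
# effective capability mask (0xa80425fb has bit 27, CAP_MKNOD, set).
STATUS_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
# Same sample after dropping CAP_MKNOD (bit 27 cleared).
STATUS_HARDENED = "Name:\tsh\nCapEff:\t00000000a00425fb\n"

# Constructed OCI runtime config fragment (process.capabilities) for a container
# whose bounding and permitted sets still include CAP_MKNOD.
OCI_CONFIG = {"process": {"capabilities": {
    "bounding": ["CAP_CHOWN", "CAP_MKNOD", "CAP_NET_BIND_SERVICE"],
    "effective": ["CAP_CHOWN", "CAP_NET_BIND_SERVICE"],
    "permitted": ["CAP_CHOWN", "CAP_MKNOD", "CAP_NET_BIND_SERVICE"],
}}}

def cap_bits(status_text: str) -> set:
    """Decode the CapEff hex mask of a /proc/<pid>/status dump into bit numbers."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line in status text")
    mask = int(m.group(1), 16)
    return {bit for bit in range(64) if mask >> bit & 1}

def process_has_mknod(status_text: str) -> bool:
    """True if the process whose status is given can create device nodes with mknod(2)."""
    return CAP_MKNOD in cap_bits(status_text)

def oci_grants_mknod(config: dict) -> list:
    """Return the capability sets of an OCI config that still list CAP_MKNOD.
    An empty list means the container is started without the capability."""
    caps = config.get("process", {}).get("capabilities", {})
    return [name for name in ("bounding", "effective", "inheritable", "permitted", "ambient")
            if "CAP_MKNOD" in caps.get(name, [])]

def drop_mknod(config: dict) -> dict:
    """Return a copy of the OCI config with CAP_MKNOD removed from every set."""
    caps = config.get("process", {}).get("capabilities", {})
    fixed = {k: [c for c in v if c != "CAP_MKNOD"] for k, v in caps.items()}
    return {"process": {**config.get("process", {}), "capabilities": fixed}}

if __name__ == "__main__":
    print("default:", process_has_mknod(STATUS_DEFAULT), "hardened:", process_has_mknod(STATUS_HARDENED))
    print("OCI sets with CAP_MKNOD:", oci_grants_mknod(OCI_CONFIG), "after drop:", oci_grants_mknod(drop_mknod(OCI_CONFIG)))
```

On a live host, feed `cap_bits` the contents of `/proc/<pid>/status` for a container's init process, or `oci_grants_mknod` the parsed `config.json` of a bundle, to find workloads that should have CAP_MKNOD dropped in addition to the kata-agent upgrade.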