CVE-2020-15257: What is it and how does it impact your Docker and Kubernetes environments?

Riyaz Walikar
kloudle
3 min read, Feb 20, 2021


A new vulnerability, CVE-2020-15257, has been discovered in the way containerd-shim exposes its API through the host network namespace. Our blog covers the details.


NCC Group published a Technical Advisory describing a vulnerability that allows a container with access to the host network namespace to interact with the API of the container runtime over Unix domain sockets. That access can then be exploited further to interact with the host system itself (a container escape to the host). The issue has been assigned CVE-2020-15257.

Background

containerd is the container runtime that Docker Engine uses for all container-related activity, including managing the file, network and IO namespaces. containerd-shim is a binary that containerd starts whenever a container is launched with the docker command. You can quickly see containerd-shim being invoked by starting a container and inspecting the processes on the host, as shown below:

docker ps # make sure no containers are running
ps fauxx | grep containerd # only containerd itself should show up at this point
docker run -d --name vuln-container ubuntu sleep infinity
ps fauxx | grep containerd # a containerd-shim process now appears for the new container

containerd-shim is responsible for the actual execution of the container lifecycle, which it exposes to containerd via an API. This is why the binary is named containerd-shim: a shim in computing, put simply, allows for transparent communication by rewriting requests and parameters so that they are understood by whatever program it sits in front of. The containerd-shim API is exposed via an abstract Unix domain socket that is accessible in the host machine's network namespace. Any process that can reach and interact with that abstract Unix domain socket can invoke the functions the API supports.

Abstract Unix domain sockets are Linux-specific sockets that have no file mapping on the filesystem but are instead tied to the network namespace of the process that created them. The naming convention for an abstract Unix domain socket requires the name to start with a NUL character (\0).
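Because abstract sockets are bound to a network namespace, the kernel's /proc/net/unix table (where they are listed with a leading "@" in place of the NUL byte) is a direct way to check which of them a given process can see. The script below is an added example written for this post, not code from the original article or from the containerd project: it reads a /proc/net/unix-formatted table, lists the abstract sockets and flags any named like a containerd-shim endpoint. The "/containerd-shim/" naming pattern and the sample table are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original post): list the abstract Unix domain
# sockets visible in the current network namespace and flag containerd-shim
# endpoints. Abstract sockets appear in /proc/net/unix with a leading "@"
# standing in for the NUL byte.

# Print abstract socket names from a /proc/net/unix-formatted table
# (field 8 is the path; defaults to the live kernel table).
abstract_sockets() {
    awk 'NR > 1 && $8 ~ /^@/ { print $8 }' "${1:-/proc/net/unix}"
}

# Count them, for a quick "does this namespace show any abstract sockets" check.
count_abstract_sockets() {
    awk 'NR > 1 && $8 ~ /^@/ { n++ } END { print n + 0 }' "${1:-/proc/net/unix}"
}

# Exit 0 when an abstract socket named like a containerd-shim endpoint is
# visible. The "/containerd-shim/" naming pattern is an assumption made for
# this example, not something the post documents.
shim_socket_visible() {
    abstract_sockets "${1:-/proc/net/unix}" | grep -q '/containerd-shim/'
}

# Constructed sample in /proc/net/unix layout (not real output from any host).
write_sample_table() {
    cat > "$1" <<'EOF'
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 28714 /run/docker.sock
0000000000000000: 00000002 00000000 00010000 0001 01 30001 @/containerd-shim/moby/0123456789abcdef/shim.sock
0000000000000000: 00000003 00000000 00000000 0001 03 30007
0000000000000000: 00000002 00000000 00010000 0001 01 31200 @/tmp/.X11-unix/X0
EOF
}

# Run with --live to inspect the namespace you are in. From a container with
# its own network namespace, the host's abstract sockets do not show up; with
# --net host they do, which is exactly the exposure the post describes.
case "${1:-}" in
    --live)
        echo "abstract sockets visible: $(count_abstract_sockets)"
        if shim_socket_visible; then
            echo "containerd-shim abstract socket visible from this network namespace"
        else
            echo "no containerd-shim abstract socket visible"
        fi
        ;;
esac
```

Running it with --live inside a container started with the default bridge network and again inside one started with --net host makes the namespace boundary visible: the first run lists none of the host's abstract sockets, the second lists all of them.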

Running a container with host network privileges (--net host on Docker or .spec.hostNetwork: true on Kubernetes) gives the container complete access to the host's root network namespace when the container runs as UID 0 (the user within the container is root and the docker command was not started with the --user option). For example, a process started within such a container can use the host's network capabilities, including listening for connections on the host's network interfaces. Being able to reach the containerd-shim API through the abstract Unix domain sockets exposed in the host network namespace can lead to all sorts of security problems, including reading from and writing to the host file system, executing commands on the host as root and spinning up further containers as required.

The CVE was fixed in containerd v1.4.3 and v1.3.9 by switching away from abstract sockets to plain file-based Unix sockets under /run/containerd. To see the version of containerd on your system, run docker version and look at the Version line listed under the containerd component of the Server section:

docker version # the containerd entry under "Server:" shows the containerd version in use
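Two checks follow from the last two sections: whether the containerd on a host is at or past the fixed releases, and whether any running container is in the exposed configuration (host network namespace and UID 0). The script below is an added example for this post, not code from the original article, Docker or containerd. It treats the 1.4 and 1.3 branches as fixed from v1.4.3 and v1.3.9 onward, anything newer than 1.4 as fixed and older branches as unfixed (a conservative assumption made here); the docker version parsing and the docker inspect template are the only parts that touch a live system, and they run only with --live.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether a containerd build
# carries the CVE-2020-15257 fix and whether a container's settings put it in
# the exposed configuration (host network namespace as root).

# Exit 0 when the given containerd version is at or past the fixed releases
# (v1.4.3 on the 1.4 branch, v1.3.9 on the 1.3 branch). Newer branches are
# treated as fixed, older ones as unfixed (assumption). A leading "v" and a
# pre-release suffix such as "-rc.1" are accepted.
containerd_is_fixed() {
    v=${1#v}
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0
    if [ "$major" -gt 1 ]; then return 0; fi
    [ "$major" -eq 1 ] || return 1
    case "$minor" in
        4) [ "$patch" -ge 3 ] ;;
        3) [ "$patch" -ge 9 ] ;;
        *) [ "$minor" -gt 4 ] ;;
    esac
}

# Exit 0 when a container runs in the host network namespace as root.
# Arguments are the NetworkMode and User values printed by
#   docker inspect --format '{{.HostConfig.NetworkMode}}|{{.Config.User}}' <id>
# An empty User means the image default, which is root unless the image says
# otherwise; it is treated as root here.
exposed_config() {
    netmode=$1
    user=${2:-}
    [ "$netmode" = "host" ] || return 1
    case "$user" in
        ""|0|root|0:*|root:*) return 0 ;;
        *) return 1 ;;
    esac
}

# Pull the containerd version out of the text that `docker version` prints:
# the first Version line after the "containerd:" component heading.
live_containerd_version() {
    docker version 2>/dev/null |
        awk '/^ *containerd:/ { f = 1 } f && /Version:/ { print $2; exit }'
}

# Run with --live on a Docker host to report both checks.
case "${1:-}" in
    --live)
        ver=$(live_containerd_version)
        if [ -z "$ver" ]; then
            echo "could not read the containerd version from docker version"
        elif containerd_is_fixed "$ver"; then
            echo "containerd $ver: includes the CVE-2020-15257 fix"
        else
            echo "containerd $ver: does NOT include the CVE-2020-15257 fix"
        fi
        for id in $(docker ps -q); do
            cfg=$(docker inspect --format '{{.HostConfig.NetworkMode}}|{{.Config.User}}' "$id")
            if exposed_config "${cfg%%|*}" "${cfg#*|}"; then
                echo "$id: host network namespace as root (exposed configuration)"
            fi
        done
        ;;
esac
```

On Kubernetes the equivalent configuration check is the .spec.hostNetwork field the post names, combined with the pod's effective user; the version check applies unchanged to the containerd that the nodes run.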

To see how an attacker could potentially exploit this vulnerability and what defenders need to know to make sure they are safe, read the rest of the post here
