CVE-2020-27352: Understanding the Vulnerability in Generating Systemd Service Units for Docker Snap and Its Exploitation

Recently, a vulnerability in the snapd systems, CVE-2020-27352, has been discovered. This vulnerability arises when generating systemd service units for the Docker snap and similar snaps, where the Delegate=yes option is not specified. As a result, systemd may move processes from containers created and managed by these snaps into the cgroup of the main daemon within the snap itself when reloading system units. This could provide additional privileges to a container within the snap that were not originally intended, potentially leading to security issues. In this post, we will be discussing this vulnerability in detail, along with its exploit and original references.

Code Snippet

The following is an example of a systemd service unit without Delegate=yes – the root of this vulnerability:

[Unit]
Description=Docker Application Container Engine
Documentation=https://docs.docker.com
After=network-online.target docker.socket firewalld.service
Wants=network-online.target
Requires=docker.socket

[Service]
Type=notify
ExecStart=/usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
ExecReload=/bin/kill -s HUP $MAINPID
TimeoutSec=
RestartSec=2
Restart=always

[Install]
WantedBy=multi-user.target

To fix this issue, the Delegate=yes option should be added to the [Service] section

[Service]
Delegate=yes
...

The details of this vulnerability, CVE-2020-27352, can be found in the following links

1. CVE-2020-27352 – The official entry in the CVE List, which provides a summary of the vulnerability.
2. Launchpad Bug Tracker – The bug report submitted to the Launchpad bug tracking system with detailed information on the issue.
3. Docker documentation – The official documentation for Docker, where you can find more information about Docker snaps and systemd service units.

Exploit Details

Although there does not seem to be a publicly available exploit for CVE-2020-27352 at this time, the vulnerability may potentially allow an attacker to gain additional privileges and execute arbitrary code within a container inside the affected snap. As a result, systems using Docker snap or similar snaps without specifying Delegate=yes in the systemd service units could be at risk of unauthorized access or code execution.

One possible attack scenario could involve an attacker with access to a container within a vulnerable snap. The attacker could exploit the absence of Delegate=yes by causing systemd to reload the system units, moving the attacker's container processes to the main daemon's cgroup. This could potentially grant the attacker additional privileges, allowing them to execute arbitrary code with the higher-level permissions of the main daemon.

Conclusion

The vulnerability CVE-2020-27352 is an important reminder of the importance of security and proper configuration in the context of container management platforms like Docker. While no real-world exploits have been discovered at this time, it is essential for administrators and developers to be aware of this vulnerability and implement the appropriate mitigations. Ensuring Delegate=yes is specified in systemd service units for snaps can help prevent this issue and protect your systems from potential security risks.

Timeline

Published on: 06/21/2024 20:15:10 UTC
Last modified on: 07/09/2024 20:56:52 UTC