A bug has been identified in containerd, an industry-standard open-source container runtime. The vulnerability, CVE-2023-25173, affects containerd before versions 1.6.18 and 1.5.18. Supplementary groups are not set up properly inside a container; an attacker who already has direct access to a container and manipulates their supplementary group access may, in some cases, bypass primary group restrictions and gain access to sensitive information or the ability to execute code within that container. Downstream applications that use the containerd client library may be affected as well.

Details

The issue is that supplementary groups are not set up properly inside containers created by unpatched versions of containerd. Unix file permissions are checked against a process's primary group and each of its supplementary groups alike, so a process holding supplementary groups that the image or the runtime options did not intend can reach files that its primary group alone would not allow. Exploiting this requires an attacker to already be running code inside the container; the advisory describes the impact as access within that container, not as a container escape.

The issue is fixed in containerd versions 1.6.18 and 1.5.18. Instructions on updating to these versions, and a workaround for those who cannot update immediately, are given below.

Original References

- containerd GitHub Repository: https://github.com/containerd/containerd
- containerd Security Advisory for CVE-2023-25173 (GitHub Security Advisories, containerd/containerd)

Observing the Issue

No exploit code is published with this advisory, and bash has no option for adding groups to a running process; an attacker needs existing access to a process inside the container, and the problem is then that the process's supplementary groups are not what the image and the runtime options intended. Whether a container is affected can be checked from inside it, on a container started from an image with a USER instruction on an unpatched containerd, by comparing the groups the process actually has with the groups the image declares for that user:

# Inside the container, as the user named in the USER instruction. What id
# reports is exactly what the kernel enforces: primary and supplementary groups.
id
# Illustrative output (values depend on the image):
# uid=100(targetuser) gid=100(targetuser) groups=100(targetuser),29(audio)

# What the image declares for the same user: the primary group in /etc/passwd
# and every group that lists the user as a member in /etc/group.
grep '^targetuser:' /etc/passwd
grep -E '(:|,)targetuser(,|$)' /etc/group

# Any group in the id output that neither the image nor the USER instruction
# intended, or any intended group that is missing, means the runtime set the
# supplementary groups up incorrectly. A file readable by such an unintended
# group is readable by this process although its primary group would not allow it.

Mitigation

The containerd maintainers have released versions 1.6.18 and 1.5.18, which address this vulnerability. Update containerd and then recreate existing containers: the process user and its groups are written into a container's OCI runtime spec when the container is created, so containers created by an unpatched containerd keep the incorrect group setup until they are recreated.

Instructions on updating containerd can be found in the official containerd documentation.

Users relying on downstream applications that use the containerd client library should consult that application's own advisory and follow its instructions; because Go applications link the containerd library statically, the fix reaches them only through a rebuilt release of the application.

For users who cannot update immediately, the maintainers give the following workaround:

1. Do not use the "USER $USERNAME" Dockerfile instruction for images run on an unpatched containerd.

2. Instead, set the container entrypoint to a value similar to ENTRYPOINT ["su", "-", "user"]. The container then starts as root and su performs the user switch inside the container, setting up the primary group from /etc/passwd and the supplementary groups from /etc/group itself, instead of containerd doing it at container creation.

Example

# Change from this: containerd performs the user switch when it creates the
# container, which is where the supplementary groups go wrong.
FROM some-base-image
USER targetuser
#...

# To this: the container starts as root and su switches to targetuser,
# applying the primary group from /etc/passwd and the memberships from
# /etc/group itself. su must exist in the image and targetuser needs a
# usable login shell in /etc/passwd (su - fails for a nologin user).
# Arguments after the user name go to that shell, so a command is run as
# su - targetuser -c "<command>" rather than appended bare.
FROM some-base-image
ENTRYPOINT ["su", "-", "targetuser"]
#...
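As an added example (not part of the advisory and not containerd's own tooling), the following POSIX shell helpers automate the two checks the mitigation calls for: whether a containerd version string falls in the affected range (below 1.5.18, or 1.6.0 through 1.6.17), and whether a Dockerfile still uses the USER instruction that the workaround replaces with a su entrypoint. The version-line format assumed is the one containerd --version prints, with the version tag as the third field; the Dockerfile passed on the command line is whatever the reader supplies, and the sample inputs used to try the helpers are constructed.

```shell
#!/bin/sh
# Added example: helpers for the CVE-2023-25173 mitigation checks.
# Not containerd code.

# containerd_version_from_line LINE
# Extracts the version tag from `containerd --version` output, whose third
# field is the tag, e.g.
#   containerd github.com/containerd/containerd v1.6.17 8fad9e7...
# Distro builds may print the tag without the leading "v"; both are handled
# by containerd_affected below.
containerd_version_from_line() {
    set -- $1                      # intentional word splitting into fields
    printf '%s\n' "$3"
}

# containerd_affected VERSION
# Returns 0 (true) if VERSION is in the range the advisory names as
# affected: anything below 1.5.18, or 1.6.0 through 1.6.17.
# Pre-release suffixes (e.g. -rc.1) are stripped, so a release candidate
# of a fixed version is treated as fixed; check its release notes.
containerd_affected() {
    v=${1#v}                       # drop leading "v"
    v=${v%%[-+]*}                  # drop pre-release / build metadata
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case $rest in
        *.*) patch=${rest#*.}; patch=${patch%%.*} ;;
        *)   patch=0 ;;            # "1.6" with no patch component
    esac
    [ "$major" -gt 1 ] && return 1                         # 2.x and later carry the fix
    [ "$major" -lt 1 ] && return 0
    [ "$minor" -lt 5 ] && return 0                         # no fixed release on 1.4 and older
    [ "$minor" -eq 5 ] && [ "$patch" -lt 18 ] && return 0
    [ "$minor" -eq 6 ] && [ "$patch" -lt 18 ] && return 0
    return 1                                               # 1.5.18+, 1.6.18+, 1.7+
}

# dockerfile_user_instructions FILE
# Prints each USER instruction in FILE with its line number; returns 0 if
# any was found, 1 otherwise. Dockerfile instructions are case-insensitive,
# hence -i.
dockerfile_user_instructions() {
    grep -niE '^[[:space:]]*USER[[:space:]]' -- "$1"
}

# dockerfile_workaround_applied FILE
# Returns 0 when FILE has no USER instruction and its ENTRYPOINT invokes su,
# in exec form (["su", ...]) or shell form (su ...), i.e. the advisory's
# workaround is in place.
dockerfile_workaround_applied() {
    dockerfile_user_instructions "$1" >/dev/null && return 1
    grep -qiE '^[[:space:]]*ENTRYPOINT[[:space:]]+(\[[[:space:]]*"su"|su[[:space:]])' -- "$1"
}

# Stand-alone use: report on the local containerd, if installed, and on a
# Dockerfile given as the first argument.
if command -v containerd >/dev/null 2>&1; then
    ver=$(containerd_version_from_line "$(containerd --version)")
    if containerd_affected "$ver"; then
        echo "containerd $ver is affected by CVE-2023-25173; update to 1.5.18 / 1.6.18 or later and recreate containers"
    else
        echo "containerd $ver is not affected"
    fi
fi
if [ -n "${1:-}" ]; then
    if dockerfile_workaround_applied "$1"; then
        echo "$1: workaround in place (no USER instruction, su entrypoint)"
    else
        echo "$1: USER instruction present or no su entrypoint:"
        dockerfile_user_instructions "$1" || true
    fi
fi
```

The version check is branch-aware on purpose: a plain numeric comparison against 1.6.18 would wrongly flag 1.5.18 as vulnerable, and the advisory fixed both release branches at once.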

Conclusion

CVE-2023-25173 is a reminder to apply container runtime security patches promptly. Users of containerd should update to 1.6.18 or 1.5.18 and recreate their containers; users of downstream applications built on the containerd client library should watch for those applications' own advisories; anyone who cannot update yet should apply the su entrypoint workaround in the meantime.

Timeline

Published on: 02/16/2023 15:15:00 UTC
Last modified on: 02/24/2023 16:56:00 UTC