FS#46574 - [lxc][CVE-2015-1335] Container Escape

Attached to Project: Community Packages
Opened by Christian Rebischke (Shibumi) - Monday, 05 October 2015, 22:51 GMT
Last edited by Doug Newgard (Scimmia) - Wednesday, 07 October 2015, 14:59 GMT
Task Type Bug Report
Category Upstream Bugs
Status Closed
Assigned To Sergej Pupykin (sergej)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

Description
===========

lxc-start in lxc before 1.0.8 and 1.1.x before 1.1.4 allows local container administrators to escape AppArmor confinement via a symlink attack on a mount target or bind mount source. [1]

Workaround
==========

1. do not allow mounts to paths containing symbolic links

2. do not allow bind mounts from relative paths containing symbolic
links. [2]

References
==========

[1] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1335
[2] https://github.com/lxc/lxc/commit/6de26af93d3dd87c8b21a42fdf20f30fa1c1948d

greetings

Christian Rebischke (Archlinux CVE Monitoring Team)
This task depends upon

Closed by  Doug Newgard (Scimmia)
Wednesday, 07 October 2015, 14:59 GMT
Reason for closing:  None
Comment by Christian Rebischke (Shibumi) - Wednesday, 07 October 2015, 14:59 GMT
Just a fast comment to this issue. This CVE is not fixed because archlinux doesn't support AppArmor nor Selinux. I've talked with Stephane (one of the lxc developers about this issue). He has said the following:

Well, without apparmor or SELinux, privileged containers are completely unsafe so while the CVE doesn't apply to that case (because there's no race to be had), your container is completely unsafe by design.


So my question is now what we do know? I think we should set this message as comment to this 'bug' and then mark it as closed but without the term 'fixed'.

Loading...