CVE-2023-25173

Published on: Not Yet Published

Last Modified on: 02/24/2023 04:56:00 PM UTC

CVE-2023-25173 - advisory for GHSA-hmfx-3pcx-653p

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Certain versions of Containerd from Linuxfoundation contain the following vulnerability:

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 where supplementary groups are not set up properly inside a container. If an attacker has direct access to a container and manipulates their supplementary group access, they may be able to use supplementary group access to bypass primary group restrictions in some cases, potentially gaining access to sensitive information or gaining the ability to execute code in that container. Downstream applications that use the containerd client library may be affected as well. This bug has been fixed in containerd v1.6.18 and v.1.5.18. Users should update to these versions and recreate containers to resolve this issue. Users who rely on a downstream application that uses containerd's client library should check that application for a separate advisory and instructions. As a workaround, ensure that the `"USER $USERNAME"` Dockerfile instruction is not used. Instead, set the container entrypoint to a value similar to `ENTRYPOINT ["su", "-", "user"]` to allow `su` to properly set up supplementary groups.

CVE-2023-25173 has been assigned by [email protected] to track the vulnerability - currently rated as HIGH severity.
Affected Vendor/Software: containerd - containerd version = < 1.5.18
Affected Vendor/Software: containerd - containerd version = >= 1.6.0, < 1.6.18

CVSS3 Score: 7.8 - HIGH

Attack Vector ^ⓘ	Attack Complexity	Privileges Required	User Interaction
LOCAL	LOW	LOW	NONE
Scope	Confidentiality Impact	Integrity Impact	Availability Impact
UNCHANGED	HIGH	HIGH	HIGH

CVE References

Description	Tags ^ⓘ	Link
Buildah's incorrect handling of the supplementary groups may lead to data disclosure, modification · CVE-2022-2990 · GitHub Advisory Database · GitHub	github.com text/html	MISC github.com/advisories/GHSA-fjm8-m7m6-2fjp
Merge pull request from GHSA-hmfx-3pcx-653p · containerd/[email protected] · GitHub	github.com text/html	MISC github.com/containerd/containerd/commit/133f6bb6cd827ce35a5fb279c1ead12b9d21460a
Release containerd 1.6.18 · containerd/containerd · GitHub	github.com text/html	MISC github.com/containerd/containerd/releases/tag/v1.6.18
Vulnerability in Linux containers – investigation and mitigation – Bentham’s Gaze	www.benthamsgaze.org text/html	MISC www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/
Supplementary groups are not set up properly · Advisory · containerd/containerd · GitHub	github.com text/html	MISC github.com/containerd/containerd/security/advisories/GHSA-hmfx-3pcx-653p
CRI-O incorrect handling of supplementary groups may lead to sensitive information disclosure · CVE-2022-2995 · GitHub Advisory Database · GitHub	github.com text/html	MISC github.com/advisories/GHSA-phjr-8j92-w5v7
Podman's incorrect handling of the supplementary groups may lead to data disclosure, modification · CVE-2022-2989 · GitHub Advisory Database · GitHub	github.com text/html	MISC github.com/advisories/GHSA-4wjj-jwc9-2x96
Release containerd 1.5.18 · containerd/containerd · GitHub	github.com text/html	MISC github.com/containerd/containerd/releases/tag/v1.5.18
Security vulnerability relating to supplementary group permissions · Advisory · moby/moby · GitHub	github.com text/html	MISC github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4

By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].

Related QID Numbers

283789 Fedora Security Update for stargz (FEDORA-2023-ee472c698c)
283793 Fedora Security Update for containerd (FEDORA-2023-aadd08ab96)
283794 Fedora Security Update for containerd (FEDORA-2023-05b39bc048)
905553 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591)
905559 Common Base Linux Mariner (CBL-Mariner) Security Update for k3s (13570)
905612 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13673)
906541 Common Base Linux Mariner (CBL-Mariner) Security Update for moby-containerd (13591-1)

Exploit/POC from Github

containerd is an open source container runtime. A bug was found in containerd prior to versions 1.6.18 and 1.5.18 whe…

Known Affected Configurations (CPE V2.3)

Type	Vendor	Product	Version	Update	Edition	Language
Application	Linuxfoundation	Containerd	All	All	All	All

cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*:

No vendor comments have been submitted for this CVE

Social Mentions

Source	Title	Posted (UTC)
@everpeace	CVE-2023-25173はcontainerdだけじゃなくて、Docker/Moby/CRI-O/Podman/Buildahにも同様のCVEが発行されています。containerのグループ権限周りの脆弱性で興味深かった。影響… twitter.com/i/web/status/1…	2023-02-16 06:01:08
@CVEreport	CVE-2023-25173 : containerd is an open source container runtime. A bug was found in containerd prior to versions 1.… twitter.com/i/web/status/1…	2023-02-16 15:07:20
/r/netcve	CVE-2023-25173	2023-02-16 15:38:40