Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jbTl4LWMzcmgtN3JjNM4AAwpl
CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation
Impact
It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Note: because the pod author is in control of the container's /etc/passwd, this is not considered a new risk factor. However, this advisory is being opened for transparency and as a way of tracking fixes.
Patches
1.26.0 will have the fix. More patches will be posted as they're available.
Workarounds
Additional security controls like SELinux should prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container's /etc/passwd
References
Permalink: https://github.com/advisories/GHSA-cm9x-c3rh-7rc4JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jbTl4LWMzcmgtN3JjNM4AAwpl
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 5 months ago
Updated: 5 months ago
CVSS Score: 6.1
CVSS vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N
Identifiers: GHSA-cm9x-c3rh-7rc4, CVE-2022-4318
References:
- https://github.com/cri-o/cri-o/security/advisories/GHSA-cm9x-c3rh-7rc4
- https://github.com/cri-o/cri-o/pull/6450
- https://github.com/advisories/GHSA-cm9x-c3rh-7rc4
Affected Packages
go:github.com/cri-o/cri-o
Versions: < 1.26.0Fixed in: 1.26.0