The Debian 11 host is affected by vulnerabilities in Moby (Docker Engine) and containerd, which can lead to privilege escalation and denial of service attacks
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5162. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include('compat.inc');
if (description)
{
script_id(162143);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2022/06/13");
script_cve_id("CVE-2022-24769", "CVE-2022-31030");
script_name(english:"Debian DSA-5162-1 : containerd - security update");
script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5162 advisory.
- Moby is an open-source project created by Docker to enable and accelerate software containerization. A bug
was found in Moby (Docker Engine) prior to version 20.10.14 where containers were incorrectly started with
non-empty inheritable Linux process capabilities, creating an atypical Linux environment and enabling
programs with inheritable file capabilities to elevate those capabilities to the permitted set during
`execve(2)`. Normally, when executable programs have specified permitted file capabilities, otherwise
unprivileged users and processes can execute those programs and gain the specified file capabilities up to
the bounding set. Due to this bug, containers which included executable programs with inheritable file
capabilities allowed otherwise unprivileged users and processes to additionally gain these inheritable
file capabilities up to the container's bounding set. Containers which use Linux users and groups to
perform privilege separation inside the container are most directly impacted. This bug did not affect the
container security sandbox as the inheritable set never contained more capabilities than were included in
the container's bounding set. This bug has been fixed in Moby (Docker Engine) 20.10.14. Running containers
should be stopped, deleted, and recreated for the inheritable capabilities to be reset. This fix changes
Moby (Docker Engine) behavior such that containers are started with a more typical Linux environment. As a
workaround, the entry point of a container can be modified to use a utility like `capsh(1)` to drop
inheritable capabilities prior to the primary process starting. (CVE-2022-24769)
- containerd is an open source container runtime. A bug was found in the containerd's CRI implementation
where programs inside a container can cause the containerd daemon to consume memory without bound during
invocation of the `ExecSync` API. This can cause containerd to consume all available memory on the
computer, denying service to other legitimate workloads. Kubernetes and crictl can both be configured to
use containerd's CRI implementation; `ExecSync` may be used when running probes or when executing
processes via an exec facility. This bug has been fixed in containerd 1.6.6 and 1.5.13. Users should
update to these versions to resolve the issue. Users unable to upgrade should ensure that only trusted
images and commands are used. (CVE-2022-31030)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/containerd");
script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2022/dsa-5162");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-24769");
script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-31030");
script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/containerd");
script_set_attribute(attribute:"solution", value:
"Upgrade the containerd packages.
For the stable distribution (bullseye), these problems have been fixed in version 1.4.13~ds1-1~deb11u2.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-24769");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2022/03/24");
script_set_attribute(attribute:"patch_publication_date", value:"2022/06/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/06/13");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:containerd");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-github-containerd-containerd-dev");
script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Debian Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2022 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
exit(0);
}
include('debian_package.inc');
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(11)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);
var pkgs = [
{'release': '11.0', 'prefix': 'containerd', 'reference': '1.4.13~ds1-1~deb11u2'},
{'release': '11.0', 'prefix': 'golang-github-containerd-containerd-dev', 'reference': '1.4.13~ds1-1~deb11u2'}
];
var flag = 0;
foreach package_array ( pkgs ) {
var release = NULL;
var prefix = NULL;
var reference = NULL;
if (!empty_or_null(package_array['release'])) release = package_array['release'];
if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (release && prefix && reference) {
if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : deb_report_get()
);
exit(0);
}
else
{
var tested = deb_pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'containerd / golang-github-containerd-containerd-dev');
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo