EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2024-2024)

2024-07-2200:00:00

www.tenable.com

moby

cache poisoning

dockerfile

buildkit

build api

cve-2024-24557

CVSS3

8.6

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

AI Score

8.7

Confidence

High

JSON

According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

Moby is an open-source project created by Docker to enable software containerization. The classic builder     cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some     instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with     the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially     crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are     only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are     using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API     endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the     uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In     runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned     container process (from runc exec) to have a working directory in the host filesystem namespace, allowing     for a container escape by giving access to the host filesystem ('attack 2'). The same attack could be used     by a malicious image to allow a container process to gain access to the host filesystem through runc run     ('attack 1'). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries,     allowing for complete container escapes ('attack 3a' and 'attack 3b'). runc 1.1.12 includes patches for     this issue.(CVE-2024-21626)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(202968);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/24");

  script_cve_id("CVE-2024-21626", "CVE-2024-24557");

  script_name(english:"EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2024-2024)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is
affected by the following vulnerabilities :

    Moby is an open-source project created by Docker to enable software containerization. The classic builder
    cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some
    instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with
    the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially
    crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are
    only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are
    using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API
    endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the
    uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)

    runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In
    runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned
    container process (from runc exec) to have a working directory in the host filesystem namespace, allowing
    for a container escape by giving access to the host filesystem ('attack 2'). The same attack could be used
    by a malicious image to allow a container process to gain access to the host filesystem through runc run
    ('attack 1'). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries,
    allowing for complete container escapes ('attack 3a' and 'attack 3b'). runc 1.1.12 includes patches for
    this issue.(CVE-2024-21626)

Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-2024
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a462c4d");
  script_set_attribute(attribute:"solution", value:
"Update the affected docker-engine packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-24557");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21626");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'runc (docker) File Descriptor Leak Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/01");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/07/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/22");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-engine");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-engine-selinux");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);

var flag = 0;

var pkgs = [
  "docker-engine-18.09.0.101-1.h71.28.24.eulerosv2r8",
  "docker-engine-selinux-18.09.0.101-1.h71.28.24.eulerosv2r8"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-engine");
}