ubuntucve | Ubuntu.com | UB:CVE-2020-15257
Nov 30, 2020 - 12:00 a.m.

CVE-2020-15257


CVSS3: 5.2 Medium
  Attack Vector: LOCAL
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: CHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVSS2: 3.6 Low
  Access Vector: LOCAL
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  AV:L/AC:L/Au:N/C:P/I:P/A:N

EPSS: 0.0004 Low
  Percentile: 13.1%

containerd is an industry-standard container runtime and is available as a
daemon for Linux and Windows. In containerd before versions 1.3.9 and
1.4.3, the containerd-shim API is improperly exposed to host network
containers. Access controls for the shim’s API socket verified that the
connecting process had an effective UID of 0, but did not otherwise
restrict access to the abstract Unix domain socket. This would allow
malicious containers running in the same network namespace as the shim,
with an effective UID of 0 but otherwise reduced privileges, to cause new
processes to be run with elevated privileges.

This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users
should update to these versions as soon as they are released. It should be
noted that containers started with an old version of containerd-shim should
be stopped and restarted, as running containers will continue to be
vulnerable even after an upgrade.

If you are not providing the ability for untrusted users to start
containers in the same network namespace as the shim (typically the “host”
network namespace, for example with docker run --net=host or
hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0,
you are not vulnerable to this issue. If you are running containers with a
vulnerable configuration, you can deny access to all abstract sockets with
AppArmor by adding a line similar to deny unix addr=@**, to your policy.

It is best practice to run containers with a reduced set of privileges,
with a non-zero UID, and with isolated namespaces. The containerd
maintainers strongly advise against sharing namespaces with the host.
Reducing the set of isolation mechanisms used for a container necessarily
increases that container’s privilege, regardless of what container runtime
is used for running that container.
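
An added example, not part of the advisory or of containerd's own code: a Python audit for the configuration the description calls vulnerable (hostNetwork: true combined with a container that may run with UID 0), plus a check of an upstream containerd version against the fixed releases 1.3.9 and 1.4.3. The function names and the sample pod list are constructed for illustration. The version check applies to upstream version strings only, not to the Ubuntu package versions listed on this page, which use their own numbering.

```python
# Constructed sample shaped like `kubectl get pods -A -o json` (not real cluster data).
SAMPLE_PODS = {"items": [
    {"metadata": {"namespace": "monitoring", "name": "node-agent"},
     "spec": {"hostNetwork": True,
              "containers": [{"name": "agent"}]}},
    {"metadata": {"namespace": "monitoring", "name": "exporter"},
     "spec": {"hostNetwork": True,
              "securityContext": {"runAsUser": 1000, "runAsNonRoot": True},
              "containers": [{"name": "metrics"},
                             {"name": "debug", "securityContext": {"runAsUser": 0}}]}},
    {"metadata": {"namespace": "web", "name": "frontend"},
     "spec": {"containers": [{"name": "nginx"}]}},
]}

def may_run_as_root(pod_sc, ctr_sc):
    """True if the container can start with UID 0.
    Container-level securityContext overrides pod-level; if runAsUser is unset
    the image decides, so only runAsNonRoot: true rules out UID 0."""
    def pick(key):
        return ctr_sc.get(key, pod_sc.get(key))
    uid = pick("runAsUser")
    if uid is not None:
        return uid == 0
    return pick("runAsNonRoot") is not True

def exposed_containers(pod_list):
    """Return (namespace, pod, container) for host-network containers that may run as UID 0."""
    findings = []
    for pod in pod_list.get("items", []):
        spec = pod.get("spec", {})
        if not spec.get("hostNetwork", False):
            continue  # isolated network namespace: outside the advisory's condition
        pod_sc = spec.get("securityContext") or {}
        for ctr in spec.get("containers", []) + spec.get("initContainers", []):
            if may_run_as_root(pod_sc, ctr.get("securityContext") or {}):
                meta = pod["metadata"]
                findings.append((meta.get("namespace", "default"), meta["name"], ctr["name"]))
    return findings

def upstream_fixed(version):
    """True if an upstream containerd version is 1.3.9+ on the 1.3 branch, or 1.4.3+ otherwise."""
    major, minor, patch = (int(p) for p in version.lstrip("v").split("-")[0].split(".")[:3])
    if (major, minor) == (1, 3):
        return patch >= 9
    return (major, minor, patch) >= (1, 4, 3)

if __name__ == "__main__":
    for finding in exposed_containers(SAMPLE_PODS):
        print("host network + possible UID 0:", "/".join(finding))
```

To audit a live cluster, pass the parsed output of `kubectl get pods -A -o json` to `exposed_containers` in place of the sample. A flagged container on a node that has been upgraded still needs a restart if it was started by an old containerd-shim.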

Notes

Author: Note

seth-arnold: Containers started with an old version of containerd-shim should be stopped and restarted. Patches are in Message-ID: <[email protected]

mdeslaur: Updates released in USN-4653-1 were pulled from the archive due to docker.io being stopped because of packaging issues. Reverting this CVE to “needed” until new updates are released. The cause of the regression is being investigated, and new updates to correct this CVE will be issued shortly.

OS      Version  Architecture  Package     Version                    Filename
ubuntu  18.04    noarch        containerd  < 1.3.3-0ubuntu1~18.04.4   UNKNOWN
ubuntu  16.04    noarch        containerd  < 1.2.6-0ubuntu1~16.04.6   UNKNOWN
ubuntu  20.04    noarch        containerd  < 1.3.3-0ubuntu2.2         UNKNOWN
ubuntu  20.10    noarch        containerd  < 1.3.7-0ubuntu3.2         UNKNOWN
