I agree that this isn't a vulnerability.
On Thu, Jan 25, 2024 at 1:29 PM Akihiro Suda <suda.kyoto(a)gmail.com> wrote:
I don't think this is a vuln.
Containers have been leaking loadavg, memory usage, disk usage, and other
resource counters too.
On Thu, Jan 25, 2024 at 18:09, 'wanglei (M)' via OCI Security <
security(a)opencontainers.org> wrote:
> Dear Container Security Teams:
>
> I hope this message finds you well. My name is LEI WANG, a container
> security newb. I am writing to report a security vulnerability about host
> containers count info leakage.
> ------------------------------
> 1. Information
>
> Item            Details                                                Note
> Project         docker <https://github.com/moby/moby>
>                 containerd <https://github.com/containerd/containerd>
>                 podman <https://github.com/containers/podman>
>                 crio
>                 runc <https://github.com/opencontainers/runc>          Due to the widespread impact, we have also copied runc
>                 …                                                      If other container software is affected, please forward the email.
> Affect Version  all
> CVSS            4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
> Author          LEI WANG
>                 Github-ID: ssst0n3 <http://github.com/ssst0n3>
>
> 2. Original Features
>
> Container runtimes manage the file system using graph drivers such as
> overlay and devicemapper, which are loaded as modules into the kernel.
>
> The container runtime shares the host’s sysfs, where
> /sys/module/<MODULE_NAME>/refcnt represents the reference count of the
> corresponding module. The reference count of these modules typically
> matches the number of mounted file systems on the host, thereby leaking the
> number of running containers on the host.
> 3. Vulnerability
> 3.1 Description
>
> Files such as /sys/module/overlay/refcnt reveal the number of containers
> running on the host because the sysfs of the host is shared when the
> container is running.
> 3.2 Impact
>
> All versions of all runtimes are affected
>
> - docker
> - containerd
> - cri-o
> - podman
> - …
>
> Given the breadth of the impact on the runtime, it may be necessary to
> copy runc.
>
> Disclosure of the number of containers running on a host can provide
> several potential advantages to an attacker:
>
> 1. *Target value assessment*: If an attacker knows that a system is
> running a large number of containers, the system may host multiple services
> or applications, indicating that the target is a high-value target.
>
> 2. *Resource utilization and load information*: The number of
> containers can give attackers some clues about system resource utilization
> and load. For example, a host running a large number of containers may have
> high resource usage, which may allow attackers to use this information to
> launch denial-of-service (DoS) or distributed denial-of-service (DDoS)
> attacks.
>
> 3. *Attack vector identification*: Knowing the number of containers
> may also help attackers infer potential attack vectors. For example, if
> many containers are running, attackers may assume that some of these
> containers may not have proper security configuration or timely software
> updates.
>
> 4. *Penetration policy planning*: Attackers may plan multi-phase
> attacks or select the most likely unhardened container intrusion based on
> the number of containers and their speculation about the system
> architecture.
> 3.3 CVSS
>
> 4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
> <https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:...>
>
> vector                 score      reason
> Attack Vector          Local
> Attack Complexity      Low
> Privileges Required    None
> User Interaction       None
> Scope                  Changed
> Confidentiality        Low
> Integrity              None
> Availability           None
>
> 4. PoC
>
>   $ docker ps |wc -l
>   7
>   $ docker run -ti ubuntu cat /sys/module/overlay/refcnt
>   7
>   $ docker run -tid ubuntu bash
>   78f902370c4bc18b787b95bca5079c052b8b7acd3e43cb7ccff01d8c4c740094
>   $ docker run -ti ubuntu cat /sys/module/overlay/refcnt
>   8
>
> 5. Fixing Suggestion
>
> Add refcnt to maskedpath by referring to the method of setting maskedpath
> in Docker.
> https://github.com/moby/moby/blob/25.0/oci/defaults.go#L105-L116
>
>   MaskedPaths: []string{
>     "/proc/asound",
>     "/proc/acpi",
>     "/proc/kcore",
>     "/proc/keys",
>     "/proc/latency_stats",
>     "/proc/timer_list",
>     "/proc/timer_stats",
>     "/proc/sched_debug",
>     "/proc/scsi",
>     "/sys/firmware",
>     "/sys/devices/virtual/powercap",
>   },
>
> 6. Others
>
> Should this issue be confirmed as a vulnerability, I kindly request
> assistance in obtaining a CVE-ID. I would appreciate it if the credit for
> this discovery could be assigned to my GitHub ID: ssst0n3. If you require
> any further assistance, please feel free to contact me at your convenience.
> ------------------------------
>
> Thank you for your time and attention to this matter. We look forward to
> your response and guidance on the next steps.
>
> Best regards,
>
> LEI WANG
>
>
>
> --
> To unsubscribe from this group and stop receiving emails from it, send an
> email to security+unsubscribe(a)opencontainers.org.
>
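The hardening the report proposes in section 5 is to add the sysfs refcnt file to the runtime's masked paths. As an added example (not code from the thread, Docker or runc), this Go function applies that change to an OCI runtime config.json while preserving every other field; the sample config, and the module names overlay and dm_mod (the devicemapper module), are constructed for the example.

```go
package main

import "encoding/json"

// Constructed minimal OCI runtime config.json (not from any real runtime).
const sampleConfig = `{"ociVersion":"1.0.2","process":{"args":["sh"]},
 "linux":{"maskedPaths":["/proc/kcore","/sys/firmware"]}}`

// refcntPath is the sysfs file the report singles out, for one module.
func refcntPath(module string) string {
	return "/sys/module/" + module + "/refcnt"
}

// maskModuleRefcnt appends /sys/module/<m>/refcnt for each module to
// linux.maskedPaths, creating the list when absent and skipping entries
// already present. The document is edited as a generic map so every other
// field survives the round trip. It returns the rewritten JSON and the
// final masked-path list.
func maskModuleRefcnt(config []byte, modules []string) ([]byte, []string, error) {
	var spec map[string]any
	if err := json.Unmarshal(config, &spec); err != nil {
		return nil, nil, err
	}
	linux, _ := spec["linux"].(map[string]any)
	if linux == nil {
		linux = map[string]any{}
		spec["linux"] = linux
	}
	raw, _ := linux["maskedPaths"].([]any)
	var masked []string
	seen := map[string]bool{}
	for _, p := range raw {
		if s, ok := p.(string); ok && !seen[s] {
			masked = append(masked, s)
			seen[s] = true
		}
	}
	for _, m := range modules {
		if p := refcntPath(m); !seen[p] {
			masked = append(masked, p)
			seen[p] = true
		}
	}
	linux["maskedPaths"] = masked
	out, err := json.Marshal(spec)
	return out, masked, err
}
```

Running the function twice is idempotent, and a config with no linux section gets the list created rather than an error.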