I agree that this isn't a vulnerability.

On Thu, Jan 25, 2024 at 1:29 PM Akihiro Suda <suda.kyoto@gmail.com> wrote:
I don't think this is a vuln.
Containers have been leaking loadavg, memory usage, disk usage, and other resource counters too.


On Thu, Jan 25, 2024 at 18:09, 'wanglei (M)' via OCI Security <security@opencontainers.org> wrote:

Dear Container Security Teams:

I hope this message finds you well. My name is LEI WANG, a container security newb. I am writing to report a security vulnerability about host container count information leakage.


1. Information

Item              Details                                          Note
Project           docker
                  containerd
                  podman
                  crio
                  runc                                             Due to the widespread impact, we have also copied runc.
                                                                   If other container software is affected, please forward the email.
Affected Version  all
CVSS              4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Author            LEI WANG
                  Github-ID: ssst0n3

2. Original Features

Container runtimes manage the file system using graph drivers such as overlay and devicemapper, which are loaded as modules into the kernel.

The container runtime shares the host’s sysfs, where /sys/module/<MODULE_NAME>/refcnt represents the reference count of the corresponding module. The reference count of these modules typically matches the number of mounted file systems on the host, thereby leaking the number of running containers on the host.

3. Vulnerability

3.1 Description

Files such as /sys/module/overlay/refcnt reveal the number of containers running on the host because the sysfs of the host is shared when the container is running.

3.2 Impact

All versions of all runtimes are affected:

  • docker
  • containerd
  • cri-o
  • podman

Given the breadth of the impact on the runtime, it may be necessary to copy runc.

Disclosure of the number of containers running on a host can provide several potential advantages to an attacker:

1. Target value assessment: If an attacker knows that a system is running a large number of containers, the system may host multiple services or applications, indicating that the target is a high-value target.

2. Resource utilization and load information: The number of containers can give attackers some clues about system resource utilization and load. For example, a host running a large number of containers may have high resource usage, which may allow attackers to use this information to launch denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks.

3. Attack vector identification: Knowing the number of containers may also help attackers infer potential attack vectors. For example, if many containers are running, attackers may assume that some of these containers may not have proper security configuration or timely software updates.

4. Penetration policy planning: Attackers may plan multi-phase attacks or select the most likely unhardened container intrusion based on the number of containers and their speculation about the system architecture.

3.3 CVSS

4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

Vector               Score    Reason
Attack Vector        Local
Attack Complexity    Low
Privileges Required  None
User Interaction     None
Scope                Changed
Confidentiality      Low
Integrity            None
Availability         None

4. PoC

$ docker ps |wc -l
7
$ docker run -ti ubuntu cat /sys/module/overlay/refcnt
7
$ docker run -tid ubuntu bash
78f902370c4bc18b787b95bca5079c052b8b7acd3e43cb7ccff01d8c4c740094
$ docker run -ti ubuntu cat /sys/module/overlay/refcnt
8

5. Fixing Suggestion

Add refcnt to MaskedPaths, following the way Docker sets MaskedPaths.

https://github.com/moby/moby/blob/25.0/oci/defaults.go#L105-L116

MaskedPaths: []string{
    "/proc/asound",
    "/proc/acpi",
    "/proc/kcore",
    "/proc/keys",
    "/proc/latency_stats",
    "/proc/timer_list",
    "/proc/timer_stats",
    "/proc/sched_debug",
    "/proc/scsi",
    "/sys/firmware",
    "/sys/devices/virtual/powercap",
},

6. Others

Should this issue be confirmed as a vulnerability, I kindly request assistance in obtaining a CVE-ID. I would appreciate it if the credit for this discovery could be assigned to my GitHub ID: ssst0n3. If you require any further assistance, please feel free to contact me at your convenience.


Thank you for your time and attention to this matter. We look forward to your response and guidance on the next steps.

Best regards,

LEI WANG


--
To unsubscribe from this group and stop receiving emails from it, send an email to security+unsubscribe@opencontainers.org.

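The fixing suggestion in the report amounts to adding entries to the OCI runtime spec's linux.maskedPaths, which runc then covers with a bind mount of /dev/null. The Go snippet below is an added example for this discussion, not code from runc, moby or any project named in the thread: it takes a runtime config.json, appends the refcnt paths that are not already listed, and carries every other field over untouched. The module list (overlay, dm_mod) and the sample config are assumptions of the example.

```go
package main

import "encoding/json"

// Refcnt files for the graph drivers the report names (assumed list; extend per host).
var refcntPaths = []string{"/sys/module/overlay/refcnt", "/sys/module/dm_mod/refcnt"}

// decode parses config.json generically so unmodelled fields survive re-encoding.
func decode(configJSON []byte) (spec, linux map[string]any, err error) {
	if err = json.Unmarshal(configJSON, &spec); err != nil {
		return nil, nil, err
	}
	if linux, _ = spec["linux"].(map[string]any); linux == nil {
		linux = map[string]any{} // no linux section yet: create it
		spec["linux"] = linux
	}
	return spec, linux, nil
}

// maskedOf returns linux.maskedPaths as strings (nil if none are set).
func maskedOf(linux map[string]any) (out []string) {
	raw, _ := linux["maskedPaths"].([]any)
	for _, v := range raw {
		if s, ok := v.(string); ok {
			out = append(out, s)
		}
	}
	return out
}

// EnsureMasked returns configJSON with every path in extra listed exactly once.
func EnsureMasked(configJSON []byte, extra []string) ([]byte, error) {
	spec, linux, err := decode(configJSON)
	if err != nil {
		return nil, err
	}
	masked := maskedOf(linux)
	seen := make(map[string]bool, len(masked))
	for _, p := range masked {
		seen[p] = true
	}
	for _, p := range extra {
		if !seen[p] { // skip paths the runtime already masks
			masked = append(masked, p)
			seen[p] = true
		}
	}
	linux["maskedPaths"] = masked
	return json.MarshalIndent(spec, "", "  ")
}
```

Running EnsureMasked on a constructed fragment such as `{"ociVersion":"1.0.2","linux":{"maskedPaths":["/proc/kcore"]}}` yields the same spec with both refcnt paths appended after /proc/kcore.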