On Thu, Jan 25, 2024 at 7:30 PM wanglei (M) <wanglei249(a)huawei.com> wrote:
Dear Akihiro Suda, Mrunal Patel:
Thank you for your reply and I respect your opinion.
For Docker, Containerd, Podman, and other runtimes, shall we add refcnt to
maskedpath when setting spec?
*From:* Mrunal Patel [mailto:mpatel@redhat.com]
*Sent:* January 26, 2024 5:38
*To:* Akihiro Suda <suda.kyoto(a)gmail.com>
*CC:* wanglei (M) <wanglei249(a)huawei.com>; Security@Docker <
security(a)docker.com>; security(a)containerd.io; podman(a)lists.podman.io;
cncf-crio-security(a)lists.cncf.io; security(a)opencontainers.org; Heyuandong
<heyuandong(a)huawei.com>
*Subject:* Re: [Vulnerability Report] ctr-cnt: Host containers count info
leak
I agree that this isn't a vulnerability.
On Thu, Jan 25, 2024 at 1:29 PM Akihiro Suda <suda.kyoto(a)gmail.com> wrote:
I don't think this is a vuln.
Containers have been leaking loadavg, memory usage, disk usage, and other
resource counters too.
On Thu, Jan 25, 2024 at 18:09 'wanglei (M)' via OCI Security <
security(a)opencontainers.org> wrote:
Dear Container Security Teams:
I hope this message finds you well. My name is LEI WANG, a container
security newb. I am writing to report a security vulnerability about host
containers count info leakage.
------------------------------
1. Information
Project: docker <https://github.com/moby/moby>, containerd <https://github.com/containerd/containerd>, podman <https://github.com/containers/podman>, crio, runc <https://github.com/opencontainers/runc>
  Note: Due to the widespread impact, we have also copied runc
  …
  If other container software is affected, please forward the email.
Affect Version: all
CVSS: 4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Author: LEI WANG, Github-ID: ssst0n3 <http://github.com/ssst0n3>
2. Original Features
Container runtimes manage the file system using graph drivers such as
overlay and devicemapper, which are loaded as modules into the kernel.
The container runtime shares the host’s sysfs, where
/sys/module/<MODULE_NAME>/refcnt represents the reference count of the
corresponding module. The reference count of these modules typically
matches the number of mounted file systems on the host, thereby leaking the
number of running containers on the host.
3. Vulnerability
3.1 Description
Files such as /sys/module/overlay/refcnt reveal the number of containers
running on the host because the sysfs of the host is shared when the
container is running.
3.2 Impact
All versions of all runtimes are affected
- docker
- containerd
- cri-o
- podman
- …
Given the breadth of the impact on the runtime, it may be necessary to
copy runc.
Disclosure of the number of containers running on a host can provide
several potential advantages to an attacker:
1. *Target value assessment*: If an attacker knows that a system is
running a large number of containers, the system may host multiple services
or applications, indicating that the target is a high-value target.
2. *Resource utilization and load information*: The number of
containers can give attackers some clues about system resource utilization
and load. For example, a host running a large number of containers may have
high resource usage, which may allow attackers to use this information to
launch denial-of-service (DoS) or distributed denial-of-service (DDoS)
attacks.
3. *Attack vector identification*: Knowing the number of containers
may also help attackers infer potential attack vectors. For example, if
many containers are running, attackers may assume that some of these
containers may not have proper security configuration or timely software
updates.
4. *Penetration policy planning*: Attackers may plan multi-phase
attacks or select the most likely unhardened container intrusion based on
the number of containers and their speculation about the system
architecture.
3.3 CVSS
4.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
<https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:...
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: None
Availability: None
4. PoC
$ docker ps |wc -l
7
$ docker run -ti ubuntu cat /sys/module/overlay/refcnt
7
$ docker run -tid ubuntu bash
78f902370c4bc18b787b95bca5079c052b8b7acd3e43cb7ccff01d8c4c740094
$ docker run -ti ubuntu cat /sys/module/overlay/refcnt
8
5. Fixing Suggestion
Add refcnt to maskedpath by referring to the method of setting maskedpath
in Docker.
https://github.com/moby/moby/blob/25.0/oci/defaults.go#L105-L116
MaskedPaths: []string{
	"/proc/asound",
	"/proc/acpi",
	"/proc/kcore",
	"/proc/keys",
	"/proc/latency_stats",
	"/proc/timer_list",
	"/proc/timer_stats",
	"/proc/sched_debug",
	"/proc/scsi",
	"/sys/firmware",
	"/sys/devices/virtual/powercap",
},
6. Others
Should this issue be confirmed as a vulnerability, I kindly request
assistance in obtaining a CVE-ID. I would appreciate it if the credit for
this discovery could be assigned to my GitHub ID: ssst0n3. If you require
any further assistance, please feel free to contact me at your convenience.
------------------------------
Thank you for your time and attention to this matter. We look forward to
your response and guidance on the next steps.
Best regards,
LEI WANG
--
To unsubscribe from this group and stop receiving emails from it, send an
email to security+unsubscribe(a)opencontainers.org.
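An audit check for the mitigation the report proposes, added here as an example (it is not code from Docker, containerd, runc or the reporter): it parses an OCI runtime config.json and lists which module refcnt files are not yet in linux.maskedPaths. The sample config is constructed from the Docker 25.0 defaults quoted above, and treating dm_mod as the kernel module behind the devicemapper driver is an assumption.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// ociSpec mirrors only the field of an OCI runtime-spec config.json this check needs.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}

// Module reference-count files the report points at. Assumption: dm_mod is
// the kernel module behind the devicemapper driver.
var refcntPaths = []string{"/sys/module/overlay/refcnt", "/sys/module/dm_mod/refcnt"}

// MissingMasks parses a config.json and returns the refcnt paths that are
// not listed under linux.maskedPaths, in refcntPaths order.
func MissingMasks(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, err
	}
	masked := map[string]bool{}
	for _, p := range spec.Linux.MaskedPaths {
		masked[p] = true
	}
	var missing []string
	for _, p := range refcntPaths {
		if !masked[p] {
			missing = append(missing, p)
		}
	}
	return missing, nil
}

// Constructed sample: the Docker 25.0 default MaskedPaths quoted in the
// report, which contain no /sys/module/*/refcnt entry.
const sampleConfig = `{"linux":{"maskedPaths":["/proc/asound","/proc/acpi",
"/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list",
"/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware",
"/sys/devices/virtual/powercap"]}}`

func main() {
	missing, _ := MissingMasks([]byte(sampleConfig)) // sample is well-formed JSON
	fmt.Println("refcnt files still readable from containers:", missing)
}
```

Run it against a real container's config.json (for example one produced by `runc spec` or found in the runtime's bundle directory) to see whether the masks were actually applied.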