New containerd Security Hole Needs to Be Patched ASAP

guest · Dec 4, 2020

New containerd Security Hole Needs to Be Patched ASAP
December 3, 2020
https://thenewstack.io/new-containerd-security-hole-needs-to-be-patched-asap/

These days most of us are using the containerd runtime to manage our container’s lifecycle. It does, after all, underlay both Docker and many common Kubernetes configurations.
Alas, the UK security company NCC Group, has uncovered a potentially nasty one: CVE-2020-15257, containerd-shim API Exposed to Host Network Containers.

The containerd-shim is a binary spawned by containerd. This serves as the parent of a container. It implements the container lifecycle and reconnection logic. This, in turn, uses the containerd shim API as a network connection to containerd.
But, this connecting process had an effective UID of 0–aka root–but did not otherwise restrict access to its domain socket. Whoops.
Click to expand...

So, what can you do about it. First, it’s been fixed in containerd 1.3.9 and 1.4.3. These patches were released recently. And you should update to these versions as soon as you can. You’ll also have to restart any containers that spun up before you make the fix. That’s because older running containers will continue to be vulnerable even after an upgrade.
Click to expand...

NCC Group: Technical Advisory: containerd – containerd-shim API Exposed to Host Network Containers (CVE-2020-15257)

Impact
An attacker that is able to run or compromise a host network container running as UID 0 can escape the container, escalate privileges, and compromise the host.
Click to expand...

Log in or Sign up

New containerd Security Hole Needs to Be Patched ASAP

guest Guest

Log in or Sign up

New containerd Security Hole Needs to Be Patched ASAP

guest Guest

Useful Searches