Moby is an open-source project developed by Docker to facilitate and accelerate software containerization. It is the foundation of the popular containerization tool, Docker Engine. A vulnerability has been discovered in Moby (Docker Engine) versions prior to 20.10.14, where containers were incorrectly started with non-empty inheritable Linux process capabilities. This issue results in an untypical Linux environment and potentially enables programs with inheritable file capabilities to escalate those capabilities during the execve(2) system call execution.
The Vulnerability
Under normal circumstances, when an executable program possesses specified permitted file capabilities, unprivileged users and processes may execute the program and gain the specified file capabilities up to the bounding set. However, this bug allows containers containing executable programs with inheritable file capabilities to grant unprivileged users and processes these inheritable file capabilities up to the container's bounding set.
This vulnerability is particularly impactful for containers that rely on Linux users and groups for privilege separation within the container. It is important to note that this bug does not affect the container security sandbox as the inheritable set never contains more capabilities than those included in the container's bounding set.
The official reference for this vulnerability can be found at CVE-2022-24769.
A demonstration of the exploit for this vulnerability is provided below
# Run a vulnerable container
$ docker run -it --rm --cap-add SYS_PTRACE ubuntu:18.04 /bin/bash
# Inside the container, install the necessary tools
$ apt-get update && apt-get install -y libcap2-bin strace
# Observe inheritable capabilities
$ capsh --print
# Attempt to trace a process using strace
$ strace -p 1
In this example, the SYS_PTRACE capability is added to the container, allowing the otherwise unprivileged user to trace a process using strace.
The Fix
This bug has been fixed in Moby (Docker Engine) version 20.10.14. To mitigate the issue, existing containers should be stopped, deleted, and recreated to reset inheritable capabilities. This fix ensures that Moby (Docker Engine) containers will start with a more typical Linux environment.
The relevant pull request can be found here, and the changelog is available here.
Workaround
As a temporary workaround, the entry point of a container can be modified to use a utility like capsh(1) to drop inheritable capabilities before starting the primary process. Here is an example of how the entry point may be modified:
FROM ubuntu:18.04
RUN apt-get update && apt-get install -y libcap2-bin
ENTRYPOINT ["/sbin/capsh", "--drop=cap_sys_ptrace,cap_sys_admin", "--", "/bin/bash"]
In this example, the capsh utility is used to drop the cap_sys_ptrace and cap_sys_admin capabilities from the inheritable set before launching the main /bin/bash process.
Conclusion
CVE-2022-24769 is a vulnerability in Moby (Docker Engine) versions prior to 20.10.14, where containers with non-empty inheritable Linux process capabilities can potentially allow an unprivileged user to escalate these inheritable capabilities. The issue has been addressed in version 20.10.14, and users are advised to update their installations and recreate affected containers.
Timeline
Published on: 03/24/2022 20:15:00 UTC
Last modified on: 06/13/2022 11:15:00 UTC