CVE-2023-25173 - How a Flaw in containerd’s Group Handling Could Let Attackers Escalate Privileges in Containers

TL;DR:  
A security flaw in containerd (

What Is containerd?

containerd is a core piece in lots of container systems (including Docker and Kubernetes). It’s open source, widely used, and handles running and managing containers at a low level.

If you launch a Docker or Kubernetes container, containerd is (probably) doing the real work of bootstrapping and running the container using your settings from Dockerfiles or manifests.

About CVE-2023-25173

The vulnerability:  
A bug in containerd caused containers to run without properly setting *supplementary groups* for the user inside the container. So, if you set a user in your Dockerfile, their extra group memberships (those beyond their primary group) *weren’t right*.

Use those groups to access files *protected* from their main group.

- Maybe run privileged code or gather secrets meant for other users/groups.

Affected versions:

containerd *before* v1.6.18 and v1.5.18

- Downstream tools using the containerd client library until they update

Official advisory:  
- containerd GHSA-v853-8q72-6c2h Advisory
- CVE-2023-25173 NVD Entry

What Are Supplementary Groups, Anyway?

Linux users can be part of *multiple groups*. Each group has an ID (GID), and permissions for files/folders can be set using these groups. “Primary group” is your main one, but “supplementary groups” are the extra memberships.

Example:  

# On the host:
$ id bob
uid=1001(bob) gid=1001(bob) groups=1001(bob),10(wheel),120(devs),130(db)

Bob is in bob (primary), wheel, devs, and db (supplementary).

If only the primary group is set up inside a container, wheel, devs, and db permissions are lost—or could be added back later in ways the admin didn’t expect.

How to Exploit CVE-2023-25173 (Red Team Example)

Scenario:  
A misconfigured container, running on vulnerable containerd, uses USER alice in its Dockerfile. The user alice owns sensitive data file accessible only to group devs (a supplementary group for alice).

Attacker steps:

`sh

$ cat /data/projects/top-secret.txt

Example Dockerfile

FROM ubuntu:22.04
RUN groupadd -g 120 devs && \
    useradd -u 1002 -g 1002 -G devs alice && \
    mkdir /data && echo "secret" > /data/projects/top-secret.txt && \
    chown alice:devs /data/projects/top-secret.txt
USER alice
CMD ["/bin/bash"]

When containerd is vulnerable, only the *primary* group is active on login, not devs.

Why Did This Happen?

Because of a bug in how containerd set up the user session inside the container, *supplementary groups* defined for the container's user were ignored during container startup. The bug mainly appeared when using the Dockerfile USER instruction:  

USER alice

If you use su or su - alice as your entrypoint instead, Linux’s PAM subsystem initializes the user with the proper groups.

v1.5.18 (for older releases)

Download from the official containerd releases page.

2. Recreate all existing containers

Since group memberships are fixed at container start, you must re-create or restart containers after updating containerd.

3. Check your application stack

- Any software/library using containerd’s Go client (containerd/client) should update and check for its own advisories.

In your Dockerfile

Instead of  

USER alice

use  

ENTRYPOINT [ "su", "-", "alice" ]

This forces proper setup of supplementary groups on container start.

Code Snippet: Safe Dockerfile Setup

FROM ubuntu:22.04

# Set up supplementary group 'devs' and user 'alice'
RUN groupadd -g 120 devs && \
    useradd -u 1002 -g 1002 -G devs alice

# Create a secret only accessible to the 'devs' group
RUN mkdir -p /data/projects && \
    echo "super-secret" > /data/projects/top-secret.txt && \
    chown alice:devs /data/projects/top-secret.txt && \
    chmod 064 /data/projects/top-secret.txt

# Instead of USER alice, use ENTRYPOINT
ENTRYPOINT ["su", "-", "alice"]

# Open bash shell by default
CMD ["/bin/bash"]

[x] Upgraded containerd to 1.6.18 or above (or 1.5.18)

- [x] Re-created/restarted all containers

[x] Used ENTRYPOINT ["su", "-", "user"] as needed

- [x] Verified any external or downstream apps/libraries for advisories

More Reading

- containerd Advisory GHSA-v853-8q72-6c2h
- CVE-2023-25173 on MITRE
- Docker Changes for Group Handling
- containerd Release Notes

Summary

If you use containerd and set users in your containers, upgrade ASAP. This bug could let attackers bypass group barriers and help themselves to restricted files or capabilities. Even if you run mostly trustworthy workloads, updating is the right call. And remember to audit third-party tools built on containerd libraries!

Stay safe and keep shipping containers securely 🚢🔒

Timeline

Published on: 02/16/2023 15:15:00 UTC
Last modified on: 02/24/2023 16:56:00 UTC