GitHub Advisory DatabaseGHSA-CM9X-C3RH-7RC4CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%
Impact
It is possible to craft an environment variable with newlines to add entries to a container’s /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.
Note: because the pod author is in control of the container’s /etc/passwd, this is not considered a new risk factor. However, this advisory is being opened for transparency and as a way of tracking fixes.
Patches
1.26.0 will have the fix. More patches will be posted as they’re available.
Workarounds
Additional security controls like SELinux should prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container’s /etc/passwd
References
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| github.com/cri-o/cri-o | lt | 1.26.0 |
References
access.redhat.com/errata/RHSA-2023:1033
access.redhat.com/errata/RHSA-2023:1503
access.redhat.com/security/cve/CVE-2022-4318
bugzilla.redhat.com/show_bug.cgi?id=2152703
github.com/advisories/GHSA-cm9x-c3rh-7rc4
github.com/cri-o/cri-o/pull/6450
github.com/cri-o/cri-o/security/advisories/GHSA-cm9x-c3rh-7rc4
nvd.nist.gov/vuln/detail/CVE-2022-4318
Related
7.8 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
0.0004 Low
EPSS
Percentile
5.1%