Containerd, Insecure Default Permissions, CVE-2024-32629 (Critical)


The vulnerability stems from containerd creating several critical directories with overly permissive access controls. Specifically, `/var/lib/containerd` (the metadata and content store) and certain directories under `/run/containerd` used for CRI communication and sandbox control were created with `0o711` or `0o755` permissions. These modes allow any local user on the host to traverse the directories (and, with `0o755`, list their contents) and reach any file beneath them whose own permissions allow access. This improper configuration permits unauthorized local users to read sensitive data, including the contents of Kubernetes local volumes. Access to these volumes could expose privileged information or, critically, setuid binaries. A local attacker could potentially execute such setuid binaries to elevate privileges on the host, moving from an unprivileged user account to root. The issue also affected a custom temporary directory if one was specified in the daemon's configuration file: it was likewise created with insecure `0o711` permissions instead of the restrictive `0o700`.
Platform: Containerd
Version: <1.7.29, <2.0.7, <2.1.5, <2.2.0
Vulnerability: Directory Permissions
Severity: Critical
Date: 2024-04-03

Prediction: Patched 2024-04-03

What Undercode Says:

`ls -la /var/lib/ | grep containerd`

`ls -la /run/containerd/`

`chmod 700 /var/lib/containerd`

`chmod 700 /run/containerd/io.containerd.grpc.v1.cri`

`find /var/lib/containerd -type f -perm /4000`
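The checks behind the commands above, as an added audit script that is not from the advisory or the containerd project: it assumes GNU or BSD `stat`, a ROOT_PREFIX argument (so a copied tree can be audited), and the two directory paths the commands above name; any extra paths (such as a custom `temp` directory from `config.toml`) are passed after the prefix.

```shell
#!/bin/sh
# Added example (not from the advisory or containerd): audit the containerd
# directories named above for the loose modes CVE-2024-32629 describes and
# list setuid/setgid files beneath them. ROOT_PREFIX is an assumed parameter.

# Octal mode of a path (GNU stat, falling back to BSD stat).
path_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 when DIR is absent or denies all group/other access (mode ends
# in 00); print a WEAK finding and return 1 otherwise (0o711 and 0o755 fail).
check_dir_mode() {
    dir="$1"
    [ -d "$dir" ] || { echo "SKIP   $dir (absent)"; return 0; }
    mode=$(path_mode "$dir")
    case "$mode" in
        *00) echo "OK     $dir ($mode)"; return 0 ;;
        *)   echo "WEAK   $dir ($mode): group/other can traverse or list"; return 1 ;;
    esac
}

# Print regular files under DIR carrying the setuid or setgid bit: the objects
# an unprivileged local user could run once the directory above is traversable.
find_setuid() {
    [ -d "$1" ] || return 0
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Audit the advisory's directories plus any extra paths given after ROOT_PREFIX.
# Returns 1 if any directory is weak or any setuid/setgid file is found.
audit_containerd_dirs() {
    prefix="${1:-}"
    [ $# -gt 0 ] && shift
    status=0
    set -- /var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri "$@"
    for d in "$@"; do
        check_dir_mode "$prefix$d" || status=1
        hits=$(find_setuid "$prefix$d")
        if [ -n "$hits" ]; then
            echo "SETUID under $prefix$d:"
            echo "$hits"
            status=1
        fi
    done
    return "$status"
}
```

Run `audit_containerd_dirs` with no arguments on the host itself; a non-zero exit means at least one directory still needs the `chmod 700` above or contains a setuid file worth inspecting.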

How It Is Exploited:

Local user enumerates directories.

Attacker reads volume contents.

Executes found setuid binary.

Protection from this CVE

Update to patched versions.

Manual `chmod` on directories.

Use rootless mode.

Impact:

Metadata store exposure.

Information disclosure.

Local privilege escalation.


Sources:

Reported By: github.com