CVE-2021-43816 Information

Description

containerd is an open source container runtime. On installations using SELinux such as EL8 (CentOS RHEL) Fedora or SUSE MicroOS with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI) an unprivileged pod scheduled to the node may bind mount via hostPath volume any privileged regular file on disk for complete read/write access (sans delete). Such is achieved by placing the in-container location of the hostPath volume mount at either /etc/hosts /etc/hostname or /etc/resolv.conf. These locations are being relabeled indiscriminately to match the container process-label which effectively elevates permissions for savvy containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Reference

https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c https://github.com/containerd/containerd/issues/6194 https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299 https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/MPDIZMI7ZPERSZE2XO265UCK5IWM7CID/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GD5GH7NMK5VJMA2Y5CYB5O5GTPYMWMLX/

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction Required

HIGH

Scope

NONE

Confidentiality Impact

CHANGED

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

HIGH

Base Severity

9.1