Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 548884 (CVE-2015-3627) - <app-emulation/docker-1.6.1: multiple vulnerabilities (CVE-2015-{3627,3629,3630,3631})
Summary: <app-emulation/docker-1.6.1: multiple vulnerabilities (CVE-2015-{3627,3629,36...
Status: RESOLVED FIXED
Alias: CVE-2015-3627
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-05-08 07:04 UTC by Agostino Sarubbo
Modified: 2016-03-29 12:02 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-05-08 07:04:44 UTC
From ${URL} :

Docker Engine version 1.6.1 has been released to address several
vulnerabilities and is immediately available for all supported platforms.
Users are advised to upgrade existing installations of the Docker Engine
and use 1.6.1 for new installations.

It should be noted that each of the vulnerabilities allowing privilege
escalation may only be exploited by a malicious Dockerfile or image.  Users
are advised to run their own images and/or images built by trusted parties,
such as those in the official images library.

Please send any questions to security@...ker.com.


====================================================================

[CVE-2015-3629] Symlink traversal on container respawn allows local
privilege escalation

====================================================================

Libcontainer version 1.6.0 introduced changes which facilitated a mount
namespace breakout upon respawn of a container. This allowed malicious
images to write files to the host system and escape containerization.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.


==============================================================

[CVE-2015-3627] Insecure opening of file-descriptor 1 leading to privilege
escalation

==============================================================

The file-descriptor passed by libcontainer to the pid-1 process of a
container has been found to be opened prior to performing the chroot,
allowing insecure open and symlink traversal. This allows malicious
container images to trigger a local privilege escalation.

Libcontainer and Docker Engine 1.6.1 have been released to address this
vulnerability. Users running untrusted images are encouraged  to upgrade
Docker Engine.

Discovered by Tõnis Tiigi.


==================================================================

[CVE-2015-3630] Read/write proc paths allow host modification & information
disclosure

==================================================================

Several paths underneath /proc were writable from containers, allowing
global system manipulation and configuration. These paths included
/proc/asound, /proc/timer_stats, /proc/latency_stats, and /proc/fs.

By allowing writes to /proc/fs, it has been noted that CIFS volumes could
be forced into a protocol downgrade attack by a root user operating inside
of a container. Machines having loaded the timer_stats module were
vulnerable to having this mechanism enabled and consumed by a container.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

===============================================

[CVE-2015-3631] Volume mounts allow LSM profile escalation

===============================================

By allowing volumes to override files of /proc within a mount namespace, a
user could specify arbitrary policies for Linux Security Modules, including
setting an unconfined policy underneath AppArmor, or a docker_t policy for
processes managed by SELinux. In all versions of Docker up until 1.6.1, it
is possible for malicious images to configure volume mounts such that files
of proc may be overridden.

We are releasing Docker Engine 1.6.1 to address this vulnerability. All
versions up to 1.6.1 are believed vulnerable. Users running untrusted
images are encouraged to upgrade.

Discovered by Eric Windisch of the Docker Security Team.

========================

AppArmor policy improvements

========================

The 1.6.1 release also marks preventative additions to the AppArmor policy.
Recently, several CVEs against the kernel have been reported whereby mount
namespaces could be circumvented through the use of the sys_mount syscall
from inside of an unprivileged Docker container. In all reported cases, the
AppArmor policy included in libcontainer and shipped with Docker has been
sufficient to deflect these attacks. However, we have deemed it prudent to
proactively tighten the policy further by outright denying the use of the
sys_mount syscall.


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
Comment 1 Tianon 2015-05-08 14:02:30 UTC
I added 1.6.1 to docker-overlay yesterday (https://github.com/tianon/docker-overlay/blob/master/app-emulation/docker/docker-1.6.1.ebuild), it just needs to be proxied in and old versions removed. :)
Comment 2 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2015-05-08 17:28:21 UTC
  08 May 2015; Kacper Kowalik <xarthisius@gentoo.org> -docker-1.5.0.ebuild:
  drop old wrt #548884

  08 May 2015; Kacper Kowalik <xarthisius@gentoo.org> +docker-1.6.1.ebuild,
  -docker-1.6.0.ebuild:
  Version bump, drop old wrt #548884
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-06-14 20:12:32 UTC
CVE-2015-3631 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3631):
  Docker Engine before 1.6.1 allows local users to set arbitrary Linux
  Security Modules (LSM) and docker_t policies via an image that allows
  volumes to override files in /proc.

CVE-2015-3630 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3630):
  Docker Engine before 1.6.1 uses weak permissions for (1) /proc/asound, (2)
  /proc/timer_stats, (3) /proc/latency_stats, and (4) /proc/fs, which allows
  local users to modify the host, obtain sensitive information, and perform
  protocol downgrade attacks via a crafted image.

CVE-2015-3629 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3629):
  Libcontainer 1.6.0, as used in Docker Engine, allows local users to escape
  containerization ("mount namespace breakout") and write to arbitrary file on
  the host system via a symlink attack in an image when respawning a
  container.

CVE-2015-3627 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-3627):
  Libcontainer and Docker Engine before 1.6.1 opens the file-descriptor passed
  to the pid-1 process before performing the chroot, which allows local users
  to gain privileges via a symlink attack in an image.
Comment 4 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 09:14:35 UTC
@maintainer(s), please cleanup the vulnerable versions in the tree.  Thank you.
Comment 5 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-29 12:02:31 UTC
No vulnerable versions in tree.