CVE-2018-15664
Public on
Last Modified:
Insights vulnerability analysis
Description
A flaw was discovered in the API endpoint behind the 'docker cp' command. The endpoint is vulnerable to a Time Of Check to Time Of Use (TOCTOU) vulnerability in the way it handles symbolic links inside a container. An attacker who has compromised an existing container can cause arbitrary files on the host filesystem to be read/written when an administrator tries to copy a file from/to the container.
Statement
All versions of docker prior to the fix are vulnerable to this flaw.
For clarity, in the "Affected Packages State" table, we only include OpenShift Container Platform (OCP) versions 3.7 and below because for these versions docker was shipped as part of the release. For all subsequent versions of OCP until 3.11, docker is installed from the RHEL Extras repository meaning clusters will be vulnerable to the flaw unless an updated docker package has been applied.
Red Hat Fuse provides only the Docker client library and is not affected by this vulnerability.
Mitigation
Stopping a container prior to running "docker cp" removes the TOCTOU vulnerability.
Additional information
- Bugzilla 1714722: docker: symlink-exchange race attacks in docker cp
- (CWE-22|CWE-367): Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') or Time-of-check Time-of-use (TOCTOU) Race Condition
- FAQ: Frequently asked questions about CVE-2018-15664
Common Vulnerability Scoring System (CVSS) Score Details
Important note
CVSS scores for open source components depend on vendor-specific factors (e.g. version or build chain). Therefore, Red Hat's score and impact rating can be different from NVD and other vendors. Red Hat remains the authoritative CVE Naming Authority (CNA) source for its products and services (see Red Hat classifications).
| Red Hat | NVD | |
|---|---|---|
CVSS v3 Base Score | 7.5 | 7.5 |
Attack Vector | Local | Local |
Attack Complexity | High | High |
Privileges Required | Low | Low |
User Interaction | Required | Required |
Scope | Changed | Changed |
Confidentiality Impact | High | High |
Integrity Impact | High | High |
Availability Impact | High | High |
CVSS v3 Vector
Red Hat: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
NVD: CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Understanding the Weakness (CWE)
Integrity,Confidentiality,Availability
Technical Impact: Execute Unauthorized Code or Commands
The attacker may be able to create or overwrite critical files that are used to execute code, such as programs or libraries.
Integrity
Technical Impact: Modify Files or Directories
The attacker may be able to overwrite or create critical files, such as programs, libraries, or important data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, appending a new account at the end of a password file may allow an attacker to bypass authentication.
Confidentiality
Technical Impact: Read Files or Directories
The attacker may be able read the contents of unexpected files and expose sensitive data. If the targeted file is used for a security mechanism, then the attacker may be able to bypass that mechanism. For example, by reading a password file, the attacker could conduct brute force password guessing attacks in order to break into an account on the system.
Availability
Technical Impact: DoS: Crash, Exit, or Restart
The attacker may be able to overwrite, delete, or corrupt unexpected critical files such as programs, libraries, or important data. This may prevent the product from working at all and in the case of protection mechanisms such as authentication, it has the potential to lock out product users.
Integrity,Other
Technical Impact: Alter Execution Logic; Unexpected State
The attacker can gain access to otherwise unauthorized resources.
Integrity,Other
Technical Impact: Modify Application Data; Modify Files or Directories; Modify Memory; Other
Race conditions such as this kind may be employed to gain read or write access to resources which are not normally readable or writable by the user in question.
Integrity,Other
Technical Impact: Other
The resource in question, or other resources (through the corrupted one), may be changed in undesirable ways by a malicious user.
Non-Repudiation
Technical Impact: Hide Activities
If a file or other resource is written in this method, as opposed to in a valid way, logging of the activity may not occur.
Non-Repudiation,Other
Technical Impact: Other
In some cases it may be possible to delete files a malicious user might not otherwise have access to, such as log files.
Frequently Asked Questions
Why is Red Hat's CVSS v3 score or Impact different from other vendors?
My product is listed as "Under investigation" or "Affected", when will Red Hat release a fix for this vulnerability?
What can I do if my product is listed as "Will not fix"?
What can I do if my product is listed as "Fix deferred"?
What is a mitigation?
I have a Red Hat product but it is not in the above list, is it affected?
Why is my security scanner reporting my product as vulnerable to this vulnerability even though my product version is fixed or not affected?
My product is listed as "Out of Support Scope". What does this mean?
Not sure what something means? Check out our Security Glossary.
Want to get errata notifications? Sign up here.
