Runc regression - docker-1.13.1-108 - CVE-2016-8867, CVE-2020-14298, and CVE-2020-14300

Public Date: June 23, 2020, 12:41
Updated September 3, 2021, 12:23 - Chinese, Simplified French Japanese Korean
Resolved Status
Important Impact

Insights vulnerability analysis

View exposed systems

Executive summary

Red Hat released a version of docker for Red Hat Enterprise Linux 7 Extras that introduced multiple regressions for previously fixed security flaws and a new vulnerability. Red Hat released this version in early January 2020 and subsequently fixed it with an early February 2020 release. Red Hat Product Security has classified these flaws  as having a severity rating of Important. Users of this vulnerable version of docker are urged to upgrade to newer versions. 

The following Red Hat product versions are impacted:

  • Red Hat Enterprise Linux 7 Extras
  • Red Hat Enterprise Linux Atomic Host (versions 7.7.3.1 & 7.7.4)

The following Red Hat products and services are potentially impacted. These products have installation dependencies on docker, and during this short time period the vulnerable version may have been installed from the Red Hat Enterprise 7 Extras channel:

  • Red Hat Ceph Storage 2
  • Red Hat Ceph Storage 3
  • Red Hat OpenStack Platform 10 (*)
  • Red Hat OpenStack Platform 13
  • Red Hat OpenShift Container Platform 3.11
  • Red Hat Quay
  • Microsoft Azure OpenShift v3

To determine if your system is currently vulnerable to these flaws, see the Diagnosis section below. Additionally, an Ansible playbook for automatic remediation is provided below.

* Red Hat OpenStack Platform 10 provided capabilities with docker as a Technology Preview. 

Technical summary

An update for docker packages in the Red Hat Enterprise Linux 7 Extras repository released on January 8th, 2020, via erratum RHBA-2020:0053 included a vulnerable version of runc that was missing multiple patches added via the previous errata, creating a regression of multiple bug and security fixes.

This update introduced three security issues. Two of the flaws are regressions of previously fixed security flaws (CVE-2020-14298 and CVE-2020-14300). The third security flaw is new and did not affect previous docker packages in Red Hat Enterprise Linux 7 Extras (CVE-2016-8867).

All three issues have been rated as having a severity impact of Important.

Technical details and mitigation

CVE-2020-14298

This CVE was assigned to the regression for the fix for CVE-2019-5736, which was previously addressed in the Red Hat Enterprise Linux 7 Extras docker packages via RHSA-2019:0304. This issue allows a malicious or compromised container to compromise the container host and other containers running on the same host.

The impact of this issue is mitigated by the use of SELinux in enforcing mode. The SELinux policy prevents a process in the container from overwriting files on the host system that do not belong to the container, and files belonging to other containers. Further escalation of privileges on the host would require exploiting another kernel flaw that allows bypassing or disabling SELinux. Additionally, the known exploit for this issue requires overwriting the docker-runc binary. Placement of the binary on a read-only file system prevents the overwrite and stops the exploit. Red Hat Enterprise Linux Atomic Host 7 uses a read-only file system for system binaries and therefore mitigates this issue.

CVE-2020-14300

This CVE was assigned to the regression of the fix for CVE-2016-9962, which was previously addressed in the Red Hat Enterprise Linux 7 Extras docker packages via RHSA-2017:0116. This issue allows a malicious or compromised container to further compromise the container host and other containers running on the same host.

The impact of this issue is mitigated by the use of SELinux in enforcing mode. The SELinux policy prevents a process in the container from overwriting files on the host system that do not belong to the container, and files belonging to other containers. Further escalation of privileges on the host would require exploiting another kernel flaw that allows bypassing or disabling SELinux.

CVE-2016-8867
An incorrect setting of ambient capabilities caused unprivileged non-root processes inside a container to run with unexpected capabilities, allowing them to escalate their privileges inside that container to root.  When this issue was originally reported in 2016, it did not affect any version of docker packages shipped with Red Hat Enterprise Linux 7 Extras at that time. 

Due to the regression, the docker-1.13.1-108.git4ef4b30.el7 packages became vulnerable to these privilege escalations within the container.  This specific build is the only one containing the regression, and the only version affected by this issue.

This issue can be mitigated by restricting the set of capabilities available to processes inside containers using the --cap-add and --cap-drop options. However, as such restrictions apply to both non-root and root processes, the set of capabilities that can be dropped without breaking intended functionality has to be determined for each container and may not prevent privilege escalation. Therefore, Red Hat recommends that users install fixed docker packages instead of using this mitigation.

Background

On January 8th 2020, Red Hat released RHBA-2020:0053 containing docker-1.13.1-108.git4ef4b30.el7. Soon after, it was discovered that docker-1.13.1-108.git4ef4b30.el7 contained various regressions, and during the research, it was found that runc part was built from the master branch instead of the Red Hat specific branch. This issue has caused major patches (bug fixes, enhancements, and security fixes) to not be available in the package shipped.

On February 4th 2020, Red Hat released RHBA-2020:0427 containing docker-1.13.1-109.gitcccb291.el7_7, which did include all previously missing patches as it was built again against the correct runc branch. Since this released version, no further regressions have been introduced or reintroduced.

On June 23rd 2020, Red Hat released RHSA-2020:2653 containing docker-1.13.1-162.git64e9980.el7_8. This update provides no new security fixes compared to the last previously released version docker-1.13.1-161.git64e9980.el7_8 (from RHSA-2020:1234). It also contains no new fixes related to CVE-2020-14298, CVE-2020-14300, or CVE-2016-8867 compared to docker-1.13.1-109.gitcccb291.el7_7, which corrected all three issues described in this article. This erratum is released to ensure proper customer visibility of the regression introduced in docker-1.13.1-108.git4ef4b30.el7 packages as they were originally only addressed via a bug fix advisory (RHBA) rather than a security advisory (RHSA). This erratum also ensures proper visibility of the problem to security scanning tools.

Product impact

Red Hat Enterprise Linux Atomic Host versions 7.7.3.1 & 7.7.4, and Red Hat Enterprise Linux 7 Extras are the only Red Hat products that have shipped a vulnerable version of docker. However, several other products and services rely on docker packages from Red Hat Enterprise Linux 7 Extras and are potentially affected. Those products that depend on Red Hat Enterprise Linux 7 Extras need to have the docker package updated to remediate these vulnerabilities. To determine if your system is currently vulnerable to these flaws, see the Diagnosis section below.

OpenShift Container Platform OCP 3.11

CVE-2020-14298 and CVE-2020-14300 are mitigated on OCP 3.11 by default as SELinux is set to enabled and enforcing mode is part of installation steps.
Installations of OCP 3.11 with a vulnerable version of docker are affected by CVE-2016-8867, but the ramifications of the vulnerability are reduced due to the privilege escalation being restricted to within each container.

Any users who installed or upgraded a 3.11 cluster between January 8th and February 4th, 2020, are more likely to have a vulnerable docker version installed and are urged to check as soon as possible.

Red Hat Ceph Storage versions 2 and 3

Red Hat Ceph Storage version 3 uses the docker package from the Red Hat Enterprise Linux 7 Extras repository. The docker package is used within Ceph Storage to create, deploy, and run applications by using containers such as Grafana and Prometheus while installing the Red Hat Ceph Storage Dashboard.
 
Red Hat Ceph Storage version 2 also uses docker from the Red Hat Enterprise Linux 7 Extras repository while deploying the Red Hat Ceph Storage 2 as a Container Image.

SELinux enforcing mode is enabled by default in Red Hat Ceph Storage 2 and 3, which mitigates CVE-2020-14298 and CVE-2020-14300. However, containers from both Ceph Storage versions which were deployed with the vulnerable version of docker are affected by CVE-2016-8867.

Red Hay Quay

The process of installing Red Hat Quay includes enabling the Red Hat Enterprise Linux 7 Extras repository and installing docker as the container runtime for running the product’s container images.  By default, SELinux will be enabled, mitigating the impact of CVE-2020-14298 and CVE-2020-14300.  The third vulnerability, CVE-2016-8867, will be present within the running containers on that system, including the Red Hat Quay containers.

Red Hat OpenStack Platform versions 10 and 13

Both Red Hat OpenStack version 10 and Red Hat OpenStack version 13 enable the Red Hat Enterprise Linux 7 Extras repository and install docker from this location. The usage of docker and containers within Red Hat OpenStack version 10 is a Technology Preview. The usage of docker and containers within Red Hat OpenStack version 13 is more extensive, with all services running as containers (which rely on docker).

If a container escape flaw were to be exploited, the impact would be high as these services manage the entire Red Hat OpenStack infrastructure. Fortunately the default configuration of Red Hat OpenStack runs with SELinux in enforcing mode, which mitigates the possibility of container escapes. Additionally, the images used for overcloud services are trusted, so there is less risk for malicious repurposing.

Services Impact

Red Hat has confirmed the following services are not running the vulnerable version of docker, and thus are not affected by these vulnerabilities:

    •    Red Hat OpenShift Dedicated v3
    •    Red Hat OpenShift Dedicated v4
    •    Red Hat OpenShift Online
    •    Red Hat Managed Integration
    •    Quay.IO
    •    cloud.redhat.com
    •    Microsoft Azure OpenShift v4

Microsoft Azure OpenShift v3

Customers running Microsoft Azure OpenShift v3 clusters with version 16 and 17 are confirmed to be not affected due to routine updates. Two older clusters running version 15 are partially affected; as per the details for OpenShift Container Platform 3.11 above:

    •    CVE-2020-14298 and CVE-2020-14300 are mitigated by SELinux
    •    CVE-2016-8867 is present, but the impact of the vulnerability is reduced to the privilege escalation within each container.

Red Hat is working with Microsoft to ensure any affected customers are contacted.

Updates for affected products

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as the errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as they feel appropriate. Customers running Red Hat products with our Certified Cloud Provider Partners should contact the Cloud provider for further details.

ProductPackageAdvisory/Update
Red Hat Enterprise Linux 7 ExtrasdockerRHSA-2020:2653

Diagnosis

A vulnerability detection script has been developed to determine if your system is currently vulnerable to this flaw. To verify the authenticity of the script, you can download the detached GPG signature as well.

Determine if your system is vulnerable

Version 1.0

The vulnerability detection script is intended for currently supported Red Hat Enterprise Linux versions. The detection script can also be used with layered products on top of Red Hat Enterprise Linux where you have access to run the script.

Alternatively, you can use a simple shell command to check installed version of docker package:

$ rpm -q docker

If the reported version is docker-1.13.1-108.git4ef4b30.el7, you are potentially vulnerable to this issue.

Ansible Playbook

Additionally, an Ansible playbook, "CVE-2020-14297-14300-update_fixit--2020-06-23-1248_0.yml",  is provided below. This playbook will update affected docker packages. To use the playbook, specify the hosts you'd like to update with the HOSTS extra var:

ansible-playbook -e HOSTS=container_host,dev01 CVE-2020-14297-14300-update_fixit--2020-06-23-1248_0.yml

To verify the legitimacy of the playbook, you can download the detached GPG signature.

Automate the mitigation

Version 1.0

FAQ

Q: Do I need to reboot or restart something after installing updated docker packages?
A: The docker daemon will be restarted during `yum update`, stopping all running containers. Any containers running before `yum update` is executed will need to be restarted. To update docker in OpenShift Container Platform 3.11, follow the below guide:

https://docs.openshift.com/container-platform/3.11/upgrading/os_upgrades.html

Q: If I'm already using docker packages version docker-1.13.1-109.gitcccb291.el7_7 or docker-1.13.1-161.git64e9980.el7_8, do I need to install docker-1.13.1-162.git64e9980.el7_8 immediately to address these issue?
A: No immediate action is required. All three issues CVE-2016-8867, CVE-2020-14298, and CVE-2020-14300 were already addressed in docker-1.13.1-109.gitcccb291.el7_7. The update included in RHSA-2020:2653 is released to ensure proper visibility of these issues to users and tools. Refer to the background information above for more details.

Q: Is Red Hat OpenShift Container Platform OCP 4.x affected?
A: Red Hat OpenShift Container Platform 4.x is not affected by this regression as it uses CRI-O container engine instead of docker.  While it is possible to run Red Hat Enterprise Linux 7 on worker nodes, these will be installed with CRI-O which is not affected by this vulnerability.

Q: Is Red Hat OpenShift Container Storage (OCS) affected?
A: OCS 4.x uses OCP 4.x as a base and OCS 3.x uses OCP 3.x as a base. Hence OCP covers the affectedness of OCS.

Q: Is Red Hat Enterprise Linux 8 affected?
A: Red Hat Enterprise Linux 8 is not affected by this regression. It has never included this vulnerable version of the docker package.

Q: Are docker packages from other vendors affected by CVE-2020-14298 and CVE-2020-14300?
A: These CVEs were assigned to security regressions specific to docker packages as provided by Red Hat via Red Hat Enterprise Linux 7 Extras. Therefore, these CVEs are not applicable to docker builds provided by other vendors, and notably upstream builds provided by Docker Inc. or included with other Linux distributions. These CVEs may be applicable to projects that are based on Red Hat Enterprise Linux source code, such as CentOS.

References

For more detailed information on the two previous security vulnerabilities that was regressed with this issue see:

runc - Malicious container escape - CVE-2019-5736
On-entry container attack - CVE-2016-9962

Comments