CVSS Score: 6.6 Published: 2022-04-01 Full Report: https://cvereports.com/reports/GHSA-C3G4-W6CV-6V7H
A logic flaw in Buildah and Moby (Docker Engine) allowed containers to start with a non-empty Inheritable capability set. This subtle misconfiguration permits attackers to 'resurrect' privileges that were intended to be restricted, bypassing container hardening measures by leveraging file capabilities.
Docker and Buildah accidentally left the 'Inheritable' capability set wide open. By default, containers should start with this set empty. Because it wasn't, a process inside a container could elevate its privileges back up to the Bounding Set limits simply by executing a binary with specific file capabilities attached, effectively bypassing security profiles that rely on dropping capabilities from the Effective set.
- CWE ID: CWE-276 (Incorrect Default Permissions)
- CVSS v3.1: 6.6 (Medium)
- Attack Vector: Local (Container Internal)
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Buildah <= 1.24.0
- Moby (Docker Engine) < 20.10.14
- Fedora 34 (containers-common)
- Fedora 35 (containers-common)
- Fedora 36 (containers-common)
- Buildah: <= 1.24.0 (Fixed in: 1.25.0)
- Moby (Docker): < 20.10.14 (Fixed in: 20.10.14)
- Upgrade Container Runtimes immediately.
- Enable 'no-new-privileges' security option.
- Explicitly drop Bounding set capabilities that are not required.
Remediation Steps:
- Upgrade Moby/Docker to version 20.10.14 or later.
- Upgrade Buildah to version 1.25.0 or later.
- If patching is not possible, run containers with the flag --security-opt=no-new-privileges. This kernel-level feature (no_new_privs) prevents execve from granting a process additional privileges, including those carried by file capabilities, effectively neutralizing the exploit vector even if the Inheritable set is malformed.
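A defender-side check for the two conditions this report describes, a non-empty Inheritable set at container start and the no-new-privileges mitigation, as an added example that is not part of the original report or of Docker's or Buildah's code. It parses the Cap*/NoNewPrivs lines of a /proc/<pid>/status text; the two status excerpts and the 0xa80425fb mask are constructed sample input.

```python
import os

# Constructed excerpt of /proc/<pid>/status from a container started by an
# affected runtime: the Inheritable set equals the Bounding set.
VULNERABLE_STATUS = """\
Name:\tsh
CapInh:\t00000000a80425fb
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t0
"""

# Constructed excerpt from a fixed runtime run with no-new-privileges:
# the Inheritable set is empty and no_new_privs is set.
FIXED_STATUS = """\
Name:\tsh
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
NoNewPrivs:\t1
"""

CAP_FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def parse_caps(status_text):
    """Return the capability sets as ints plus the NoNewPrivs flag."""
    caps = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        value = value.strip()
        if key in CAP_FIELDS:
            caps[key] = int(value, 16)   # kernel prints each set as hex
        elif key == "NoNewPrivs":
            caps[key] = (value == "1")
    return caps

def check_inheritable(status_text):
    """Return (exposed, note). Exposed means CapInh is non-empty and
    no_new_privs is unset, so file capabilities could re-grant dropped bits."""
    caps = parse_caps(status_text)
    inh = caps.get("CapInh", 0)
    if inh == 0:
        return False, "CapInh is empty; matches the fixed runtime behaviour"
    if caps.get("NoNewPrivs"):
        return False, f"CapInh non-empty ({inh:#x}) but no_new_privs blocks gains on execve"
    return True, f"CapInh non-empty ({inh:#x}) without no_new_privs: review runtime version"

if __name__ == "__main__":
    # Run inside a container to inspect the current process itself.
    if os.path.exists("/proc/self/status"):
        with open("/proc/self/status") as f:
            print(check_inheritable(f.read()))
```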
Generated by CVEReports - Automated Vulnerability Intelligence