oss-sec mailing list archives
Re: CVE Request: Linux kernel: privilege escalation in user namespaces
From: cve-assign () mitre org
Date: Thu, 31 Dec 2015 14:43:50 -0500 (EST)
Use CVE-2015-8709 for the issue fixed in the https://lkml.org/lkml/2015/12/25/71 post. (This is not yet available at http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/log/kernel/ptrace.c and http://marc.info/?l=linux-kernel&m=145118185526359 might be the current end of the earlier discussion.)

This issue has been covered in security advisories from one or more Linux distributions, e.g.,

> http://www.ubuntu.com/usn/usn-2847-1
>
> Jann Horn discovered a ptrace issue with user namespaces in the Linux kernel. The namespace owner could potentially exploit this flaw by ptracing a root owned process entering the user namespace to elevate its privileges and potentially gain access outside of the namespace. (http://bugs.launchpad.net/bugs/1527374)

There has been some discussion of whether the finding was a vulnerability discovery, e.g.,

> Date: Fri, 18 Dec 2015 00:07:19 +0100
> From: Jann Horn <jann () thejh net>
>
> I'm not sure whether this is CVE-worthy - the user_namespaces manpage says "the process has full privileges for operations inside the user namespace, but is unprivileged for operations outside the namespace". ptrace()ing a process in the namespace can reasonably be considered an "operation inside the user namespace" ... In my opinion, this patch is somewhere between hardening and a security feature, but I wouldn't really call it a vuln fix.

> Date: Thu, 17 Dec 2015 23:54:03 +0000
> From: Serge Hallyn <serge.hallyn () ubuntu com>
>
> > ptrace()ing a process in the namespace can reasonably be considered an "operation inside the user namespace"
>
> Except by creating a file in the host namespace, you were, as root in the container, able to escape your namespace, right?

We feel that, more generally, the usn-2847-1 mention of "and potentially gain access outside of the namespace" is a realistic concern.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]