Executive Summary

This vulnerability is a container privilege escalation flaw found in certain container-native virtualization images. During the container build process, the /etc/passwd file is created with group-writable permissions. An attacker who can run commands inside the affected container, even as a non-root user, and who is a member of the root group, can modify the /etc/passwd file. This allows the attacker to add a new user with any user ID, including UID 0 (root), thereby gaining full root privileges within the container. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker with limited access inside a container to escalate their privileges to full root access within that container. This means the attacker can perform any action as the root user inside the container, potentially compromising the container's security and any applications or data it handles. [1]

Useful 0 Not Useful 0

Detection Guidance

You can detect this vulnerability by checking if the /etc/passwd file inside your container images has group-writable permissions. For example, run the command `ls -l /etc/passwd` inside the container and verify if the group permissions include write access (e.g., -rw-rw-r--). If the file is group-writable, the container is vulnerable. Additionally, verify if users inside the container belong to the root group, which could allow exploitation. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include rebuilding the affected container images ensuring that the /etc/passwd file is created without group-writable permissions (e.g., permissions set to 644 or more restrictive). Also, restrict user group memberships inside containers to prevent non-root users from being in the root group. Applying updated container images or patches from your vendor that address this issue is recommended. [1]

Useful 0 Not Useful 0