CRI-O vulnerable to /etc/passwd tampering resulting in Privilege Escalation

Description

Impact

It is possible to craft an environment variable with newlines to add entries to a container's /etc/passwd. It is possible to circumvent admission validation of username/UID by adding such an entry.

Note: because the pod author is in control of the container's /etc/passwd, this is not considered a new risk factor. However, this advisory is being opened for transparency and as a way of tracking fixes.

Patches

1.26.0 will have the fix. More patches will be posted as they're available.

Workarounds

Additional security controls like SELinux should prevent any damage a container is able to do with root on the host. Using SELinux is recommended because this class of attack is already possible by manually editing the container's /etc/passwd

References

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2022-12-29 01:49:47 UTC
Updated
2024-05-03 20:28:17 UTC
GitHub reviewed
2022-12-29 01:49:47 UTC
NVD published
2023-09-25

EPSS Score

Score Percentile
0.04% 12.63%

CVSS Scores

Base score Version Severity Vector
6.1 3.1
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:L/I:H/A:N Click to expand
Attack vector (AV:L)
They already need access on the box, or another person has to do something wrong; it’s not a remote drive-by.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:H)
They need powerful rights—admin, root, or similar—before this pays off.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-913 Improper Control of Dynamically-Managed Code Resources

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/cri-o/cri-o < 1.26.0 1.26.0

References

cvelogic Threat Intelligence