Vulnerability Name:

CVE-2021-43816 (CCN-216854)

Assigned: 2021-11-16
Published: 2022-01-05
Updated: 2022-04-01
Summary: containerd is an open source container runtime. On installations using SELinux, such as EL8 (CentOS, RHEL), Fedora, or SUSE MicroOS, with containerd since v1.5.0-beta.0 as the backing container runtime interface (CRI), an unprivileged pod scheduled to the node may bind mount, via a hostPath volume, any privileged, regular file on disk for complete read/write access (sans delete). This is achieved by placing the in-container location of the hostPath volume mount at `/etc/hosts`, `/etc/hostname`, or `/etc/resolv.conf`. These locations are relabeled indiscriminately to match the container process label, which effectively elevates permissions for containers that would not normally be able to access privileged host files. This issue has been resolved in version 1.5.9. Users are advised to upgrade as soon as possible.
CVSS v3 Severity:
9.1 Critical (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H)
7.9 High (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
8.0 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)
7.0 High (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H/E:U/RL:O/RC:C)
Exploitability Metrics:
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): High
User Interaction (UI): None
Scope:
Scope (S): Changed
Impact Metrics:
Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity:
6.0 Medium (CVSS v2 Vector: AV:N/AC:M/Au:S/C:P/I:P/A:P)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
7.1 High (CCN CVSS v2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C)
Exploitability Metrics:
Access Vector (AV): Network
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics:
Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-281
Vulnerability Consequences: Gain Privileges
References:
Source: MITRE
Type: CNA
CVE-2021-43816

Source: XF
Type: UNKNOWN
containerd-cve202143816-priv-esc(216854)

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/containerd/containerd/commit/a731039238c62be081eb8c31525b988415745eea

Source: MISC
Type: Exploit, Issue Tracking, Third Party Advisory
https://github.com/containerd/containerd/issues/6194

Source: CCN
Type: containerd GIT Repository
containerd CRI plugin: Unprivileged pod using `hostPath` can side-step SELinux

Source: CONFIRM
Type: Third Party Advisory
https://github.com/containerd/containerd/security/advisories/GHSA-mvff-h3cj-wj9c

Source: MISC
Type: Patch, Third Party Advisory
https://github.com/dweomer/containerd/commit/f7f08f0e34fb97392b0d382e58916d6865100299

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-f668c3d70d

Source: FEDORA
Type: Mailing List, Third Party Advisory
FEDORA-2022-a0b2a4d594

Source: CCN
Type: IBM Security Bulletin 6991633 (Edge Application Manager)
Open Source Dependency Vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:linuxfoundation:containerd:1.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:beta0:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:beta1:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:beta2:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:beta3:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:beta4:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:rc0:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:rc1:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:rc2:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.0:rc3:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:*:*:*:*:*:*:*:* (Version >= 1.5.1 and < 1.5.9)

Configuration 2:
  • cpe:/o:fedoraproject:fedora:34:*:*:*:*:*:*:*
  • OR cpe:/o:fedoraproject:fedora:35:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:linuxfoundation:containerd:1.5.0:-:*:*:*:*:*:*
  • OR cpe:/a:linuxfoundation:containerd:1.5.8:*:*:*:*:*:*:*
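
An added audit example (not part of the advisory or of containerd's code): it flags pods that mount a hostPath volume at one of the three relabeled locations named in the summary, on nodes whose containerd falls in the affected range listed above. It assumes `pods` comes from the Kubernetes pod list and `node_runtimes` maps node names to the node status field `containerRuntimeVersion`; whether a node has SELinux enabled is not checked, and the sample pods and nodes are constructed.

```python
import posixpath
import re

# In-container mount targets the advisory lists as relabeled indiscriminately.
RELABELED_TARGETS = {"/etc/hosts", "/etc/hostname", "/etc/resolv.conf"}

def containerd_affected(runtime):
    """Advisory range: containerd since v1.5.0-beta.0, fixed in 1.5.9."""
    m = re.match(r"containerd://v?(\d+)\.(\d+)\.(\d+)", runtime or "")
    if not m:
        return False  # other runtime, or a version string we cannot parse
    major, minor, patch = map(int, m.groups())
    return (major, minor) == (1, 5) and patch < 9

def risky_mounts(pod):
    """(container, hostPath, mountPath) for hostPath volumes mounted at a relabeled target."""
    spec = pod["spec"]
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in spec.get("volumes") or [] if "hostPath" in v}
    hits = []
    for kind in ("initContainers", "containers", "ephemeralContainers"):
        for c in spec.get(kind) or []:
            for vm in c.get("volumeMounts") or []:
                target = posixpath.normpath(vm["mountPath"])  # "/etc/hosts/" -> "/etc/hosts"
                if vm["name"] in host_paths and target in RELABELED_TARGETS:
                    hits.append((c["name"], host_paths[vm["name"]], target))
    return hits

def audit(pods, node_runtimes):
    """Pods with a risky mount scheduled on a node running an affected containerd."""
    return [(f'{p["metadata"]["namespace"]}/{p["metadata"]["name"]}', *hit)
            for p in pods
            if containerd_affected(node_runtimes.get(p["spec"].get("nodeName")))
            for hit in risky_mounts(p)]

def _pod(name, node, mount_path):  # constructed sample pod, not real cluster data
    return {"metadata": {"namespace": "demo", "name": name},
            "spec": {"nodeName": node,
                     "volumes": [{"name": "v", "hostPath": {"path": "/constructed/host/file"}}],
                     "containers": [{"name": "app",
                                     "volumeMounts": [{"name": "v", "mountPath": mount_path}]}]}}

NODE_RUNTIMES = {"node-1": "containerd://1.5.8", "node-2": "containerd://1.5.9"}
PODS = [_pod("a", "node-1", "/etc/hosts/"), _pod("b", "node-1", "/data"),
        _pod("c", "node-2", "/etc/resolv.conf")]

if __name__ == "__main__":
    for finding in audit(PODS, NODE_RUNTIMES):
        print(finding)
```

A finding means the pod spec matches the pattern in the summary on an unpatched node; upgrading that node's containerd to 1.5.9 is the fix the advisory gives.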
