Full Report
The author found a vulnerability in how Linux containers handle users and group permissions. The standard Linux permissions are read (r), write (w) and execute (x), applied to the owner, the group and others, in that order. A user can be a member of several groups. Finally, there are ways to let somebody run code as another user or group: setuid and setgid. Linux also has the concept of negative group permissions: by giving the group no permissions at all on a file, every user in the file's group is denied those actions, even though others may still have them. This builds a denylist for a particular object. Can a user drop a group to gain access to a file, though? By default this is not possible, because the permission check looks at the user's supplementary (additional) groups, and the primary group is added to that list as well. In containers, the step of copying the primary group into the supplementary list is NOT performed. As a result, a user can run a set-group-ID program, which changes the group the process runs under, and because the primary group is not in the supplementary list it is effectively dropped. In this state the user can act on a file that carries negative group permissions. The vulnerability was found in Podman, Buildah, cri-o and the Docker Engine. A fix belongs both in the specification and in the implementations. The author proposes a few fixes, including using su -l for the user and duplicating the group manually. Overall, wonderful post!
Analysis Summary
# Vulnerability: Container Runtime Improper Group Initialization Leading to Privilege Escalation via Negative Group Permissions
## CVE Details
- CVE ID: CVE-2022-2989, CVE-2022-2990, CVE-2022-2995, CVE-2022-36109
- CVSS Score: *Not explicitly provided in the text; severity must be inferred or obtained from vendor advisories. Given the context of privilege escalation potentially bypassing access controls, this vulnerability is likely **High**.*
- CWE: CWE-277 (Improper Restriction of Permissions on Named Pipe) or a related access control flaw.
## Affected Systems
- Products: Podman, Buildah, cri-o, Docker Engine (Moby)
- Versions: Specific vulnerable versions are not listed, but remediation implies versions prior to patch release.
- Configurations: Applicable when utilizing Linux container runtimes where negative group permissions are configured on files, and the container runtime fails to correctly initialize user/group context during process execution within the container.
## Vulnerability Description
The vulnerability stems from a deviation in how container runtimes initialize user group context compared to standard Linux processes (like those started via `su -l`). In standard Linux environments, when a user's session starts, the primary group ID is automatically added to the set of supplementary groups.
In the affected container runtimes, this step of copying the primary group ID to the supplementary group list **is not performed by default**.
This omission can be abused in combination with **set-group-ID programs** and **negative group permissions**. If an object has negative group permissions (members of its assigned group are explicitly denied access), a user inside the container can execute a set-group-ID program, which changes the effective group the process runs under. Because the primary group was never added to the supplementary list, that change effectively drops the primary group membership the denial relied on. The process is then evaluated against the "other" permission bits instead of the denied group bits, so the access that negative group permissions were meant to block is allowed. The core issue is that the container initialization process never duplicates the primary group into the supplementary group list.
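To make the interaction concrete, here is an added example that is not code from the post, the advisories or any of the affected runtimes. It models the Linux discretionary permission check (owner, group, other, with group membership meaning the effective gid or any supplementary group) and runs the same setgid scenario twice: once with the primary gid copied into the supplementary list, as a login session does, and once without, as the affected runtimes did. All ids, modes and the names `start_session`, `run_setgid` and `scenario` are constructed for illustration.

```python
"""Model of the Linux permission check with negative group permissions,
comparing login-style group initialization with the container behaviour."""
from dataclasses import dataclass, field

R, W, X = 4, 2, 1  # permission bits, as in the mode's octal digits


@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int  # e.g. 0o604: owner rw-, group ---, other r--


@dataclass(frozen=True)
class Cred:
    uid: int
    gid: int                                  # effective (filesystem) gid
    groups: frozenset = field(default_factory=frozenset)  # supplementary gids

    def in_group(self, gid):
        # Mirrors the kernel's in_group_p(): effective gid or any supplementary group.
        return gid == self.gid or gid in self.groups


def has_permission(cred, inode, want):
    """The first matching class decides; a group member is judged on the
    group bits only and never falls through to the 'other' bits. That is
    what makes an all-zero group digit a negative (deny) permission."""
    if cred.uid == inode.uid:
        bits = (inode.mode >> 6) & 7
    elif cred.in_group(inode.gid):
        bits = (inode.mode >> 3) & 7
    else:
        bits = inode.mode & 7
    return (bits & want) == want


def start_session(uid, gid, copy_primary):
    """A login session (su -l) copies the primary gid into the supplementary
    list; the affected container runtimes left the list without it."""
    supplementary = frozenset({gid}) if copy_primary else frozenset()
    return Cred(uid, gid, supplementary)


def run_setgid(cred, program_gid):
    """A set-group-ID program runs with its file's group as effective gid;
    the supplementary list is not touched."""
    return Cred(cred.uid, program_gid, cred.groups)


def scenario(copy_primary):
    """Returns (can_read_before, can_read_after) running a setgid program.
    Constructed values: file owned by root, group 1000, mode 0o604, so
    members of group 1000 get nothing while everyone else may read."""
    secret = Inode(uid=0, gid=1000, mode=0o604)
    user = start_session(uid=1000, gid=1000, copy_primary=copy_primary)
    before = has_permission(user, secret, R)
    after = has_permission(run_setgid(user, program_gid=2000), secret, R)
    return before, after


if __name__ == "__main__":
    print("login-style init (primary copied):", scenario(copy_primary=True))
    print("container init (primary not copied):", scenario(copy_primary=False))
```

With the primary gid present in the supplementary list, the denial survives the setgid program because `in_group` still matches through `groups`; without it, the process is no longer a member of the denied group and the "other" read bit applies.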
## Exploitation
- Status: *Not explicitly stated as exploited in the wild, but PoC development is implied by researcher findings.*
- Complexity: **Medium** (Requires understanding of Linux permissions, negative permissions, setuid/setgid mechanisms, and container runtime group handling discrepancies).
- Attack Vector: **Local** (Requires ability to run code within a container context).
## Impact
- Confidentiality: **High** (Potential to read restricted files if negative permissions were set).
- Integrity: **High** (Potential to write or execute files they should not have access to).
- Availability: **Medium** (Depends on the nature of the affected files).
## Remediation
### Patches
Patches should be available in updated versions of Podman, Buildah, cri-o, and the Docker Engine (Moby). Users must consult vendor advisories for specific patched versions corresponding to the mentioned CVEs.
### Workarounds
1. **Manual group duplication:** when setting up the container's user context, explicitly add the primary group to the supplementary group list.
2. **Using `su -l`:** switch user with `su -l` (a full login shell), which performs the group duplication step as part of its initialization.
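The first workaround in code, as an added example that is not from the post, the advisories or any runtime: an entrypoint helper that drops from root to a service user the way a login shell does, using `os.initgroups()` so the primary gid is included in the supplementary list, together with a pure check that can audit any running process for the missing-primary condition. The service user name `svc` is a placeholder; `drop_to_user` needs root (CAP_SETGID/CAP_SETUID) and is only called when running as root.

```python
"""Drop privileges so the primary gid is duplicated into the supplementary
group list, and audit a process for the missing-primary condition."""
import os
import pwd


def primary_group_missing(primary_gid, supplementary):
    """True when the primary gid is absent from the supplementary list,
    the state the affected runtimes left container processes in."""
    return primary_gid not in set(supplementary)


def groups_with_primary(primary_gid, supplementary):
    """Supplementary list with the primary gid added exactly once, order kept.
    Usable where the entrypoint builds the list itself and calls setgroups()."""
    groups = list(dict.fromkeys(supplementary))  # de-duplicate, preserve order
    if primary_gid not in groups:
        groups.append(primary_gid)
    return groups


def audit_self():
    """Report on the calling process; run inside a container to confirm the fix."""
    gid, groups = os.getgid(), os.getgroups()
    return {
        "gid": gid,
        "groups": groups,
        "primary_missing": primary_group_missing(gid, groups),
    }


def drop_to_user(username):
    """Switch from root to `username` as `su -l` does: initgroups() loads the
    user's groups from the group database and includes the primary gid, then
    the gid and uid are set, in that order (gid first, while still root)."""
    pw = pwd.getpwnam(username)
    os.initgroups(username, pw.pw_gid)  # supplementary list incl. primary gid
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)
    if primary_group_missing(os.getgid(), os.getgroups()):
        raise RuntimeError("primary gid still missing from supplementary groups")


if __name__ == "__main__":
    if os.geteuid() == 0:
        drop_to_user("svc")  # placeholder service user for this image
    print(audit_self())
```

Running `audit_self()` inside an unpatched container started with a non-root user shows `primary_missing: True`; after the `initgroups()`-based drop (or a patched runtime) it reports `False`.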
## Detection
- Indicators of Compromise: Unexpected changes in file access patterns or attempts to execute binaries with elevated group privileges inside the container scope, especially related to files configured with negative permissions for the process's actual group membership.
- Detection methods and tools: Monitoring container entry points and user initialization sequences for deviations from standard Linux group addition logic. Auditing file permission changes, particularly on sensitive files protected by negative group permissions.
## References
- Vendor Advisories:
- Red Hat Security Advisory for CVE-2022-2989 (Podman) - defanged: `hXXps://access.redhat.com/security/cve/cve-2022-2989`
- Red Hat Security Advisory for CVE-2022-2990 (Buildah) - defanged: `hXXps://access.redhat.com/security/cve/cve-2022-2990`
- Red Hat Security Advisory for CVE-2022-2995 (cri-o) - defanged: `hXXps://access.redhat.com/security/cve/cve-2022-2995`
- Moby/Docker Security Advisory for CVE-2022-36109 - defanged: `hXXps://github.com/moby/moby/security/advisories/GHSA-rc4r-wh2q-q6c4`
- Relevant links: Summary article - defanged: `hXXps://www.benthamsgaze.org/2022/08/22/vulnerability-in-linux-containers-investigation-and-mitigation/`