Date: 2017-04-03
CVE-ID: CVE-2017-7412
Service: docker
Type: local privilege escalation
Summary
=======
NixOS 17.03 before 17.03.887 has a world-writable Docker socket, which
allows local users to gain privileges by executing docker commands.
NixOS 16.09 is not vulnerable.
Resolution
==========
# nix-channel --update
and ensure your NixOS channel is advanced to 17.03.887 or greater.
Workaround
==========
Manually apply socket permission restrictions to the Docker socket. In
your configuration.nix:
  systemd.sockets.docker = {
    socketConfig.SocketMode = "0660";    # no access bits for "other"
    socketConfig.SocketUser = "root";
    socketConfig.SocketGroup = "docker"; # only docker group members may connect
  };
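The following check script is an added example and is not part of the advisory: it inspects a Docker socket path (default /var/run/docker.sock, an assumption) and reports whether it carries the world-write bit that this issue describes, so an administrator can confirm the workaround or the updated channel took effect.

```shell
#!/bin/sh
# Added example, not part of the advisory: check whether a Docker socket
# carries the world-write bit that CVE-2017-7412 describes, and report the
# owner:group and permission string so the result can be compared with the
# intended root:docker 0660. Uses only ls/awk/cut so it runs on any POSIX system.

DOCKER_SOCK="${DOCKER_SOCK:-/var/run/docker.sock}"   # assumed default path; override for tests

# Return 0 when the "other" write bit is set on $1 (e.g. srw-rw-rw-), else 1.
is_world_writable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10) || return 1
    case "$perms" in
        ????????w?) return 0 ;;   # 9th character is the other-write bit
        *)          return 1 ;;
    esac
}

# Inspect one socket path. Exit status: 0 = restricted, 1 = world-writable,
# 2 = path missing (daemon not running, or a different socket path).
check_docker_socket() {
    sock="${1:-$DOCKER_SOCK}"
    if [ ! -e "$sock" ]; then
        echo "$sock: not present"
        return 2
    fi
    detail=$(ls -ld "$sock" | awk '{print $3 ":" $4 " " $1}')
    if is_world_writable "$sock"; then
        echo "EXPOSED: $sock is world-writable ($detail); any local user can"
        echo "  talk to the daemon. Expected root:docker with mode 0660."
        return 1
    fi
    echo "OK: $sock is $detail"
    return 0
}

# Usage on a NixOS host: . ./check-docker-sock.sh; check_docker_socket
```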
Thank You
=========
Thank you Alexey Shmalko (rasendubi on GitHub) for promptly reporting
the vulnerability and submitting a patch.
References
==========
Fix applied to 17.03:
https://github.com/NixOS/nixpkgs/commit/6c59d851e2967410cc8fb6ba3f374b1d3efa988e
Fix applied to unstable:
https://github.com/NixOS/nixpkgs/commit/fa4fe7110566d8370983fa81f2b04a833339236d
16.09 and older are not affected.