Bugcrowd Big Bugs: BitBucket Pipelines Kata Containers Build Container Escape

Atlassian ran a project on Bugcrowd looking for bugs in their proposed implementation of Kata Containers within the Bitbucket Pipelines CI/CD environment.

Within the project, researcher Alex Chapman (axjchapman) identified a vulnerability in Kata Containers which could allow processes running in the Kata VM to write to supposedly read-only volume mounts. Exploiting this vulnerability allowed a malicious build job to write semi-controlled data to arbitrary files on the host system as the root user.

This vulnerability was fixed by the Kata Containers team and assigned CVE-2020-28914.

Continue reading on www.bugcrowd.com...

Daily Swig - Container security: Privilege escalation bug patched in Docker Engine

A vulnerability in a Docker Engine security feature potentially allowed attackers to escalate privileges from a remapped user to root.

“The two avenues of exploitation I found would allow writing of arbitrary files as the real root user” or seizing ownership of files previously accessible only by the root user, security researcher Alex Chapman, who unearthed the flaw, tells The Daily Swig.

Continue reading on portswigger.net...

Moby - Access to remapped root allows privilege escalation to real root

In Docker before versions 19.03.15, 20.10.3 there is a vulnerability involving the --userns-remap option in which access to remapped root allows privilege escalation to real root. When using “--userns-remap”, if the root user in the remapped namespace has access to the host filesystem they can modify files under “/var/lib/docker/” that cause writing files with extended privileges. Versions 20.10.3 and 19.03.15 contain patches that prevent privilege escalation from remapped user.

Continue reading on github.com...

Kata Containers `hostPath` file write

Bugcrowd bug report to a Private Program: Kata Containers was found to be vulnerable to an issue allowing Kata VMs to write to hostPath mount points which should have been read only. This issue was fixed in the Kata Containers project and assigned CVE-2020-28914.

Continue reading on bugcrowd.com...

Kata Containers - Improper file permissions for read-only volumes

An improper file permissions vulnerability affects Kata Containers prior to 1.11.5. When using a Kubernetes hostPath volume and mounting either a file or directory into a container as readonly, the file/directory is mounted as readOnly inside the container, but is still writable inside the guest. For a container breakout situation, a malicious guest can potentially modify or delete files/directories expected to be read-only.

Continue reading on github.com...

Daily Swig - Collaborative bug hunting ‘could be very lucrative’ – security pro Alex Chapman on the future of ethical hacking

“It all started with a Commodore 64, but Alex Chapman’s passion for programming crystalized into an interest in ethical hacking following a careers advice day at university.

Since graduating in computer science in 2007, the London-based vulnerability researcher has worked in pen testing, red teaming, and security research during stints at Deloitte, Context Information Security, and Yahoo.”

Continue reading on portswigger.net...

GitLab - Command injection on runner host

A command injection vulnerability was discovered in GitLab Runner versions prior to 13.2.4, 13.3.2 and 13.4.1. When the runner is configured on a Windows system with a docker executor, an attacker can run arbitrary commands on the Windows host via the DOCKER_AUTH_CONFIG build variable.

Continue reading on about.gitlab.com...