VMT: add KCSAs for CVE-2020-2024 and CVE-2020-2025 #156
Conversation
| issues: | ||
|
|
||
| links: | ||
| - https://github.com/kata-containers/runtime/issues/2488 |
There was a problem hiding this comment.
This probably needs to be kata-containers/runtime#2487 instead @bergwolf
There was a problem hiding this comment.
The PR link is below in reviews section. This one is the issue link, although it doesn't talk much about the vulnerability.
You need to index them into this table @bergwolf :-) |
VMT/KCSA/KCSA-CVE-2020-2025.md
Outdated
| - View the guest rootfs image on the host and the file can be seen there | ||
|
|
||
| notes: | ||
| - The vulnerability can be used to attack other guests by malicious containers that find other ways to gain control over the guest. And all users running Kata Containers on top of Cloud Hypervisor are recomended to upgrade. |
|
updated. PTAL @amshinde @jodh-intel @devimc @grahamwhaley |
VMT/KCSA/KCSA-CVE-2020-2025.md
Outdated
| When running Kata Containers with Cloud Hypervisor, any change made to root | ||
| filesystem device is written to the underlying .img file. Since the device | ||
| is plugged as read-write, a malicious guest could write to it through | ||
| utilities like debugfs. |
There was a problem hiding this comment.
I believe this is a mistake from my original advisory - debugfs isn't needed if the guest is malicious, the guest can simply create/modify files and the changes will propogate to the image file on the host.
There was a problem hiding this comment.
@yuvalavra malicious guest is a container that found a way to escape from the namespaces in the guest?
There was a problem hiding this comment.
That's how I refer to a guest running malicious code outside the container scope, but perhaps that's not Kata's terminology. It's not necessarily a container that escaped, for example CVE-2020-2025 would result in subsequent guests being malicious without their containers escaping.
My point here is to separate distinct issues: CVE-2020-2025 is exploitable from outside the container, if the container has a way to access the guest - that's a different issue.
There was a problem hiding this comment.
Good point! I've re-phrased it and dropped debugfs.
VMT/KCSA/KCSA-CVE-2020-2024.md
Outdated
| reporters: | ||
|
|
||
| - name: Yuval Avrahami | ||
| affiliation: Yuval Avrahami |
There was a problem hiding this comment.
hi @yuvalavra, which affiliation would you like to be linked to? Generally it can be a company or organization.
bergwolf
force-pushed
the
vmt
branch
2 times, most recently
from
1fc61c0 to
b6de971
Compare
We have fixed them and put the fix in a release. Let's make the announcement. Fixes: kata-containers#155 Signed-off-by: Peng Tao <bergwolf@hyper.sh>
|
@yuvalavra - would you like to do a final check before this is merged? |
|
Thanks @yuvalavra. |
We have fixed them and put the fix in a release. Let's
make the announcement.
/cc @yuvalavra