CVE-2021-32760 : What You Need to Know
Learn about CVE-2021-32760, a critical vulnerability in containerd allowing unauthorized changes to file permissions during the extraction of container images, impacting host filesystem security.
A bug in containerd versions <= 1.4.7 and >= 1.5.0, <= 1.5.3 allows changing Unix file permissions when pulling a specially-crafted container image. This can alter host filesystem permissions, impacting file access. The bug has been addressed in containerd 1.4.8 and 1.5.4. Users are advised to pull images from trusted sources, and Linux security modules like SELinux and AppArmor can further mitigate risks.
Understanding CVE-2021-32760
This vulnerability affects containerd, a container runtime, by enabling unauthorized changes to file permissions during image extraction.
What is CVE-2021-32760?
A bug in containerd versions <= 1.4.7 and >= 1.5.0, <= 1.5.3 allows alterations to Unix file permissions during the extraction of a specially-crafted container image. This can lead to unintended changes in the host's file permissions.
The Impact of CVE-2021-32760
The vulnerability can result in changes that deny access to file owners, expand access to unauthorized users, or apply extended permission bits, though it does not allow direct file execution or modification without additional cooperating processes.
Technical Details of CVE-2021-32760
The CVSS v3.1 base score for this vulnerability is 5 with a medium severity level. It has a high attack complexity, network-based attack vector, and requires user interaction, but no special privileges.
Vulnerability Description
The bug in containerd enables changes to file permissions during the extraction of manipulated container images, potentially impacting the host filesystem.
Affected Systems and Versions
containerd versions prior to 1.4.8 and 1.5.4 are affected by this vulnerability.
Exploitation Mechanism
Pulling and extracting a specially-crafted container image triggers this bug, leading to changes in Unix file permissions.
Mitigation and Prevention
To mitigate the CVE-2021-32760 vulnerability:
Immediate Steps to Take
Ensure container image pulls are only from trusted sources to minimize the risk of exploitation.
Long-Term Security Practices
Consider implementing Linux security modules (LSMs) like SELinux and AppArmor to enforce policies that restrict containerd from interacting with critical files.
Patching and Updates
Upgrade to containerd versions 1.4.8 and 1.5.4 to patch the vulnerability and prevent unauthorized permission changes.