CVE-2021-41103 : Security Advisory and Response

Learn about CVE-2021-41103 affecting containerd, enabling unprivileged users to execute programs. Find mitigation steps to secure your system.

containerd is an open-source container runtime. A bug left plugin directories with insufficiently restricted permissions, enabling unprivileged users to execute programs and access files. This CVE version is 5.0.

Understanding CVE-2021-41103

The vulnerability affects containerd versions prior to 1.4.11, and 1.5.x versions from 1.5.0 up to the fix in 1.5.7. It allowed otherwise unprivileged Linux users to traverse directory contents and execute programs.

What is CVE-2021-41103?

Container root directories and plugin directories in containerd had insufficiently restricted permissions, enabling unprivileged users to access files and execute programs, potentially compromising system security.

The Impact of CVE-2021-41103

The vulnerability has a CVSS v3.0 score of 5.9, indicating medium severity. The attack vector is local and attack complexity is low, with low impact on confidentiality, integrity, and availability.

Technical Details of CVE-2021-41103

The technical aspects of this CVE are as follows:

Vulnerability Description

Insufficiently restricted permissions in containerd plugin directories allowed unauthorized Linux users to traverse directories and execute programs.

Affected Systems and Versions

Versions prior to 1.4.11, and 1.5.x versions from 1.5.0 up to the fix in 1.5.7, were affected by this vulnerability.

Exploitation Mechanism

Unprivileged Linux users could exploit the bug by accessing directories with extended permissions, potentially executing privileged programs.

Mitigation and Prevention

Actions to secure systems from this vulnerability:

Immediate Steps to Take

Update containerd to version 1.4.11 or 1.5.7, which fix the bug.
Restart containers or modify directory permissions to limit unauthorized access.
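
An added example, not code from containerd or from this advisory: a Python audit that lists programs under a directory tree that users outside the owner and group can reach and execute, and shows that tightening one directory on the path removes the exposure below it. The `bundles/c1/rootfs` layout is a constructed sample and the function names are this example's own; point `exposed_programs` at whichever runtime directories your deployment uses.

```python
import os
import stat
import tempfile

def other_can_enter(path):
    """True if path is a real directory that grants search (x) to 'other'."""
    st = os.lstat(path)
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IXOTH)

def exposed_programs(root):
    """List (path, is_setuid) for regular files under root that a user who is
    neither owner nor group member can reach and execute."""
    found = []
    if not other_can_enter(root):
        return found  # gate closed at the top: nothing below is reachable
    for dirpath, dirnames, filenames in os.walk(root):
        # Prune directories 'other' cannot traverse; symlinks are not followed.
        dirnames[:] = [d for d in dirnames
                       if other_can_enter(os.path.join(dirpath, d))]
        for name in filenames:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_IXOTH:
                found.append((path, bool(mode & stat.S_ISUID)))
    return sorted(found)

def drop_other_access(path):
    """Remove all 'other' permission bits (equivalent to chmod o-rwx)."""
    mode = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, mode & ~stat.S_IRWXO)

def demo():
    """Constructed tree <tmp>/bundles/c1/rootfs/bin/tool, all world-accessible."""
    top = tempfile.mkdtemp()
    bundles = os.path.join(top, "bundles")
    bindir = os.path.join(bundles, "c1", "rootfs", "bin")
    os.makedirs(bindir)
    for d, _, _ in os.walk(top):
        os.chmod(d, 0o755)            # every directory traversable by anyone
    tool = os.path.join(bindir, "tool")
    with open(tool, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(tool, 0o755)
    before = exposed_programs(top)    # the tool is reachable and executable
    drop_other_access(bundles)        # tighten one directory on the path
    return before, exposed_programs(top)

if __name__ == "__main__":
    print(demo())
```

Entries with `is_setuid` set to `True` deserve attention first, since those programs run with their owner's privileges when executed.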

Long-Term Security Practices

Restrict host access to trusted users to limit exposure.

Patching and Updates

Regularly update containerd to the latest versions to ensure protection against known vulnerabilities.
