3.6
CVSSv2

CVE-2020-15257

Published: 01/12/2020 Updated: 17/03/2021
CVSS v2 Base Score: 3.6 | Impact Score: 4.9 | Exploitability Score: 3.9
CVSS v3 Base Score: 5.2 | Impact Score: 2.7 | Exploitability Score: 2
Vector: AV:L/AC:L/Au:N/C:P/I:P/A:N

Vulnerability Summary

containerd is an industry-standard container runtime and is available as a daemon for Linux and Windows. In containerd prior to 1.3.9 and 1.4.3, the containerd-shim API is improperly exposed to host network containers. Access controls for the shim’s API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket. This would allow malicious containers running in the same network namespace as the shim, with an effective UID of 0 but otherwise reduced privileges, to cause new processes to be run with elevated privileges. This vulnerability has been fixed in containerd 1.3.9 and 1.4.3. Users should update to these versions as soon as they are released. It should be noted that containers started with an old version of containerd-shim should be stopped and restarted, as running containers will continue to be vulnerable even after an upgrade. If you are not providing the ability for untrusted users to start containers in the same network namespace as the shim (typically the "host" network namespace, for example with docker run --net=host or hostNetwork: true in a Kubernetes pod) and run with an effective UID of 0, you are not vulnerable to this issue. If you are running containers with a vulnerable configuration, you can deny access to all abstract sockets with AppArmor by adding a line similar to deny unix addr=@**, to your policy. It is best practice to run containers with a reduced set of privileges, with a non-zero UID, and with isolated namespaces. The containerd maintainers strongly advise against sharing namespaces with the host. Reducing the set of isolation mechanisms used for a container necessarily increases that container's privilege, regardless of what container runtime is used for running that container.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.

Vulnerability Trend

Vulnerable Product Search on Vulmon Subscribe to Product

Vendor Advisories

Arch Linux Security Advisory ASA-202012-8 ========================================= Severity: High Date : 2020-12-05 CVE-ID : CVE-2020-15257 Package : containerd Type : privilege escalation Remote : No Link : securityarchlinuxorg/AVG-1309 Summary ======= The package containerd before version 143-1 is vulnerable to privileg ...
In containerd before versions 139 and 143, the containerd-shim API is improperly exposed to host network containers Access controls for the shim's API socket verified that the connecting process had an effective UID of 0, but did not otherwise restrict access to the abstract Unix domain socket This would allow malicious containers running in ...
Multiple security issues were discovered in Docker, a Linux container runtime, which could result in denial of service, an information leak or privilege escalation For the stable distribution (buster), these problems have been fixed in version 18091+dfsg1-71+deb10u3 We recommend that you upgrade your dockerio packages For the detailed securi ...

Github Repositories

exploits-open Available exploits CVE-2020-15257 Available proof of concepts

CDK is an open-sourced container penetration toolkit, offering stable exploitation in different slimmed containers without any OS dependency. It comes with penetration tools and many powerful PoCs/EXPs helps you to escape container and takeover K8s cluster easily.

CDK - Zero Dependency Container Penetration Toolkit English | 简体中文 Legal Disclaimer Usage of CDK for attacking targets without prior mutual consent is illegal CDK is for security testing purposes only Overview CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency It c

CDK - Zero Dependency Container Penetration Toolkit English | 简体中文 Legal Disclaimer Usage of CDK for attacking targets without prior mutual consent is illegal CDK is for security testing purposes only Overview CDK is an open-sourced container penetration toolkit, designed for offering stable exploitation in different slimmed containers without any OS dependency It c

Docker Security Checklist For a more thorough checklist please refer to the latest Docker CIS benchmark Patching Ensure you patch your Docker daemon/containerd etc to protect against escape CVEs such as CVE-2019-5736 CVE-2019-14271 CVE-2020–15257 Follow appropriate Docker security updates Image security Conduct image vulnerability scanning using an appropriate scann

Awesome Container Escape Collections of container escape techniques Container Escape Techniques Name Type Info Status CVE-2016-5195 vuln/kernel CVE-2020-14386 vuln/kernel CVE-2018-15664 vuln/docker CVE-2019-14271 vuln/docker CVE-2019-5736 vuln/runc CVE-2017-1002101 vuln/k8s CVE-2018-1002105 vuln/k8s CVE-2020-8558 vuln/k8s CVE-2020-15257 v

中文 | English 1 Introduction Metarget = meta- + target, a framework providing automatic constructions of vulnerable infrastructures, used to deploy simple or complicated vulnerable cloud native targets swiftly and automatically 11 Why Metarget? During security researches, we might find that the deployment of vulnerable environment often takes much time, while the time spen

前言 基于零组公开漏洞库 如何添加新的文章 先检查本地仓库是否为最新版本 找到对应分类或新建分类,新建Markdown文件,文件名为漏洞标题 Markdown文件内添加漏洞详情 图片保存到当前Markdown文件路径下的`/resource/文件名/mdeia/` 目录,Markdown插入时使用相对路径 按时间倒序在Change Log中添

在线漏洞平台

前言 基于零组公开漏洞库 如何添加新的文章 先检查本地仓库是否为最新版本 找到对应分类或新建分类,新建Markdown文件,文件名为漏洞标题 Markdown文件内添加漏洞详情 图片保存到当前Markdown文件路径下的`/resource/文件名/mdeia/` 目录,Markdown插入时使用相对路径 按时间倒序在Change Log中添

此项目将不定期从棱角社区对外进行公布一些最新漏洞。

Vulnerability 纪念我们始终热爱的 来人皆是朋友 去人也不留 © Edge Security Team Anchor CMS 0127 跨站请求伪造(CVE-2020-23342) Apache Kylin API未授权访问漏洞(CVE-2020-13937) Apache NiFi Api 远程代码执行(RCE) Bypass for Microsoft Exchange远程代码执行 CVE-2020-16875 CISCO ASA任意文件读取漏洞 (CVE-2020-3452) CNVD-20

2020年发布到阿尔法实验室微信公众号的所有安全资讯汇总

欢迎关注阿尔法实验室微信公众号 20201231 [漏洞] 2020年增加的10个最严重的CVE blogdetectifycom/2020/12/30/top-10-critical-cves-added-in-2020/ Chromium RawClipboardHostImpl中的UAF漏洞 bugschromiumorg/p/chromium/issues/detail?id=1101509 [工具] Sarenka:OSINT工具,将来自shodan、censys等服务的数据集中在一处

PoC in GitHub 2021 CVE-2021-1056 (2021-01-07) NVIDIA GPU Display Driver for Linux, all versions, contains a vulnerability in the kernel mode layer (nvidiako) in which it does not completely honor operating system file system permissions to provide GPU device-level isolation, which may lead to denial of service or information disclosure pokerfaceSad/CVE-2021-1056 CVE-2021-

Recent Articles

The Register

Kubecon A session on how to hack into a Kubernetes cluster was among the highlights of a Kubecon where the main events were generally bland and corporate affairs, perhaps indicative of the technology now being a de facto infrastructure standard among enterprises.
Kubecon Europe took place online last week with more than 27,000 attendees, according to Chris Aniszczyk, CTO of the Cloud Native Computing Foundation (CNCF), which hosts the Kubernetes project among many others.
That is a s...