containerd supplementary groups are not set up properly
CVE-2023-25173
What is CVE-2023-25173?
A significant vulnerability exists in the open-source container runtime containerd, which does not set up supplementary groups properly for processes inside containers. An attacker with direct access to a container could manipulate their supplementary group access and use it to bypass primary group restrictions, potentially gaining access to sensitive information or the ability to execute code within that container.

Users are strongly advised to upgrade to containerd 1.6.18 or 1.5.18 and to recreate their containers so the corrected group setup takes effect. Downstream applications that use the containerd client library should also check for any advisories specific to them and apply the necessary precautions.

As a temporary workaround, avoid the 'USER $USERNAME' instruction in the Dockerfile and instead switch users through the entrypoint, for example 'ENTRYPOINT ["su", "-", "user"]', so that the supplementary groups are set up properly.
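Because the flaw concerns which supplementary groups a container process actually ends up with, the practical check after upgrading and recreating containers is to compare the output of `id -G` inside the container against the user's membership in the container's /etc/group. The following shell script is an added example, not containerd project code: it builds a small constructed /etc/group, computes the supplementary GIDs a user should have, and reports any GID in an `id -G` listing that /etc/group does not grant (or any that is missing). The user name, file contents and sample `id -G` outputs are all constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of containerd): verify that a container process's
# supplementary groups match the user's membership in the container's /etc/group.

# Constructed sample /etc/group; on a real system pass /etc/group instead.
GROUPFILE=$(mktemp)
trap 'rm -f "$GROUPFILE"' EXIT
cat > "$GROUPFILE" <<'EOF'
root:x:0:
app:x:1000:
docker:x:999:app
audit:x:1500:app,ops
ops:x:1600:
EOF

# expected_sgids USER GROUPFILE PRIMARY_GID
# Prints the sorted, space-separated GIDs of every group in GROUPFILE whose
# member list contains USER, excluding the user's primary GID.
expected_sgids() {
    user="$1"; groupfile="$2"; primary="$3"
    awk -F: -v u="$user" -v p="$primary" '
        $3 == p { next }
        {
            n = split($4, members, ",")
            for (i = 1; i <= n; i++) if (members[i] == u) { print $3; break }
        }' "$groupfile" | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# check_sgids USER GROUPFILE "ID_G_OUTPUT" PRIMARY_GID
# ID_G_OUTPUT is the text printed by `id -G` inside the container (primary GID
# first, then supplementary GIDs). Prints "ok" and returns 0 when the observed
# supplementary GIDs equal the expected set; otherwise prints both lists and
# returns 1 so the check can gate a CI step or a post-upgrade audit.
check_sgids() {
    user="$1"; groupfile="$2"; observed="$3"; primary="$4"
    expected=$(expected_sgids "$user" "$groupfile" "$primary")
    observed_sup=$(for g in $observed; do
                       [ "$g" = "$primary" ] || echo "$g"
                   done | sort -n | tr '\n' ' ' | sed 's/ $//')
    if [ "$observed_sup" = "$expected" ]; then
        echo "ok"
        return 0
    fi
    echo "mismatch for $user: expected [$expected] observed [$observed_sup]"
    return 1
}

# Demonstration with constructed `id -G` outputs (inside a container you would
# use: check_sgids "$(id -un)" /etc/group "$(id -G)" "$(id -g)").
check_sgids app "$GROUPFILE" "1000 999 1500" 1000
check_sgids app "$GROUPFILE" "1000 0 999 1500" 1000 || echo "(constructed bad sample flagged)"
```

Run it inside the container as the application user; a non-zero exit means the process carries a supplementary GID that /etc/group does not grant it, or lacks one it should have, which is exactly the condition to investigate after this advisory.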
Affected Version(s)
containerd: < 1.5.18 (fixed in 1.5.18)
containerd: >= 1.6.0, < 1.6.18 (fixed in 1.6.18)