Debian DLA-442-1 : lxc security update

high Nessus Plugin ID 89042

Synopsis

The remote Debian host is missing a security update.

Description

Brief introduction

CVE-2013-6441

The template script lxc-sshd used to mount itself as /sbin/init in the container using a writable bind-mount.

This update resolved the above issue by using a read-only bind-mount instead preventing any form of potentially accidental damage.

CVE-2015-1335

On container startup, lxc sets up the container's initial file system tree by doing a bunch of mounting, guided by the container's configuration file.

The container config is owned by the admin or user on the host, so we do not try to guard against bad entries.
However, since the mount target is in the container, it's possible that the container admin could divert the mount with symbolic links. This could bypass proper container startup (i.e. confinement of a root-owned container by the restrictive apparmor policy, by diverting the required write to /proc/self/attr/current), or bypass the (path-based) apparmor policy by diverting, say, /proc to /mnt in the container.

This update implements a safe_mount() function that prevents lxc from doing mounts onto symbolic links.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected lxc package.

See Also

https://lists.debian.org/debian-lts-announce/2016/02/msg00033.html

https://packages.debian.org/source/squeeze-lts/lxc

Plugin Details

Severity: High

ID: 89042

File Name: debian_DLA-442.nasl

Version: 2.8

Type: local

Agent: unix

Published: 3/1/2016

Updated: 1/11/2021

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.2

Temporal Score: 5.3

Vector: CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:lxc, cpe:/o:debian:debian_linux:6.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 2/29/2016

Reference Information

CVE: CVE-2013-6441, CVE-2015-1335

BID: 65562