Spoofing attack in containerd (Alpine package)

1) Spoofing attack

EUVDB-ID: #VU24254

Risk: High

CVSSv4.0: 8.5 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/U:Amber]

CVE-ID: CVE-2020-0601

CWE-ID: CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to the way Windows CryptoAPI (Crypt32.dll) validates Elliptic Curve Cryptography (ECC) certificates. A remote attacker can use a spoofed code-signing certificate to sign a malicious executable, make it appear the file was from a trusted, legitimate source, trick a victim to open it and gain access to sensitive information.

Mitigation

Install update from vendor's website.

Vulnerable software versions

containerd (Alpine package): 1.2.2-r0 - 1.3.2-r1

CPE2.3

• cpe:2.3:o:alpine:containerd_alpine_package:1.2.2-r0:*:*:*:*:alpine_linux:*:3.9
• cpe:2.3:o:alpine:containerd_alpine_package:1.2.3-r0:*:*:*:*:alpine_linux:*:3.9
• cpe:2.3:o:alpine:containerd_alpine_package:1.2.4-r0:*:*:*:*:alpine_linux:*:3.9

External links

https://git.alpinelinux.org/aports/commit/?id=c64d2552678a7126d5e1d18ac54ea0ee126298d9
https://git.alpinelinux.org/aports/commit/?id=3b2d519d19eed612aeaf0a62ee9003e23cbe7c2f

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.