#VU26515 UNIX symbolic link following in Podman - CVE-2019-18466

Cybersecurity Help s.r.o.

Published: 2020-04-01

Vulnerability identifier: #VU26515

Vulnerability risk: Medium

CVSSv4.0: 2.1 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2019-18466

CWE-ID: CWE-61

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Podman
Universal components / Libraries / Libraries used by multiple products

Vendor: Container Projects

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue in libpod (podman) in the host context during a copy operation from the container to the host, because an undesired glob operation occurs. An attacker could create a container image containing particular symlinks that, when copied by a victim user to the host filesystem, may overwrite existing files with others from the host.

Successful exploitation of this vulnerability may result in privilege escalation on the host operating system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Podman: 0.2 - 1.5.1

External links
https://access.redhat.com/errata/RHSA-2019:4269
https://bugzilla.redhat.com/show_bug.cgi?id=1744588
https://github.com/containers/libpod/commit/5c09c4d2947a759724f9d5aef6bac04317e03f7e
https://github.com/containers/libpod/compare/v1.5.1...v1.6.0
https://github.com/containers/libpod/issues/3829

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

OpenSUSE Linux update for cni, cni-plugins, conmon, fuse-overlayfs, podman

Red Hat Enterprise Linux 7 Extras update for podman

Privilege escalation in Podman