Re: Re: cve request: systemd-machined: information exposure for docker containers

[Christian Rebischke <Chris.Rebischke () archlinux org>]

On Tue, Jul 26, 2016 at 03:24:13PM -0400, cve-assign () mitre org wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> > Once docker containers register themselves to systemd-machined
> > by oci-register-machine. Any unprivileged user could run
> > machinectl to list every single containers running in the host
> > even if the containers do not belong to this user (including containers
> > belong to the root user), and access sensitive information associated
> > with any individual container including its internal IP address, OS
> > version, running processes, and file path for its rootfs.
> >
> > $ machinectl status cc8d10c7b9892b75843d200d54d34a3a
> > cc8d10c7b9892b75843d200d54d34a3a(63633864313063376239383932623735)
> >            Since: Mon 2016-07-25 17:55:36 UTC; 34s ago
> >           Leader: 43494 (sleep)
> >          Service: docker; class container
> >             Root: /var/mnt/overlay/overlay/0429684e3da515ae4f11b8514c7b20f759613
> >          Address: 172.17.0.2
> >                   fe80::42:acff:fe11:2
> >               OS: Red Hat Enterprise Linux Server 7.2 (Maipo)
> >             Unit: docker-cc8d10c7b9892b75843d200d54d34a3a9435fe0f65527c254ebfd2d
> >                   43494 sleep 3000
>
> Use CVE-2016-6349.

Hello,
I don't think that the bug for this problem lies in systemd.
It's more a design mistake in docker or oci-register-machine.
I have forwarded this issue to the systemd developer team and I don't
think they will fix this in the future. In their opinion it's a
bug in docker or oci-register-machine:

https://github.com/systemd/systemd/issues/3815

by the way.. I would feel glad if the security researchers would first
message the developers and then assign a CVE a bug. This is the normal
way for a full disclosure.

best regards,

Christian Rebischke

Attachment: signature.asc
Description: