containerd Overly Broad Default Permission Vulnerability Allowing Local Privilege Escalation

Vulnerability

A vulnerability in containerd, an open-source container runtime, allows local privilege escalation because several directory paths are created with overly broad default permissions. Affected versions include 0.1.0 prior to 1.7.28, 2.0.0-beta.0 prior to 2.0.6, 2.1.0-beta.0 prior to 2.1.4, and 2.2.0-beta.0 prior to 2.2.0-rc.1. Because the affected directories are created with incorrect permission modes, unprivileged local users can read the sensitive metadata and content stored beneath them, which can lead to unauthorized privilege escalation.

Impact

The vulnerability allows local users to access directories with sensitive information, such as the metadata store and content store, which could include setuid binaries. This access could be exploited to elevate privileges on the host.

Remediation

Users can update to containerd versions 2.2.0, 2.1.5, 2.0.7, or 1.7.29, all of which correct the directory permissions. Alternatively, containerd can be run in rootless mode, or the system administrator can manually change the permissions of the affected directories to remove group and world access.
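The manual remediation above (removing group and world access from the affected directories) can be checked and applied with a small POSIX shell script. The script below is an added example, not code from the containerd project or from this advisory; the advisory does not name the affected paths, so the directory to harden is passed in as an argument and the sample tree used for demonstration is constructed in a temporary directory. It first counts every entry under the given root whose mode grants any permission to group or others, then strips those bits recursively, which also blocks traversal into any subdirectory holding metadata, content, or setuid binaries.

```shell
#!/bin/sh
# Added example (not containerd's own code): audit a runtime data directory for
# entries readable, writable, or traversable by group or others, then remove
# that access as the advisory's manual remediation describes.
# The directory path is supplied by the caller; the advisory names no paths.

# count_exposed DIR: print the number of entries under DIR (including DIR
# itself) whose mode has any group or other permission bit set.
count_exposed() {
    find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
              -o -perm -004 -o -perm -002 -o -perm -001 \) | wc -l | tr -d ' '
}

# harden_perms DIR: recursively clear all group and other permission bits so
# only the owner (normally root for a rootful runtime) can reach the contents.
harden_perms() {
    chmod -R go-rwx "$1"
}

# make_sample_dir: build a constructed tree that mimics a data directory with
# overly broad modes (a 755 subdirectory, a 644 file, a 750 subdirectory) and
# print its path. This is demo scaffolding, not a real containerd layout.
make_sample_dir() {
    d=$(mktemp -d)                 # mktemp creates the root with mode 700
    mkdir "$d/meta" "$d/content"
    : > "$d/meta/db"
    chmod 755 "$d/meta"            # group/world can list and traverse
    chmod 644 "$d/meta/db"         # group/world can read
    chmod 750 "$d/content"         # group can list and traverse
    printf '%s\n' "$d"
}

# Usage: sh harden.sh /path/to/runtime/root   (the path is whatever your
# deployment uses; it is an assumption here, not a value from the advisory)
if [ -n "${1:-}" ]; then
    echo "exposed entries before: $(count_exposed "$1")"
    harden_perms "$1"
    echo "exposed entries after:  $(count_exposed "$1")"
fi
```

Run the audit first on its own to see which entries are exposed before changing anything; on a host where containerd is already running, the count after hardening should be 0, and the runtime, which operates as root, keeps full access through the owner bits.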

Added: Nov 6, 2025, 7:21 PM
Updated: Nov 6, 2025, 7:51 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          5.0
exploitability  4.0
remediation     0.0
relevance       0.9
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.