Youki Libcontainer Tenant Builder Capabilities Elevation Vulnerability

Vulnerability

A vulnerability in the Youki libcontainer tenant container builder allows elevation of Linux process capabilities. The builder can unintentionally inherit capabilities from the main container and elevate them further, particularly when user-provided capabilities are added. The vulnerability is present in libcontainer versions prior to 0.5.3 and does not affect the Youki binary itself. The issue is similar to a previously reported vulnerability in runc, CVE-2022-29162, which also involved improper handling of inherited capabilities.

Impact

Exploitation of this vulnerability can lead to unauthorized elevation of capabilities in the tenant container, allowing processes to gain additional privileges they should not have.

Reproduction

To reproduce this vulnerability, create a tenant container using a libcontainer tenant builder from a version prior to 0.5.3 and pass it a list of capabilities to add to the tenant container. The builder inherits capabilities from the main container, which can lead to an elevation of privileges. Verify this by inspecting the capabilities of the processes running in the tenant container: they may have been improperly elevated by the capabilities inherited from the main container.

Remediation

Users can update to libcontainer version 0.5.3 or later, where this vulnerability has been fixed. If an immediate update is not possible, do not pass user-provided capabilities to the tenant builder, or verify and filter the capabilities before setting them on the tenant container.
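As an added example of the "verify and filter" workaround above (this is not youki's own code and uses no libcontainer API), the following Rust pre-filter parses the main container's CapBnd line from /proc/<pid>/status and rejects any user-requested capability that the main container's bounding set does not already hold, so the list handed to the tenant builder can never add to what the main container has; the CapBnd value and the requested list are constructed sample data.

```rust
use std::collections::BTreeSet;

// Linux capability names in kernel bit order (array index == capability number).
const CAP_NAMES: [&str; 41] = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
];

/// Parse a `/proc/<pid>/status` capability line such as "CapBnd:\t00000000a80425fb"
/// into the set of capability names whose bit is set in the hex mask.
pub fn parse_cap_mask(status_line: &str) -> Option<BTreeSet<String>> {
    let hex = status_line.split(':').nth(1)?.trim();
    let mask = u64::from_str_radix(hex, 16).ok()?;
    let caps = CAP_NAMES
        .iter()
        .enumerate()
        .filter(|(bit, _)| mask & (1u64 << *bit) != 0)
        .map(|(_, name)| name.to_string())
        .collect();
    Some(caps)
}

/// Split user-requested capabilities into those the main container's bounding set
/// already holds (safe to set on the tenant) and those that would be an elevation
/// (rejected). Names are normalised to upper-case "CAP_..."; unknown names are rejected.
pub fn filter_caps(requested: &[&str], bounding: &BTreeSet<String>) -> (Vec<String>, Vec<String>) {
    let mut allowed = Vec::new();
    let mut rejected = Vec::new();
    for cap in requested {
        let name = cap.trim().to_ascii_uppercase();
        let name = if name.starts_with("CAP_") { name } else { format!("CAP_{name}") };
        if bounding.contains(&name) { allowed.push(name) } else { rejected.push(name) }
    }
    (allowed, rejected)
}

fn main() {
    // Constructed sample: CapBnd of a main container running with a typical default cap set.
    let bounding = parse_cap_mask("CapBnd:\t00000000a80425fb").expect("well-formed mask");
    let (ok, bad) = filter_caps(&["CAP_NET_BIND_SERVICE", "sys_admin", "CAP_NET_RAW"], &bounding);
    println!("set on tenant: {ok:?}; rejected as elevation: {bad:?}");
}
```

Only the `allowed` list should be passed on to the tenant builder; a non-empty `rejected` list is worth logging, since it is exactly the elevation the unpatched builder would have granted.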

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.