Crun Privilege Escalation Vulnerability via Incorrect User Option Parsing
Vulnerability
A privilege escalation vulnerability exists in the open-source OCI container runtime 'crun', versions 1.19 through 1.26. The issue arises in the 'crun exec' command when the '-u' or '--user' option is used: the runtime misinterprets the value '1', treating it as UID 0 and GID 0 instead of the correct UID 1 and GID 0. As a result, a process that was meant to run as UID 1 executes as root inside the container. The vulnerability has been addressed in version 1.27.
Impact
Exploitation of this vulnerability allows for unauthorized privilege escalation, with processes running under the root user instead of the intended user.
Reproduction
The vulnerability can be reproduced on a Fedora 43 system. After creating a user and starting a container with 'podman', run 'crun exec' with the '-u' option set to '1'. The process reports '0' (UID 0), indicating that it is running with root privileges instead of the expected user privileges.
Remediation
Users should upgrade to 'crun' version 1.27, which fixes the user option parsing issue. This version is available on the 'crun' GitHub releases page.
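The following script is an added example, not part of this advisory or of the crun project. It gives a defender two checks: a version test that flags an installed crun in the affected 1.19 through 1.26 range, and an optional probe that runs the '-u 1' exec described under Reproduction against an existing container and reports the observed UID and GID (the correct result is '1 0'; '0 0' is the faulty mapping). It assumes that the first line of 'crun --version' output reads 'crun version X.Y' and that a container id is supplied by the caller; both are assumptions, not facts from the page.

```shell
#!/bin/sh
# Added example (not the advisory's or crun's own code): check an installed
# crun against the affected range and, on request, verify the exec user mapping.

# Extract the version number from 'crun --version' output.
# Assumption: the first line has the form "crun version X.Y[.Z]".
crun_version_from_output() {
  printf '%s\n' "$1" | awk 'NR == 1 && $1 == "crun" && $2 == "version" { print $3 }'
}

# Return 0 (true) when the version is within 1.19 .. 1.26 inclusive,
# 1 when it is outside that range, 2 when the string cannot be parsed.
# A trailing "-rc" style suffix and any patch component are ignored.
crun_version_affected() {
  v=${1%%-*}
  major=${v%%.*}
  rest=${v#*.}
  minor=${rest%%.*}
  case "$major" in ''|*[!0-9]*) return 2 ;; esac
  case "$minor" in ''|*[!0-9]*) return 2 ;; esac
  if [ "$major" -eq 1 ] && [ "$minor" -ge 19 ] && [ "$minor" -le 26 ]; then
    return 0
  fi
  return 1
}

# Run the '-u 1' probe from the advisory against a running container and
# print "UID GID" as seen by the exec'd process. Expected on a fixed runtime:
# "1 0". A result of "0 0" matches the faulty mapping described above.
# Requires crun and a container id (assumed to be passed in by the caller).
crun_exec_user_probe() {
  ctr=$1
  crun exec -u 1 "$ctr" sh -c 'echo "$(id -u) $(id -g)"'
}

# Usage: sh check_crun.sh --check [CONTAINER_ID]
if [ "${1:-}" = "--check" ]; then
  if command -v crun >/dev/null 2>&1; then
    ver=$(crun_version_from_output "$(crun --version 2>/dev/null)")
    if crun_version_affected "$ver"; then
      echo "crun $ver: in affected range 1.19-1.26, upgrade to 1.27"
    else
      echo "crun $ver: not in affected range"
    fi
    if [ -n "${2:-}" ]; then
      echo "exec -u 1 observed UID GID: $(crun_exec_user_probe "$2")"
    fi
  else
    echo "crun not installed"
  fi
fi
```

The version check is deliberately conservative: it ignores patch levels, so a 1.26.x build is still reported as affected and the probe is the authoritative test where a container is available.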