8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43816

GHSA ID

GHSA-mvff-h3cj-wj9c

EPSS Score

0.37093%

CWE

CWE-281

Published

1/6/2022

Updated

2/3/2023

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-43816

CVE-2021-43816:
Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux

Impact

Containers launched through containerd’s CRI implementation on Linux systems which use the SELinux security module and containerd versions since v1.5.0 can cause arbitrary files and directories on the host to be relabeled to match the container process label through the use of specially-configured bind mounts in a hostPath volume. This relabeling elevates permissions for the container, granting full read/write access over the affected files and directories. Kubernetes and crictl can both be configured to use containerd’s CRI implementation.

If you are not using containerd’s CRI implementation (through one of the mechanisms described above), you are not affected by this issue.

Patches

This bug has been fixed in containerd 1.5.9. Because file labels persist independently of containerd, users should both update to these versions as soon as they are released and validate that all files on their host are correctly labeled.

Workarounds

Ensure that no sensitive files or directories are used as a hostPath volume source location. Policy enforcement mechanisms such a Kubernetes Pod Security Policy AllowedHostPaths may be specified to limit the files and directories that can be bind-mounted to containers.

For more information

If you have any questions or comments about this advisory:

Open an issue in containerd
Email us at security@containerd.io

(GitHub Advisory)

8.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-43816

GHSA ID

GHSA-mvff-h3cj-wj9c

EPSS Score

0.37093%

CWE

CWE-281

Published

1/6/2022

Updated

2/3/2023

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/containerd/containerd	go	>= 1.5.0, < 1.5.9	1.5.9

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability arises from improper SELinux labeling of hostPath-mounted files. The commit a731039 introduced WithRelabeledContainerMounts to explicitly relabel /etc/hosts, /etc/hostname, and /etc/resolv.conf. Before this fix, the WithMounts function (spec_linux.go) handled mount creation without this relabeling, and the containerSpec function (container_create_linux.go) did not include the relabeling step in the specOpts chain. These omissions allowed containers to relabel host files via hostPath mounts, leading to privilege escalation. The high confidence stems from the patch directly addressing these two code paths by adding the missing relabeling logic.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *ont*in*rs l*un**** t*rou** *ont*in*r*’s *RI impl*m*nt*tion on Linux syst*ms w*i** us* t** S*Linux s**urity mo*ul* *n* *ont*in*r* v*rsions sin** v*.*.* **n **us* *r*itr*ry *il*s *n* *ir**tori*s on t** *ost to ** r*l***l** to m*t** t** *on

Reasoning

T** vuln*r**ility *ris*s *rom improp*r S*Linux l***lin* o* *ostP*t*-mount** *il*s. T** *ommit ******* intro*u*** Wit*R*l***l***ont*in*rMounts to *xpli*itly r*l***l /*t*/*osts, /*t*/*ostn*m*, *n* /*t*/r*solv.*on*. ***or* t*is *ix, t** Wit*Mounts *un*t

8.1

Basic Information

Concerned about an active attack path?

CVE-2021-43816: Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux

Impact

Patches

Workarounds

For more information

8.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2021-43816:
Unprivileged pod using `hostPath` can side-step active LSM when it is SELinux

Vulnerability Intelligence
Miggo AI