
CVE-2023-25809:
rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc

CVSS Score: 2.5

Basic Information

EPSS Score: -
Published: 3/30/2023
Updated: 3/30/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:L

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| github.com/opencontainers/runc | go | < 1.1.5 | 1.1.5 |

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability stems from how cgroup v2 mounts are handled in rootless mode. The original `mountCgroupV2` function attempted to bind-mount cgroup paths without enforcing read-only permissions when the cgroup namespace (cgroupns) was not unshared. The commit diff shows critical changes to this function's error-handling path, adding proper masking and read-only enforcement. The CWE-281 (Improper Preservation of Permissions) mapping confirms this is a permissions-preservation issue in mount handling. The added integration test in `mounts.bats` specifically validates the read-only enforcement, further confirming that this function was the source of the vulnerability.
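As an added example (not code from this page or from runc), here is a Go check an operator could run against a container's OCI `config.json` and its `/proc/self/mountinfo` to spot the exposed combination the analysis describes: no cgroup namespace requested, and `/sys/fs/cgroup` mounted read-write rather than read-only. Both inputs below are constructed samples, and the function names are this example's own.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample inputs (not captured from a real host or container).
const sampleConfig = `{"linux":{"namespaces":[{"type":"pid"},{"type":"mount"},{"type":"user"}]}}`
const sampleMountinfo = `35 24 0:21 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
36 24 0:27 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - cgroup2 cgroup2 rw,nsdelegate`

// Only the slice of the OCI runtime spec config.json this check needs
// (encoding/json matches the lowercase keys case-insensitively).
type ociConfig struct {
	Linux struct{ Namespaces []struct{ Type string } }
}

// UnsharesCgroupNS reports whether config.json asks the runtime to unshare a cgroup namespace.
func UnsharesCgroupNS(configJSON []byte) (bool, error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return false, err
	}
	for _, ns := range cfg.Linux.Namespaces {
		if ns.Type == "cgroup" {
			return true, nil
		}
	}
	return false, nil
}

// CgroupMountReadOnly locates /sys/fs/cgroup in mountinfo text and reports whether its
// per-mount options carry "ro"; superblock options after "-" are ignored on purpose,
// since a read-only bind mount sits over a filesystem that is itself still "rw".
func CgroupMountReadOnly(mountinfo string) (found, ro bool) {
	for _, line := range strings.Split(mountinfo, "\n") {
		f := strings.Fields(line)
		// mountinfo fields: id parent maj:min root mountpoint mountopts ... - fstype source superopts
		if len(f) < 6 || f[4] != "/sys/fs/cgroup" {
			continue
		}
		return true, strings.Contains(","+f[5]+",", ",ro,")
	}
	return false, false
}

func main() {
	unshared, err := UnsharesCgroupNS([]byte(sampleConfig))
	found, ro := CgroupMountReadOnly(sampleMountinfo)
	fmt.Println(unshared, err, found, ro) // false <nil> true false: the exposed combination
}
```

A result of "no cgroup namespace" together with "cgroup mount found but not ro" is the state the fixed runc release prevents; either condition alone is not the issue.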


WAF Protection Rules

WAF Rule

### Impact

It was found that rootless runc makes `/sys/fs/cgroup` writable in the following conditions: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g., `(docker|podman|
