CVE-2020-1704

Vulnerability

An insecure modification vulnerability in the /etc/passwd file exists in all versions of OpenShift ServiceMesh (maistra) before 1.0.8, specifically in the openshift/istio-kialia-rhel7-operator-container [1]. The container incorrectly sets permissions on /etc/passwd making it modifiable by users other than root [1]. An attacker with access to the container can exploit this to modify /etc/passwd and escalate their privileges [1].

Exploitation

An attacker requires access to the running container [1]. By default, unprivileged containers on OpenShift Container Platform block the SETUID and SETGID system calls via the default seccomp policy, making exploitation more difficult [1]. However, if the attacker can bypass these restrictions or if the container runs with a less restrictive policy, the attacker can modify /etc/passwd to add a new user or alter existing entries, thereby gaining elevated privileges [1].

Impact

Successful exploitation allows the attacker to escalate their privileges within the container, potentially gaining root access or the ability to run commands as other users [1]. This could lead to further compromise of the container or the underlying host, depending on the container's security context [1].

Mitigation

Update OpenShift ServiceMesh (maistra) to version 1.0.8 or later, which fixes the incorrect permissions on /etc/passwd [1]. If immediate patching is not possible, ensure that containers run with the default seccomp policy that blocks SETUID and SETGID system calls, which mitigates the exploitability in standard OpenShift deployments [1].