CVE-2020-14300 - Improper Check for Dropped Privileges

Severity

88%

Complexity

20%

Confidentiality

100%

The docker packages version docker-1.13.1-108.git4ef4b30.el7 as released for Red Hat Enterprise Linux 7 Extras via RHBA-2020:0053 (https://access.redhat.com/errata/RHBA-2020:0053) included an incorrect version of runc that was missing multiple bug and security fixes. One of the fixes regressed in that update was the fix for CVE-2016-9962, that was previously corrected in the docker packages in Red Hat Enterprise Linux 7 Extras via RHSA-2017:0116 (https://access.redhat.com/errata/RHSA-2017:0116). The CVE-2020-14300 was assigned to this security regression and it is specific to the docker packages produced by Red Hat. The original issue - CVE-2016-9962 - could possibly allow a process inside container to compromise a process entering container namespace and execute arbitrary code outside of the container. This could lead to compromise of the container host or other containers running on the same container host. This issue only affects a single version of Docker, 1.13.1-108.git4ef4b30, shipped in Red Hat Enterprise Linux 7. Both earlier and later versions are not affected.

CVSS 3.1 Base Score 8.8. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H).

CVSS 2.0 Base Score 4.6. CVSS Attack Vector: local. CVSS Attack Complexity: low. CVSS Vector: (AV:L/AC:L/Au:N/C:P/I:P/A:P).

Demo Examples

Improper Check for Dropped Privileges

CWE-273

This code attempts to take on the privileges of a user before creating a file, thus avoiding performing the action with unnecessarily high privileges:


               
}
/../

The call to ImpersonateNamedPipeClient may fail, but the return value is not checked. If the call fails, the code may execute with higher privileges than intended. In this case, an attacker could exploit this behavior to write a file to a location that the attacker does not have access to.

Overview

First reported 4 years ago

2020-07-13 22:15:00

Last updated 4 years ago

2020-07-21 19:32:00

Affected Software

Docker 1.13.1

1.13.1

RedHat Enterprise Linux Server 7.0

7.0

References

https://access.redhat.com/errata/RHBA-2020:0427

https://access.redhat.com/security/cve/CVE-2016-9962

https://access.redhat.com/security/vulnerabilities/cve-2016-9962

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9962

https://access.redhat.com/errata/RHBA-2020:0427

Vendor Advisory

https://access.redhat.com/security/cve/CVE-2016-9962

Not Applicable

https://access.redhat.com/security/vulnerabilities/cve-2016-9962

Not Applicable

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2016-9962

Not Applicable

Stay updated

ExploitPedia is constantly evolving. Sign up to receive a notification when we release additional functionality.

Get in touch

If you'd like to report a bug or have any suggestions for improvements then please do get in touch with us using this form. We will get back to you as soon as we can.