Amazon Linux AMI update for containerd

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU77529

Risk: Medium

CVSSv4.0: 7.2 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29403

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: No

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists within Go runtime due to application allows to execute setuid/setgid binaries without any restrictions. An attacker with ability to control the application flow can execute arbitrary code on the system with elevated privileges.

Mitigation

Update the affected packages:

aarch64:
    containerd-stress-debuginfo-1.7.2-1.amzn2023.0.2.aarch64
    containerd-stress-1.7.2-1.amzn2023.0.2.aarch64
    containerd-debuginfo-1.7.2-1.amzn2023.0.2.aarch64
    containerd-1.7.2-1.amzn2023.0.2.aarch64
    containerd-debugsource-1.7.2-1.amzn2023.0.2.aarch64

src:
    containerd-1.7.2-1.amzn2023.0.2.src

x86_64:
    containerd-debuginfo-1.7.2-1.amzn2023.0.2.x86_64
    containerd-stress-1.7.2-1.amzn2023.0.2.x86_64
    containerd-stress-debuginfo-1.7.2-1.amzn2023.0.2.x86_64
    containerd-1.7.2-1.amzn2023.0.2.x86_64
    containerd-debugsource-1.7.2-1.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

containerd: All versions

CPE2.3

• cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
• cpe:2.3:a:amazon_web_services:containerd:*:*:*:*:*:amazon_linux_ami:*:*

External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-312.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Improper Neutralization of HTTP Headers for Scripting Syntax

EUVDB-ID: #VU78327

Risk: Medium

CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2023-29406

CWE-ID: CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper input validation in HTTP/1 client when handling HTTP Host header. A remote non-authenticated attacker can send a specially crafted HTTP request with a maliciously crafted Host header and inject additional headers or entire requests.

Successful exploitation of the vulnerability may allow an attacker to perform cross-site scripting, cache poisoning or session hijacking attacks.

Mitigation

Update the affected packages:

aarch64:
    containerd-stress-debuginfo-1.7.2-1.amzn2023.0.2.aarch64
    containerd-stress-1.7.2-1.amzn2023.0.2.aarch64
    containerd-debuginfo-1.7.2-1.amzn2023.0.2.aarch64
    containerd-1.7.2-1.amzn2023.0.2.aarch64
    containerd-debugsource-1.7.2-1.amzn2023.0.2.aarch64

src:
    containerd-1.7.2-1.amzn2023.0.2.src

x86_64:
    containerd-debuginfo-1.7.2-1.amzn2023.0.2.x86_64
    containerd-stress-1.7.2-1.amzn2023.0.2.x86_64
    containerd-stress-debuginfo-1.7.2-1.amzn2023.0.2.x86_64
    containerd-1.7.2-1.amzn2023.0.2.x86_64
    containerd-debugsource-1.7.2-1.amzn2023.0.2.x86_64

Vulnerable software versions

Amazon Linux AMI: All versions

containerd: All versions

CPE2.3

• cpe:2.3:o:amazon_web_services:amazon_linux_ami:*:*:*:*:*:*:*:*
• cpe:2.3:a:amazon_web_services:containerd:*:*:*:*:*:amazon_linux_ami:*:*

External links

https://alas.aws.amazon.com/AL2023/ALAS-2023-312.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.