Main Vulnerability Database Vulnerabilities #VU33995

#VU33995 Improper Preservation of Permissions in Kata Containers - CVE-2020-2025

Published: August 5, 2020

Vulnerability identifier: #VU33995

Vulnerability risk: High

CVSSv4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:U/U:Amber

CVE-ID: CVE-2020-2025

CWE-ID:

Exploitation vector: Adjecent network

Exploit availability: No public exploit available

Vulnerable software:
Kata Containers

Software vendor:
Kata Containers

Description

The vulnerability allows a remote attacker to take over all guest operating systems on the hypervisor.

Kata Containers before 1.11.0 on Cloud Hypervisor persists guest filesystem changes to the underlying image file on the host. A malicious guest can overwrite the image file to gain control of all subsequent guest VMs. Since Kata Containers uses the same VM image file with all VMMs, this issue may also affect QEMU and Firecracker based guests.

Remediation

Install updates from vendor's website.

External links

https://github.com/kata-containers/runtime/pull/2487