CGA-7qqm-fhvx-h75j
Side-Channel Attack vulnerability in containerd (Go)


What is CGA-7qqm-fhvx-h75j About?

This vulnerability concerns the default accessibility of `/sys/devices/virtual/powercap` within containers, exposing Intel's RAPL readings via sysfs. This allows unprivileged users (or root inside a container without user namespaces) to conduct power-based side-channel attacks, such as PLATYPUS. While not a direct runtime flaw, it poses a risk in multi-tenant container environments due to information leakage, making it moderately complex to exploit.

Affected Software

  • github.com/containerd/containerd
    • >1.7.0, <1.7.11
    • <1.6.26

Technical Details

The vulnerability stems from the default accessibility of /sys/devices/virtual/powercap within Linux containers. This path exposes Intel's RAPL (Running Average Power Limit) readings via the sysfs interface. Older Linux kernel versions (prior to 5.10) allowed unprivileged userspace access to these readings. Even with kernel mitigations preventing non-root access for bare-metal systems, containers often run with sufficient privileges (root inside the container, especially without user namespaces) to access this read-only mount. This default accessibility enables power-based side-channel attacks, such as PLATYPUS (CVE-2020-8694, CVE-2020-8695, CVE-2020-12912), which can infer sensitive information (e.g., cryptographic keys from AES-NI operations, KASLR offsets) by analyzing power consumption patterns. Although sysfs is read-only, read access is sufficient for such attacks. Other, more privileged ways of accessing RAPL exist, but this specific issue highlights the danger of default container configurations.

What is the Impact of CGA-7qqm-fhvx-h75j?

Successful exploitation may allow attackers to conduct side-channel attacks, leading to information leakage of sensitive data such as cryptographic keys or kernel address space layout randomization (KASLR) offsets. This can undermine confidentiality and facilitate further system exploitation.

What is the Exploitability of CGA-7qqm-fhvx-h75j?

Exploitation is of moderate complexity, primarily because of the nature of side-channel attacks. The prerequisites are a container running on a bare-metal Intel system (or AMD equivalent) where RAPL is exposed via /sys/devices/virtual/powercap, and a container not configured with user namespaces, so that root inside the container has access to the /sys filesystem. Authentication requirements are minimal: any process running as root within such a container can read the powercap interface, even though that user is generally considered unprivileged from the host's perspective. The access is local to the container; however, if the container hosts remotely accessible services, the side-channel attack's effects could be triggered remotely. Special conditions include specific CPU architectures (Intel RAPL, AMD power mechanisms) and Linux kernel versions prior to 5.10 (though container setups can bypass this restriction for in-container root). Risk factors that increase the likelihood of exploitation include multi-tenant container environments where untrusted workloads run, as well as sensitive cryptographic operations or security features (such as AES-NI, KASLR) within the containerized applications that could be profiled.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CGA-7qqm-fhvx-h75j?

A Fix by Resolved Security Exists!
See how we help you strengthen security with automated backported fixes for your libraries.

About the Fix from Resolved Security

The patch adds deny rules and masks for /sys/devices/virtual/powercap in the AppArmor profile and the container spec, preventing containerized processes from accessing powercap interfaces. This mitigates the risk described in GHSA-7ww5-4wqc-m92c, where exposure of RAPL/powercap devices could enable side-channel attacks (such as PLATYPUS) from untrusted containers. By blocking access, the patch eliminates this side-channel vector.
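As an added example (not containerd's own code), the following Go program shows the container-spec side of the mitigation: it reads the linux.maskedPaths list from an OCI runtime config.json, reports whether /sys/devices/virtual/powercap is masked, and appends the entry when it is missing. The config.json fragment is constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// powercapPath is the sysfs tree that exposes Intel RAPL energy counters.
const powercapPath = "/sys/devices/virtual/powercap"
// ociSpec holds the subset of an OCI runtime config.json we need.
type ociSpec struct {
	Linux struct {
		MaskedPaths []string `json:"maskedPaths"`
	} `json:"linux"`
}
// MaskedPaths extracts linux.maskedPaths from an OCI config.json.
func MaskedPaths(configJSON []byte) ([]string, error) {
	var spec ociSpec
	if err := json.Unmarshal(configJSON, &spec); err != nil {
		return nil, fmt.Errorf("parse config.json: %w", err)
	}
	return spec.Linux.MaskedPaths, nil
}
// IsPowercapMasked reports whether the powercap tree is in the mask list.
func IsPowercapMasked(masked []string) bool {
	for _, p := range masked {
		if p == powercapPath {
			return true
		}
	}
	return false
}

// EnsurePowercapMasked returns a copy of the list with the powercap path
// appended when it is missing, plus whether anything changed (idempotent).
func EnsurePowercapMasked(masked []string) ([]string, bool) {
	if IsPowercapMasked(masked) {
		return masked, false
	}
	return append(append([]string(nil), masked...), powercapPath), true
}

// sampleConfig is a constructed config.json fragment whose mask list lacks the powercap entry.
const sampleConfig = `{"ociVersion":"1.0.2","linux":{"maskedPaths":["/proc/kcore","/sys/firmware"]}}`

func main() {
	masked, _ := MaskedPaths([]byte(sampleConfig)) // the constructed sample always parses
	fixed, changed := EnsurePowercapMasked(masked)
	fmt.Println("masked before:", IsPowercapMasked(masked), "changed:", changed, fixed)
}
```

On a real host the same check can be run against the config.json of a bundle under the runtime's state directory, but note that the AppArmor deny rule from the patch is a separate layer and is not covered by this spec check.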

Available Upgrade Options

  • github.com/containerd/containerd
    • <1.6.26 → Upgrade to 1.6.26
  • github.com/containerd/containerd
    • >1.7.0, <1.7.11 → Upgrade to 1.7.11


Additional Resources

What are Similar Vulnerabilities to CGA-7qqm-fhvx-h75j?

Similar Vulnerabilities: CVE-2020-8694, CVE-2020-8695, CVE-2020-12912, CVE-2021-3928, CVE-2022-21166