CVE-2018-1196
Privilege Escalation vulnerability in spring-boot (Maven)
What is CVE-2018-1196 About?
This vulnerability is a privilege escalation flaw in Moby (Docker Engine) that arises when the daemon is started with non-empty inheritable Linux process capabilities. Processes running within containers can then inherit capabilities they should not possess, potentially leading to privilege escalation. Exploitation depends on which capabilities are inherited and on whether the containerized application can make use of them.
Affected Software
Technical Details
The Moby (Docker Engine) daemon, when initialized, is inadvertently started with non-empty inheritable Linux process capabilities (e.g., CAP_NET_RAW, CAP_SYS_ADMIN). According to the Linux capability model, inheritable capabilities are passed from parent to child processes, but to become active, they must also be present in the permitted set. The vulnerability occurs because the Docker daemon implicitly passes these capabilities to the container's init process (typically runc). Consequently, any processes running within the container can potentially gain access to these elevated capabilities, even if the container was configured without specific capability grants. This circumvents the intended security isolation of containers, allowing a process inside the container to perform operations that should normally be restricted to the host or privileged containers, leading to privilege escalation within the host system context.
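The check implied by the paragraph above, as an added example (not code from this page or from the Moby project): it decodes the `Cap*` masks in `/proc/<pid>/status`, reports a non-empty inheritable set, and applies the `execve` rule from capabilities(7) to show when an inherited capability actually lands in the permitted set. The sample status text and the helper names are constructed for illustration; setuid binaries and root's special handling are ignored.

```python
import re

# List index == capability bit number (linux/capability.h).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID SETPCAP "
    "LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW IPC_LOCK "
    "IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT SYS_ADMIN "
    "SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD LEASE AUDIT_WRITE "
    "AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG WAKE_ALARM BLOCK_SUSPEND "
    "AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
FIELDS = ("CapInh", "CapPrm", "CapEff", "CapBnd", "CapAmb")

def cap_mask(*names):
    """Build a bitmask from short capability names, e.g. cap_mask("NET_RAW")."""
    return sum(1 << CAP_NAMES.index(n) for n in names)

def cap_names(mask):
    """Decode a capability bitmask into a sorted-by-bit list of CAP_* names."""
    return [f"CAP_{n}" for bit, n in enumerate(CAP_NAMES) if mask >> bit & 1]

def parse_caps(status_text):
    """Return {'CapInh': int, ...} from the text of /proc/<pid>/status."""
    found = dict(re.findall(r"^(Cap[A-Z][a-z]{2}):\s*([0-9a-fA-F]+)\s*$", status_text, re.M))
    return {f: int(found.get(f, "0"), 16) for f in FIELDS}

def permitted_after_exec(proc, file_inh=0, file_prm=0):
    """P'(permitted) = (P(inh) & F(inh)) | (F(prm) & P(bnd)) | P'(ambient)."""
    # Ambient caps are dropped when the executed file carries file capabilities.
    ambient = 0 if (file_inh or file_prm) else proc["CapAmb"]
    return (proc["CapInh"] & file_inh) | (file_prm & proc["CapBnd"]) | ambient

# Constructed sample: unprivileged process in a container whose inheritable set
# was left non-empty (the mask shown equals Docker's default capability list).
SAMPLE_STATUS = """Name:\tsh
Uid:\t1000\t1000\t1000\t1000
CapInh:\t00000000a80425fb
CapPrm:\t0000000000000000
CapEff:\t0000000000000000
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    caps = parse_caps(SAMPLE_STATUS)
    print("inheritable (should be empty):", cap_names(caps["CapInh"]))
    print("after exec of a plain binary:", cap_names(permitted_after_exec(caps)))
    flagged = cap_mask("NET_RAW", "SYS_ADMIN")  # hypothetical file with +i caps
    print("after exec of a +i binary:  ", cap_names(permitted_after_exec(caps, file_inh=flagged)))
```

To audit a live process, pass the contents of `/proc/<pid>/status` to `parse_caps`; an empty `CapInh` is the expected result for a process inside a container.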
What is the Impact of CVE-2018-1196?
Successful exploitation may allow containerized processes to access elevated Linux capabilities, potentially leading to privilege escalation, escape from containerization, or unauthorized access to host resources.
What is the Exploitability of CVE-2018-1196?
Exploitation of this vulnerability is complex. It requires an attacker to be able to execute code within a container started by the affected Moby daemon. There are no authentication requirements beyond gaining access to a container. Privilege requirements are initially those of a non-privileged container user. This is a local exploitation scenario, leveraging misconfiguration on the host to escape container isolation. Special conditions include the Moby daemon being started with unintended inheritable capabilities and the specific capabilities being exploitable by common Linux tools or specific containerized applications. The likelihood of exploitation increases if high-privilege capabilities are unintentionally inherited and if the containerized application provides means to leverage these capabilities.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-1196?
Available Upgrade Options
- org.springframework.boot:spring-boot
  - >1.5.0, <1.5.10 → Upgrade to 1.5.10
Additional Resources
What are Similar Vulnerabilities to CVE-2018-1196?
Similar Vulnerabilities: CVE-2022-0492, CVE-2021-41092, CVE-2020-15257, CVE-2019-5736, CVE-2019-14271
