CVE-2021-20182

Severity: 8.8 HIGH (CVSS v3)

📋 TL;DR

This CVE describes a privilege escalation flaw in OpenShift's build container (openshift4/ose-docker-builder). The builder runs with high privileges inside a chrooted environment rather than a runc container, so a process that gets code execution inside it can reach the node's raw devices (network and storage) and from there escalate at least to cluster admin, the highest privilege level in OpenShift. Getting into the build container is the easy part: a Docker-strategy build executes the Dockerfile's RUN instructions inside it, so anyone allowed to submit a build they control already has that foothold. This affects OpenShift 4 deployments running a vulnerable ose-docker-builder image.

💻 Affected Systems

Products:
  • openshift4/ose-docker-builder
Versions: OpenShift 4 versions prior to 4.7.13, 4.6.23, and 4.5.31
Operating Systems: Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects OpenShift 4 deployments using the default docker-builder configuration with chroot isolation.

📦 What is this software?

ose-docker-builder is the builder image that OpenShift 4's build controller runs as the build pod for Docker-strategy and Source-strategy builds. The pod is scheduled on a worker node and runs privileged so that it can build container images (with Buildah) inside the cluster; the flaw is in how that privileged container isolates the build steps from the node.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full cluster compromise allowing attackers to access all cluster resources, modify configurations, exfiltrate sensitive data, and disrupt operations.

🟠

Likely Case

Privilege escalation from build container to node-level access, potentially leading to lateral movement within the cluster.

🟢

If Mitigated

Limited if build creation is confined to trusted principals, build pods run on dedicated nodes and are network-isolated, and build activity is monitored. These controls reduce who can reach the container and where an escape lands, not what the container can do once reached.

🌐 Internet-Facing: MEDIUM - The build container is not itself exposed, but anything that can trigger a build with attacker-controlled input (a CI/CD pipeline, a Git webhook, a shared namespace) delivers code into it.
🏢 Internal Only: HIGH - Any authenticated user or service account with build rights in a namespace can reach the build container; from there the escalation is straightforward.

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No
Complexity: LOW

Exploitation requires a foothold in the build container, which any principal able to create a build they control already has, since the builder executes the build's Dockerfile instructions; the escalation from there is straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: OpenShift 4.7.13, 4.6.23, and 4.5.31

Vendor Advisory: https://access.redhat.com/errata/RHSA-2021:0338

Restart Required: Yes

Instructions:

1. Update the cluster to a fixed release with `oc adm upgrade --to=<version>`; the ose-docker-builder image is part of the release payload, so there is no separate builder update to apply.
2. Wait for the ClusterVersion update to report Completed; worker nodes reboot during the update, which is the restart referred to above.
3. Cancel builds that were running on the old builder image (`oc cancel-build`) and re-run them; builds started after the update pull the fixed image.
4. Verify with the checks under "How to Verify" below.

🔧 Temporary Workarounds

Restrict who can create builds

Only principals that can create builds (directly, through a BuildConfig, or via a webhook trigger) can get code into the build container, so audit and trim those grants in every namespace. The edit and admin roles both include build creation:

oc adm policy who-can create builds -n <namespace>
oc adm policy who-can create buildconfigs -n <namespace>
oc adm policy remove-role-from-user edit <username> -n <namespace>

Deny ingress to build pods with a NetworkPolicy that selects the openshift.io/build.name label the build controller puts on every build pod. Leave egress alone: builds need it to fetch source, pull base images and push to the registry.

oc apply -n <namespace> -f - <<'EOF'
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: deny-ingress-to-build-pods
spec:
  podSelector:
    matchExpressions:
      - key: openshift.io/build.name
        operator: Exists
  policyTypes:
    - Ingress
EOF

This limits who can reach the container; it does nothing against a process that has already escaped to the node.

Restrict build strategies cluster-wide

The builder's isolation mode (chroot versus runc) is baked into the ose-docker-builder image and is not a BuildConfig setting, so it cannot be switched by editing a BuildConfig; runPolicy only controls whether builds of one BuildConfig run serially or in parallel. What can be changed is which users may use each build strategy at all. By default every authenticated user is bound to the Docker and Source strategy roles; remove those defaults and bind the roles to a trusted group instead (the Source strategy matters too, because the same builder image runs both):

oc adm policy remove-cluster-role-from-group system:build-strategy-docker system:authenticated
oc adm policy remove-cluster-role-from-group system:build-strategy-source system:authenticated
oc adm policy add-cluster-role-to-group system:build-strategy-docker <trusted-group>
oc adm policy add-cluster-role-to-group system:build-strategy-source <trusted-group>

🧯 If You Can't Patch

  • Treat every build pod as a potential node admin: pin builds to dedicated worker nodes (spec.buildOverrides.nodeSelector and spec.buildOverrides.tolerations on build.config.openshift.io/cluster, with a taint only build pods tolerate) so an escape lands on a node that runs nothing else.
  • Keep build creation and the build-strategy roles to the smallest set of users and service accounts, and put build pods behind an ingress-deny NetworkPolicy to limit lateral movement.
  • Do not expect to harden the builder pod itself: it runs privileged by design, which is exactly what gives it node device access, so SCC or seccomp changes to it are not a workaround.
  • Watch the API audit log for unexpected build creation and for exec sessions into build pods.

🔍 How to Verify

Check if Vulnerable:

The builder image ships with the release, so the cluster version decides. Read it from the ClusterVersion object, which is authoritative even mid-upgrade (oc version prints the client version and, when logged in, the server version):

oc get clusterversion version -o jsonpath='{.status.desired.version}{"\n"}'

The cluster is vulnerable if the value is below 4.5.31 on the 4.5 stream, 4.6.23 on 4.6, or 4.7.13 on 4.7, or is any 4.4 or earlier release.

Check Version:

oc version
oc get clusterversion version -o jsonpath='{.status.desired.version}{"\n"}'

Verify Fix Applied:

Confirm the update completed rather than merely started; the newest history entry should be the fixed version with state Completed:

oc get clusterversion version -o jsonpath='{.status.history[0].version} {.status.history[0].state}{"\n"}'

Builds that started before the update may still be running on the old builder image; cancel and re-run them, then check that a fresh build pod references the builder image from the new release.
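As an added example, not code from the advisory or from the OpenShift project, the version rule above applied in Python to the output of `oc get clusterversion version -o json`. The fixed release numbers are the ones listed on this page (confirm them against the vendor advisory); the sample ClusterVersion document is constructed for the example, not captured from a cluster.

```python
import json
import re

# Fixed patch level per 4.y stream, as listed on this page for CVE-2021-20182
# (assumption: the page's numbers are taken as given).
FIXED = {5: 31, 6: 23, 7: 13}
OLDEST_FIXED_MINOR = min(FIXED)
NEWEST_FIXED_MINOR = max(FIXED)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(version):
    """Return (major, minor, patch) from an OpenShift version string.

    Pre-release suffixes are ignored: '4.7.0-rc.2' is compared as 4.7.0,
    which is still below the 4.7 fix level, so candidates stay flagged.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError("unrecognised OpenShift version: %r" % version)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if `version` is at or above the fixed release for its 4.y stream."""
    major, minor, patch = parse_version(version)
    if major != 4:
        # The advisory covers OpenShift 4 only; refuse to guess for anything else.
        raise ValueError("not an OpenShift 4 version: %r" % version)
    if minor > NEWEST_FIXED_MINOR:
        return True            # 4.8 and later ship with the fix
    if minor < OLDEST_FIXED_MINOR:
        return False           # 4.4 and earlier: listed as affected, no fixed release
    return patch >= FIXED[minor]


def desired_version(clusterversion_json):
    """Extract .status.desired.version from `oc get clusterversion version -o json`."""
    doc = json.loads(clusterversion_json)
    return doc["status"]["desired"]["version"]


def check_cluster(clusterversion_json):
    """Return (version, patched) for a ClusterVersion JSON document."""
    v = desired_version(clusterversion_json)
    return v, is_patched(v)


# Constructed sample of `oc get clusterversion version -o json`, trimmed to the
# fields used here (not real cluster output).
SAMPLE_CLUSTERVERSION = json.dumps({
    "apiVersion": "config.openshift.io/v1",
    "kind": "ClusterVersion",
    "metadata": {"name": "version"},
    "status": {"desired": {"version": "4.6.18"}},
})

if __name__ == "__main__":
    import sys
    # Usage: oc get clusterversion version -o json | python3 check_builder.py -
    text = sys.stdin.read() if len(sys.argv) > 1 and sys.argv[1] == "-" else SAMPLE_CLUSTERVERSION
    version, patched = check_cluster(text)
    print("cluster %s: %s" % (version, "patched" if patched else "VULNERABLE"))
```

Pipe real output in with `oc get clusterversion version -o json | python3 check_builder.py -`, or import `is_patched` into existing fleet tooling; the stream-aware comparison is the part a naive "is the version newer than 4.5.31" check gets wrong, since 4.6.1 is newer than 4.5.31 and still vulnerable.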

📡 Detection & Monitoring

Log Indicators (API audit logs: builds are served by openshift-apiserver, pods/exec by kube-apiserver; both are readable with oc adm node-logs --role=master --path=openshift-apiserver/ and --path=kube-apiserver/):

  • builds or buildconfigs created, or build webhooks triggered, by users and service accounts other than the CI pipeline's
  • pods/exec or pods/attach requests against build pods (named <build-name>-build)
  • post-escalation activity from the build's service account or from a node identity: reads of secrets in other namespaces, new ClusterRoleBindings

Builder pod logs show the build steps, not the escape; the builder runs privileged, so there is no denied operation to log there.

Network Indicators:

  • connections from build pods to the kubelet port (10250), the API server, or other nodes, rather than to the registry, the git host and the base-image mirror a build actually needs
  • traffic from a worker node's host address that does not correspond to any known pod

SIEM Query (Splunk-style, over the ingested audit logs; index, field names and the CI service-account prefix are placeholders to adjust):

index="openshift_audit" objectRef.resource="pods" objectRef.subresource="exec" objectRef.name="*-build"
index="openshift_audit" objectRef.resource="builds" verb="create" NOT user.username="system:serviceaccount:ci:*"
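As an added example, not code from the page or from Red Hat, the two audit-log indicators above expressed as a Python scan over JSON audit events (one object per line, as the API servers write them). The expected-creator set and the sample events are constructed for the example; the build-pod name suffix `-build` is the build controller's naming, and `user`, `verb`, `objectRef` and `responseStatus` are the standard Kubernetes audit fields.

```python
import json

# Assumption: the principals expected to create builds in this cluster, e.g.
# the CI pipeline's service account. Anything else creating a build, or anyone
# exec'ing into a build pod, is flagged for review.
EXPECTED_BUILD_CREATORS = {
    "system:serviceaccount:ci:pipeline",   # assumed CI service account
}

# Pods created by the build controller are named "<build-name>-build".
BUILD_POD_SUFFIX = "-build"


def _field(event, *path):
    """Walk nested dict keys, returning None if any level is missing."""
    cur = event
    for key in path:
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def classify(event):
    """Return a short reason if the audit event is worth review, else None."""
    verb = event.get("verb")
    user = _field(event, "user", "username") or ""
    resource = _field(event, "objectRef", "resource")
    subresource = _field(event, "objectRef", "subresource")
    name = _field(event, "objectRef", "name") or ""
    code = _field(event, "responseStatus", "code") or 0

    # Only successful requests matter here: denied attempts are logged too,
    # but they gave the caller nothing.
    if code >= 400:
        return None
    if resource == "builds" and verb == "create" and user not in EXPECTED_BUILD_CREATORS:
        return "build created by unexpected principal"
    if resource == "pods" and subresource in ("exec", "attach") and name.endswith(BUILD_POD_SUFFIX):
        return "interactive session in build pod"
    return None


def scan_audit_log(lines):
    """Yield (reason, username, namespace, name) for each flagged audit line.

    Lines that are not valid JSON are skipped rather than aborting the scan.
    """
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except ValueError:
            continue
        reason = classify(event)
        if reason:
            yield (reason,
                   _field(event, "user", "username"),
                   _field(event, "objectRef", "namespace"),
                   _field(event, "objectRef", "name"))


# Constructed audit events (not captured from a real cluster), reduced to the
# fields this check reads. The exec request records 101 (protocol upgrade).
SAMPLE_AUDIT_LINES = [
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "system:serviceaccount:ci:pipeline"},
                "objectRef": {"resource": "builds", "namespace": "app", "name": "app-7"},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "contractor"},
                "objectRef": {"resource": "builds", "namespace": "app", "name": "app-8"},
                "responseStatus": {"code": 201}}),
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "contractor"},
                "objectRef": {"resource": "pods", "subresource": "exec",
                              "namespace": "app", "name": "app-8-build"},
                "responseStatus": {"code": 101}}),
    json.dumps({"kind": "Event", "verb": "create",
                "user": {"username": "contractor"},
                "objectRef": {"resource": "pods", "subresource": "exec",
                              "namespace": "app", "name": "app-8-build"},
                "responseStatus": {"code": 403}}),
    "not json at all",
]

FINDINGS = list(scan_audit_log(SAMPLE_AUDIT_LINES))

if __name__ == "__main__":
    for finding in FINDINGS:
        print("%-40s user=%s ns=%s obj=%s" % finding)
```

Run against a real log with `oc adm node-logs --role=master --path=kube-apiserver/audit.log`, piped line by line into `scan_audit_log`. The allowlist approach is deliberate: in a cluster where only a pipeline should create builds, a human account creating one is the signal, and an exec into a build pod has no legitimate routine use.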
