CVE-2023-32696
📋 TL;DR
This vulnerability in CKAN's Docker container allows the 'ckan' user (equivalent to www-data) to execute arbitrary code with elevated privileges via sudo. It affects CKAN deployments using vulnerable Docker containers, enabling attackers to escalate privileges if they can write arbitrary files to the system.
💻 Affected Systems
- CKAN Docker containers
📦 What is this software?
CKAN by OKFN
⚠️ Risk & Real-World Impact
Worst Case
Full container compromise leading to host system access, data exfiltration, and lateral movement within the environment.
Likely Case
Container takeover allowing installation of backdoors, data manipulation, and persistence within the CKAN environment.
If Mitigated
Limited impact with proper container isolation and restricted network access, though container integrity would still be compromised.
🎯 Exploit Status
Requires an arbitrary file write vulnerability to exploit. Once file write is achieved, privilege escalation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.9, 2.9.9-dev, 2.10.1, or 2.10.1-dev
Vendor Advisory: https://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg
Restart Required: Yes
Instructions:
1. Update the CKAN Docker image to version 2.9.9 or 2.10.1 or later.
2. Rebuild and redeploy the containers.
3. Verify that the 'ckan' user no longer has sudo privileges.
🔧 Temporary Workarounds
Remove sudo from ckan user
Linux: manually remove sudo privileges from the ckan user in running containers
docker exec -it <container_name> /bin/bash
sudo deluser ckan sudo
exit
Build custom Docker image
Linux: create a custom Dockerfile that removes sudo from the ckan user
FROM ckan/ckan:2.9.8
RUN deluser ckan sudo
RUN rm -f /etc/sudoers.d/ckan
🧯 If You Can't Patch
- Implement strict file upload controls to prevent arbitrary file writes
- Deploy containers with read-only root filesystems where possible
🔍 How to Verify
Check if Vulnerable:
Check if ckan user has sudo access: docker exec <container> sudo -l -U ckan
Check Version:
docker exec <container> ckan --version
Verify Fix Applied:
Verify the ckan user cannot use sudo: docker exec --user ckan <container> sudo -n whoami (should fail; note that sudo's -U flag is only valid together with -l, so the check has to run as the ckan user)
📡 Detection & Monitoring
Log Indicators:
- Unexpected sudo usage by ckan user
- File writes to sensitive locations by ckan user
- Unusual process execution from ckan context
Network Indicators:
- Outbound connections from CKAN containers to unexpected destinations
- Increased network traffic from CKAN containers
SIEM Query:
source="docker" AND ((user="ckan" AND command="sudo") OR (process="sudo" AND parent_process="ckan"))
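The query above assumes a SIEM that already normalises sudo events into user/command fields. The following is an added example, not part of this advisory or of the CKAN project, that applies the same rule directly to raw sudo syslog lines: it parses sudo's standard "<user> : [reason ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..." record format and flags every invocation (granted or denied) by a service account that should never use sudo. Only the user="ckan" AND sudo half of the query is implemented, because the parent_process half needs process telemetry that syslog does not carry. The log lines, hostname and paths are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# sudo's syslog record on Debian-based images (the CKAN images are Debian-based):
#   sudo: <invoking user> : [<denial reason> ;] TTY=<tty> ; PWD=<cwd> ; USER=<target> ; COMMAND=<cmd>
# A denial reason (e.g. "user NOT in sudoers") is present only when sudo refused the request.
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+(?:(?P<reason>[^;]*?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<command>.*)$"
)

# Service accounts that must never invoke sudo. "ckan" is the account from the advisory;
# extend this set for your own deployment.
WATCHED_USERS = {"ckan"}


@dataclass
class SudoEvent:
    user: str          # account that ran sudo
    target: str        # account sudo was asked to switch to (USER=)
    command: str       # requested command
    granted: bool      # False when sudo logged a denial reason
    reason: Optional[str]


def parse_sudo_line(line: str) -> Optional[SudoEvent]:
    """Parse one syslog line; return None for lines that are not sudo command records
    (pam session messages, other daemons, etc.)."""
    m = SUDO_LINE.search(line)
    if not m:
        return None
    reason = m.group("reason")
    return SudoEvent(
        user=m.group("user"),
        target=m.group("target"),
        command=m.group("command").strip(),
        granted=reason is None,
        reason=reason,
    )


def find_service_account_sudo(lines: Iterable[str], watched=WATCHED_USERS) -> List[SudoEvent]:
    """Return every sudo invocation by a watched service account. A granted event on a
    CKAN container means the vulnerable sudo grant is still present; a denied event after
    patching still shows that something in the ckan context tried to escalate."""
    findings = []
    for line in lines:
        ev = parse_sudo_line(line)
        if ev is not None and ev.user in watched:
            findings.append(ev)
    return findings


# Constructed sample log: one granted escalation by ckan, one unrelated postgres sudo,
# one pam session line (ignored by the parser) and one denied attempt by ckan.
SAMPLE_LOG = """\
Jun 14 10:02:11 ckan-web sudo:     ckan : TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/bin/bash
Jun 14 10:02:13 ckan-web sudo: postgres : TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/pg_ctlcluster 12 main reload
Jun 14 10:02:20 ckan-web sudo: pam_unix(sudo:session): session opened for user root(uid=0) by ckan(uid=1000)
Jun 14 10:05:42 ckan-web sudo:     ckan : user NOT in sudoers ; TTY=pts/0 ; PWD=/srv/app ; USER=root ; COMMAND=/usr/bin/id
"""


if __name__ == "__main__":
    for ev in find_service_account_sudo(SAMPLE_LOG.splitlines()):
        state = "GRANTED" if ev.granted else f"DENIED ({ev.reason})"
        print(f"{ev.user} -> {ev.target}: {ev.command} [{state}]")
```

Feed it the container's syslog (or the docker log stream of a container that forwards sudo output to stderr) and alert on any result; on a patched image the granted variant should never appear.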
🔗 References
- https://github.com/ckan/ckan-docker-base/commit/5483c46ce9b518a4e1b626ef7032cce2c1d75c7d
- https://github.com/ckan/ckan-docker-base/security/advisories/GHSA-c74x-xfvr-x5wg