TPS-2016-007 Docker, DTrace and MAC Protection Vulnerabilities

Overview

Introduction

This notice is to ensure that all Triton Cloud customers, all on-premises operators of Triton Enterprise (formerly SmartDataCenter or SDC) and all open source Triton users are aware of vulnerabilities reported to us by research contributors at Trend Micro’s Zero Day Initiative (ZDI), together with some discovered by our own Engineering team.

All necessary fixes have been applied to Triton Cloud (formerly Joyent Public Cloud or JPC), so no action is required by Triton Cloud customers. Users of the other services listed above should follow the instructions in the Solutions section below at their earliest opportunity. Most of these vulnerabilities are listed on Zero Day Initiative’s Upcoming Advisories page, and each is described in the Vulnerabilities section below. The “MAC protection logic vulnerabilities” described below were discovered by Joyent and do not appear on the ZDI site.

Support

If further questions arise regarding mitigation of these vulnerabilities (after you have followed the instructions below), please contact Joyent Support by submitting a request via the Customer Support portal or by emailing support@joyent.com.

The Joyent Support channel is only available to Triton Cloud customers and Triton Enterprise and Manta Enterprise customers with support contracts. Open source Triton users are encouraged to direct further questions to: The SmartOS Community Mailing Lists and IRC.

Solutions

Triton Cloud (public cloud) users

All necessary fixes have been applied to Triton Cloud. No user action is required.

Triton Enterprise (on-premises, private cloud) users

To apply these fixes to an on-premises installation, update your current Platform Image (PI) to release 20160428-20160504T174400Z* or later, using the sdcadm command as described on the support channel.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5adf

If more detailed update instructions are needed, please submit a request via the Customer Support portal or email support@joyent.com.

Open source Triton users

Upgrade to this Triton platform image release: 20160428-20160504T174400Z*.

Docker users should also update to this agent image: 1.0.0-master-20160418T231745Z-g3fd5adf

Direct any further questions to: The SmartOS Community Mailing Lists and IRC

*Note: A previous version of this release announcement specified PI 20160414-20160420T005724Z; the new release 20160428-20160504T174400Z includes an important bug fix that was missing from 20160414-20160420T005724Z.

Vulnerabilities

ZDI-CAN-3701 Docker vulnerabilities

Details

Affected: The issue exists in the core SmartOS platform and CN agents. The following users are affected:

  • Joyent customers with on-premises Triton Elastic Infrastructure using docker containers
  • Users of Docker containers on Triton Cloud (the fixes have already been applied cloud-wide)
  • Users of Docker containers with open source Triton

Severity: High

Impact/resolution

The vulnerabilities could allow a process inside a Docker container to gain access beyond its own user zone.

Fixes have been made at the platform level to apply more appropriate dataset settings to Docker zones.

ZDI-CAN-3531/3532/3533 DTrace vulnerabilities

Details

Affected: The issue exists in the core SmartOS platform, for users who are running on a Platform Image version prior to 20160204. For such users, the following are affected:

  • Joyent customers with on-premises Triton Elastic Infrastructure
  • All users of SmartOS, including Triton Cloud customers (the fix has already been applied Cloud-wide)
  • Users of open source Triton

Severity: High

Impact/resolution

Attackers in a non-global zone can potentially exploit DTrace to leak information from outside that zone into it, or to escalate from the non-global zone into the global zone.

DTrace has been hardened to prevent such attempts.

ZDI-CAN-3688/3689/3690 DTrace vulnerabilities

Details

Affected: The issue exists in the core SmartOS platform, for users who are running on a Platform Image version prior to 20160526.

Severity: High

Impact/resolution

Attackers can potentially chain multiple DTrace exploits to list processes outside their zone and dump those processes’ memory, or to break out of the zone and escalate privileges in the global zone.

DTrace has been hardened to prevent these attacks. The fixes are available in PI version 20160526 and later.

MAC protection logic vulnerabilities

Details

Affected: The issue exists in the core SmartOS platform release-20160331-20160330T234300Z and release-20160414-20160414T011323Z. The following users are affected:

  • Joyent customers with on-premises Triton Elastic Infrastructure who have applied either of the Platform Images mentioned above
  • All users of SmartOS, including Triton Cloud customers (the fix has already been applied Cloud-wide)
  • Users of open source Triton who have applied either of the platform images mentioned above

Severity: High

Impact/resolution

A recent regression disabled part of the MAC (network interface) protection logic. Because of this, an attacker in one zone could potentially observe network packet information belonging to other zones.

A fix has been made to reinstate the network interface protection.
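As a triage aid for the Solutions and Vulnerabilities sections above, the following is an added example written for this page; it is not Joyent's code and not part of the original notice. It takes Platform Image names in the form this notice uses (release date, hyphen, build timestamp, for example 20160428-20160504T174400Z) and reports which items of the notice still apply to each. That input form is an assumption: the build-timestamp half on its own, which is what uname -v reports on a SmartOS compute node, is not enough to evaluate the two DTrace thresholds, because the notice gives those only as release dates (20160204 and 20160526). The node names and inventory are constructed sample data. Note that the notice dates the ZDI-CAN-3688/3689/3690 fix to release 20160526, later than the 20160428 PI named under Solutions, so the script reports that item separately rather than folding it into the 20160428 check.

```shell
#!/bin/sh
# Added example for this advisory page; not Joyent's code and not part of the notice.
# Triage Platform Image (PI) names against the versions quoted in TPS-2016-007.
#
# Assumption: PI names are given as <release-date>-<build-timestamp>, the form
# the notice itself uses (e.g. 20160428-20160504T174400Z). Both halves are
# compact ISO 8601, so byte-order string comparison orders them correctly.

# Thresholds quoted from the notice.
PI_DOCKER_FIX="20160428-20160504T174400Z"  # ZDI-CAN-3701 (Docker) and MAC fixes ship here
DATE_DTRACE_A="20160204"                   # ZDI-CAN-3531/3532/3533 fixed from this release date
DATE_DTRACE_B="20160526"                   # ZDI-CAN-3688/3689/3690 fixed from this release date
PI_MAC_BAD1="20160331-20160330T234300Z"    # MAC protection regression present
PI_MAC_BAD2="20160414-20160414T011323Z"    # MAC protection regression present

# str_lt A B: true when A sorts before B. expr compares all-digit operands
# numerically and everything else as strings; either ordering is right here.
# LC_ALL=C keeps the string comparison in byte order regardless of locale.
str_lt() { LC_ALL=C expr "$1" \< "$2" > /dev/null; }

# pi_valid NAME: accept only YYYYMMDD-YYYYMMDDTHHMMSSZ.
pi_valid() {
    case "$1" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]T[0-9][0-9][0-9][0-9][0-9][0-9]Z)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# pi_issues NAME: print the notice items still open on that PI, one token
# each, space separated (empty output means none apply); return 1 on bad input.
pi_issues() {
    pi="$1"
    pi_valid "$pi" || return 1
    rel="${pi%%-*}"                    # release-date half of the name
    out=""
    str_lt "$rel" "$DATE_DTRACE_A" && out="$out dtrace-3531"
    str_lt "$rel" "$DATE_DTRACE_B" && out="$out dtrace-3688"
    str_lt "$pi"  "$PI_DOCKER_FIX" && out="$out docker-3701"
    case "$pi" in
        "$PI_MAC_BAD1"|"$PI_MAC_BAD2") out="$out mac-protection" ;;
    esac
    printf '%s\n' "${out# }"
}

# pi_report: read "<node> <pi-name>" lines on stdin, print one status line each.
pi_report() {
    while read -r node pi; do
        [ -n "$node" ] || continue
        if issues=$(pi_issues "$pi"); then
            printf '%s %s: %s\n' "$node" "$pi" "${issues:-OK}"
        else
            printf '%s %s: unrecognised PI name, check by hand\n' "$node" "$pi"
        fi
    done
}

# Constructed sample inventory (hypothetical node names, not real fleet data).
pi_report <<'EOF'
cn01 20160121-20160121T093000Z
cn02 20160414-20160420T005724Z
cn03 20160414-20160414T011323Z
cn04 20160428-20160504T174400Z
cn05 20160526-20160526T120000Z
cn06 latest
EOF
```

Feed the script the PI name for each compute node as recorded from your own inventory (for example from the platform list on the head node) and treat every line that is not OK as work still outstanding; a node on the 20160428 release still shows dtrace-3688 because the notice places that fix in 20160526.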