CVE-2021-20264 Overview
An insecure modification flaw in the /etc/passwd file was found in the openjdk-1.8 and openjdk-11 containers. This vulnerability allows an attacker with access to the container to modify the /etc/passwd file and escalate their privileges. The highest threat from this vulnerability is to confidentiality, integrity, and system availability.
Critical Impact
This privilege escalation vulnerability allows container users to gain elevated privileges by modifying the /etc/passwd file, potentially leading to complete container compromise and lateral movement within containerized environments.
Affected Products
- Oracle OpenJDK 1.8.0 Container Images
- Oracle OpenJDK 11 Container Images
- Red Hat OpenJDK Container Images
Discovery Timeline
- 2021-10-06 - CVE-2021-20264 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2021-20264
Vulnerability Analysis
This vulnerability stems from improper file permissions on the /etc/passwd file within OpenJDK container images. The insecure permissions allow non-privileged users within the container to modify the /etc/passwd file, which is critical for user authentication and privilege management on Unix-like systems.
The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment) and CWE-732 (Incorrect Permission Assignment for Critical Resource). When exploited, an attacker can manipulate user entries in the /etc/passwd file to create new privileged users, modify existing user permissions, or change authentication credentials.
This flaw requires local access to the container (local attack vector) with low-privilege user access. The exploitation complexity is low, requiring no user interaction, making it a practical target for attackers who have already gained a foothold within the container environment.
Root Cause
The root cause of this vulnerability is incorrect permission assignment for the /etc/passwd file within the OpenJDK container images. The container images were built with overly permissive file permissions on the /etc/passwd file, allowing write access to non-root users. This violates the principle of least privilege and enables unauthorized modification of critical system files.
In standard Linux security practices, the /etc/passwd file should be readable by all users but writable only by root. The misconfiguration in the affected OpenJDK container images allows regular container users to modify this file, bypassing normal privilege restrictions.
Attack Vector
The attack relies on local access to the container environment. An attacker who has gained access to the container, even as a low-privileged user, can exploit this vulnerability through the following attack flow:
- Initial Access: Attacker gains access to the container through a vulnerable application, compromised credentials, or other means
- File Permission Check: Attacker verifies write permissions on /etc/passwd
- Privilege Escalation: Attacker modifies /etc/passwd to add a new user with root privileges or changes the UID of their current user to 0
- Privileged Access: Attacker switches to the newly created or modified privileged user
The vulnerability requires no special tools or complex exploitation techniques, making it easily exploitable once container access is obtained.
Detection Methods for CVE-2021-20264
Indicators of Compromise
- Unexpected modifications to the /etc/passwd file within container environments
- New user accounts appearing in /etc/passwd with UID 0 or other elevated privileges
- Changes to existing user entries, particularly modifications to UID/GID fields
- Container process execution under unexpected user contexts
Detection Strategies
- Implement file integrity monitoring on /etc/passwd and other critical system files within containers
- Monitor for permission changes on sensitive files using audit logging
- Deploy container security solutions that alert on privilege escalation attempts
- Use SentinelOne Singularity Platform to detect and prevent container-based privilege escalation attacks
- Enable auditd rules to track writes to /etc/passwd and /etc/shadow
Monitoring Recommendations
- Configure container runtime security to detect file modifications in /etc/ directory
- Implement real-time alerting for changes to authentication-related files
- Deploy container-aware EDR solutions to monitor process privilege changes
- Review container logs for unexpected su, sudo, or user context switching activities
How to Mitigate CVE-2021-20264
Immediate Actions Required
- Audit all deployed OpenJDK container images for proper /etc/passwd file permissions
- Update to patched container images from Oracle or Red Hat
- Implement container security policies that restrict write access to critical system files
- Deploy runtime container security monitoring to detect exploitation attempts
- Review and validate file permissions on all container images before deployment
Patch Information
Oracle and Red Hat have addressed this vulnerability in updated container images. Organizations should pull the latest openjdk-1.8 and openjdk-11 container images from official repositories. Additional technical details and patch information can be found in the Red Hat Bug Report #1932283.
Workarounds
- Manually correct file permissions on /etc/passwd within containers by ensuring only root has write access
- Implement read-only root filesystems where possible using container runtime flags
- Deploy container security policies using tools like Open Policy Agent (OPA) to enforce proper file permissions
- Use admission controllers in Kubernetes to prevent deployment of containers with vulnerable images
# Verify and fix /etc/passwd permissions in container
# Check current permissions: anything other than -rw-r--r-- root root
# (for example -rw-rw-rw-) means non-root users can write the file
ls -l /etc/passwd
# Correct permissions if necessary (run as root)
chmod 644 /etc/passwd
chown root:root /etc/passwd
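The permission check from the workaround above and the "extra UID 0 account" indicator from the Indicators of Compromise section, combined into one added shell audit that is not part of the advisory; SAMPLE_PASSWD, the function names and the passwd contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the advisory: audits a passwd file for the
# group/other-writable state behind CVE-2021-20264 and for accounts other
# than root that carry UID 0. Point check_passwd at a real file to audit
# a container; the names below are chosen for this example.

# Constructed sample of a tampered container /etc/passwd: a second UID 0
# account was appended and the service user's UID was rewritten to 0.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
jboss:x:0:185:JBoss user:/home/jboss:/bin/bash
backdoor:x:0:0::/root:/bin/bash
EOF
chmod 666 "$SAMPLE_PASSWD"   # reproduce the insecure permissions

# passwd_mode_ok FILE: succeeds only when neither group nor other can write.
# Reads the ls mode string so it does not depend on GNU stat.
passwd_mode_ok() {
    perms=$(ls -ld "$1" | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 1 ;;   # group write (char 6) or other write (char 9)
    esac
    return 0
}

# passwd_uid0_extra FILE: prints every account with UID 0 other than root.
passwd_uid0_extra() {
    awk -F: '$3 ~ /^0+$/ && $1 != "root" { print $1 }' "$1"
}

# check_passwd FILE: reports findings; returns 1 if anything is wrong.
check_passwd() {
    rc=0
    if ! passwd_mode_ok "$1"; then
        echo "WEAK PERMISSIONS: $1 is group/other writable; run: chmod 644 $1"
        rc=1
    fi
    for u in $(passwd_uid0_extra "$1"); do
        echo "IOC: account '$u' has UID 0 in $1"
        rc=1
    done
    return $rc
}

if check_passwd "$SAMPLE_PASSWD"; then
    echo "sample passwd is clean"
fi
```

Running it against the sample reports the weak mode and both non-root UID 0 accounts; after chmod 644 the mode check passes while the UID 0 findings remain, which is the case file integrity monitoring should still catch.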
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.