Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability

Available Languages

Updated:December 21, 2016
Document ID:1482346481740469

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Cisco Security Advisory

Cisco CloudCenter Orchestrator Docker Engine Privilege Escalation Vulnerability

Critical
Advisory ID:
cisco-sa-20161221-cco
First Published:
2016 December 21 16:00 GMT
Last Updated: 
2016 December 21 18:03 GMT
Version 1.1:
Final
Workarounds:
Yes
CVE-2016-9223
CVSS Score:
Base 9.3, Temporal 8.1Click Icon to Copy Verbose Score
AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVE-2016-9223

Summary

  • A vulnerability in the Docker Engine configuration of Cisco CloudCenter Orchestrator (CCO; formerly CliQr) could allow an unauthenticated, remote attacker to install Docker containers with high privileges on the affected system.

    The vulnerability is due to a misconfiguration that causes the Docker Engine management port to be reachable outside of the CloudCenter Orchestrator system. An attacker could exploit this vulnerability by loading Docker containers on the affected system with arbitrary privileges. As a secondary impact this may allow the attacker to gain root privileges on the affected CloudCenter Orchestrator.

    Cisco has released software updates that address this vulnerability. Workarounds that mitigate this vulnerability are available. This advisory is available at the following link:
    https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20161221-cco

Affected Products

  • Vulnerable Products

    This vulnerability affect all releases of Cisco CloudCenter Orchestrator (CCO) deployments where the Docker Engine TCP port 2375 is open on the system and bound to local address 0.0.0.0 (any interface).

    Administrator can log in to the CCO and issue the netstat -ant | grep 2375 command to determine if the port is open and bound to 0.0.0.0 local address.

    The following example shows a CCO device with port 2375 in listening state and on local address 0.0.0.0
    [root@cco ~]# netstat -ant | grep 2375
    Proto Recv-Q Send-Q  Local Address          Foreign Address        (state)  
    tcp        0      0  0.0.0.0:2375           0.0.0.0:*               LISTEN  
    TCP port 2375 is open by default with local address 0.0.0.0.

    Products Confirmed Not Vulnerable

    No other Cisco products are currently known to be affected by this vulnerability.

Indicators of Compromise

  • Administrator may be able to detect a malicious Docker container by listing all the install containers on the system using the docker images command.
    The following example shows a list of containers which include a malicious container called badcontainer:
    [root@cco ~]#docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             VIRTUAL SIZE
badcontainer        latest              aaaaaaaaaaaa        1 day ago           128.1 MB
cliqr/worker        latest              8b5213eb3fa2        2 weeks ago         643.9 MB
[...]
    Because this vulnerability may allow access to the Cisco CCO software with root privileges, additional indicator of compromise may be present depending on the goal of the malicious actor.

Workarounds

  • Administrators can restrict the Docker Engine port to bind to localhost (127.0.0.1) following the procedure below:

    1. Issue the su command to obtain sudo privileges
    2. Enter the system directory using the following command cd /etc/systemd/system/
    3. Edit the docker.socket file with your chosen editor and change the ListenStream value to the following:

      4. ListenStream=127.0.0.1:2375

    4. Reload with the systemctl daemon-reload && systemctl restart docker command
    In addition, administrators can use the cloud provider security group or external firewall devices in private cloud deployment to restrict access to the CCO Docker Engine management port as per product documentation:
    http://docs.cliqr.com/display/CCD46/Phase+2%3A+Configure+Network+Rules

Fixed Software

  • Cisco has released free software updates that address the vulnerability described in this advisory. Customers may only install and expect support for software versions and feature sets for which they have purchased a license. By installing, downloading, accessing, or otherwise using such software upgrades, customers agree to follow the terms of the Cisco software license:
    http://www.cisco.com/en/US/docs/general/warranty/English/EU1KEN_.html

    Additionally, customers may only download software for which they have a valid license, procured from Cisco directly, or through a Cisco authorized reseller or partner. In most cases this will be a maintenance upgrade to software that was previously purchased. Free security software updates do not entitle customers to a new software license, additional software feature sets, or major revision upgrades.

    When considering software upgrades, customers are advised to regularly consult the advisories for Cisco products, which are available from the Cisco Security Advisories and Alerts page, to determine exposure and a complete upgrade solution.

    In all cases, customers should ensure that the devices to upgrade contain sufficient memory and confirm that current hardware and software configurations will continue to be supported properly by the new release. If the information is not clear, customers are advised to contact the Cisco Technical Assistance Center (TAC) or their contracted maintenance providers.

    Customers Without Service Contracts

    Customers who purchase directly from Cisco but do not hold a Cisco service contract and customers who make purchases through third-party vendors but are unsuccessful in obtaining fixed software through their point of sale should obtain upgrades by contacting the Cisco TAC:
    http://www.cisco.com/en/US/support/tsd_cisco_worldwide_contacts.html

    Customers should have the product serial number available and be prepared to provide the URL of this advisory as evidence of entitlement to a free upgrade.

    Fixed Releases

    This vulnerability has been fixed in the Cisco CloudCenter Orchestrator 4.6.2 patch release.

Exploitation and Public Announcements

  • The Cisco Product Security Incident Response Team (PSIRT) is not aware of any public announcements of the vulnerability that is described in this advisory.

    The Cisco PSIRT is aware that this vulnerability has been exploited publicly in a limited number of cases.

Source

  • This vulnerability was found during the resolution of support cases.

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory

URL

Revision History

  • Version Description Section Status Date
    1.1 Updated workaround information. Workarounds Final 2016-December-21
    1.0 Initial public release. Final 2016-December-21
    Show Less

Cisco Security Vulnerability Policy

  • To learn about Cisco security vulnerability disclosure policies and publications, see the Security Vulnerability Policy. This document also contains instructions for obtaining fixed software and receiving security vulnerability information from Cisco.

Subscribe to Cisco Security Notifications

Action Links for This Advisory