CVE-2017-16539: Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP)
(updated )
The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a “scsi remove-single-device” line to /proc/scsi/scsi, aka SCSI MICDROP.
References
- github.com/advisories/GHSA-vfjc-2qcw-j95j
- github.com/moby/moby
- github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa1
- github.com/moby/moby/pull/35399
- marc.info/?l=linux-scsi&m=150985062200941&w=2
- marc.info/?l=linux-scsi&m=150985455801444&w=2
- nvd.nist.gov/vuln/detail/CVE-2017-16539
- twitter.com/ewindisch/status/926443521820774401
Code Behaviors & Features
Detect and mitigate CVE-2017-16539 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →