@giladreti - so I have taken another look at the CVSS3.1 vector string you referenced above.
The threat in this case would appear to be from a malicious docker image or similar - would you agree? Given this, then I think the vector makes more sense as follows:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Confidentiality: High
Integrity: High
Availability: High
The Attack Vector is from the Network since a malicious image has to be downloaded from Docker Hub or similar.
The Attack Complexity is Low since a malicious image is relatively easy to create.
No special Privileges are Required other than what is normally provided to a docker container.
There is no User Interaction required since, as you state, at some point it is quite likely that systemd will reload services and trigger this without any user interaction.
The Scope is changed since this then allows access to devices from the host system that were not originally part of the container's device cgroup.
C/I/A as High is because from what I can tell the snap.docker.dockerd.service devices cgroup appears to allow access to all devices on the system:
$ sudo cat /sys/fs/cgroup/devices/system.slice/snap.docker.dockerd.service/devices.list
a *:* rwm
And so this would appear to allow the container to have arbitrary read/write access to any device on the system, including the host filesystem etc.
This would then result in a CVSS 3.1 base score of 10.0.
@anonymouse67 and others - does this seem to match with your understanding of the vulnerability as well?
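A way to check the "allows access to all devices" reading of `a *:* rwm` mechanically, as an added example that is not part of the original comment or of docker/snapd: it parses cgroup v1 `devices.list` output and applies the kernel's whitelist matching rule (one entry must match the device type, the major and minor numbers, and cover every requested access bit). The restricted sample list is constructed for illustration in the shape of a typical container whitelist; it is not copied from any particular system.

```python
# Added example (not from the original thread): evaluate a cgroup v1
# devices.list whitelist the way the kernel's devices controller does,
# so that "a *:* rwm" can be compared against a restricted container list.
import re

# One devices.list entry: "<type> <major>:<minor> <access>", e.g. "c 1:3 rwm".
RULE_RE = re.compile(r"^([abc])\s+(\*|\d+):(\*|\d+)\s+([rwm]+)$")

# Constructed sample inputs. DOCKERD_UNIT matches the catch-all line quoted
# in the comment; CONTAINER_LIST is a made-up restricted whitelist in the
# style of what a container normally gets (a few pseudo-devices, ptys, and
# mknod-only for everything else).
DOCKERD_UNIT = "a *:* rwm\n"
CONTAINER_LIST = """\
c 1:3 rwm
c 1:5 rwm
c 1:7 rwm
c 1:8 rwm
c 1:9 rwm
c 5:0 rwm
c 5:1 rwm
c 136:* rwm
b *:* m
c *:* m
"""


def parse_devices_list(text):
    """Parse devices.list text into (type, major, minor, access) tuples.

    major/minor are None for the '*' wildcard; access is a frozenset of
    the characters r, w, m.
    """
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        match = RULE_RE.match(line)
        if not match:
            raise ValueError("unrecognised devices.list line: %r" % line)
        dtype, major, minor, access = match.groups()
        rules.append((
            dtype,
            None if major == "*" else int(major),
            None if minor == "*" else int(minor),
            frozenset(access),
        ))
    return rules


def is_allowed(rules, dtype, major, minor, access):
    """Mirror the kernel's exception matching: a single rule must match the
    device type ('a' covers both 'b' and 'c'), the major and minor numbers
    (None is a wildcard) and include every requested access character."""
    wanted = frozenset(access)
    for rtype, rmajor, rminor, raccess in rules:
        if rtype != "a" and rtype != dtype:
            continue
        if rmajor is not None and rmajor != major:
            continue
        if rminor is not None and rminor != minor:
            continue
        if not wanted <= raccess:
            continue
        return True
    return False


def allows_all_devices(rules):
    """True when the list carries a catch-all entry ("a *:* rwm"), i.e.
    every block and character device on the host is readable, writable
    and creatable from inside the cgroup."""
    return any(rtype == "a" and rmajor is None and rminor is None
               and frozenset("rwm") <= raccess
               for rtype, rmajor, rminor, raccess in rules)


if __name__ == "__main__":
    for name, text in (("dockerd unit", DOCKERD_UNIT), ("container", CONTAINER_LIST)):
        rules = parse_devices_list(text)
        # block 8:0 is the usual major:minor of the first SCSI/SATA disk
        print("%-13s all devices: %-5s  block 8:0 rw: %s" % (
            name, allows_all_devices(rules), is_allowed(rules, "b", 8, 0, "rw")))
```

With the dockerd unit's list a container process can open a host block device such as 8:0 for read and write, which is the C/I/A High argument; with the restricted list the same request is refused because the only matching entry (`b *:* m`) grants mknod but not read or write.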