Fluid Attacks Database

Description

Docker Moby /proc/scsi Path Exposure Allows Host Data Loss (SCSI MICDROP) The DefaultLinuxSpec function in oci/defaults.go in Docker Moby through 17.03.2-ce does not block /proc/scsi pathnames, which allows attackers to trigger data loss (when certain older Linux kernels are used) by leveraging Docker container access to write a "scsi remove-single-device" line to /proc/scsi/scsi, aka SCSI MICDROP.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	docker.io	>=0 <1.13.1~ds3-1	1.13.1~ds3-1
debian 14	docker.io	>=0 <1.13.1~ds3-1	1.13.1~ds3-1
debian 11	docker.io	>=0 <1.13.1~ds3-1	1.13.1~ds3-1
debian 12	docker.io	>=0 <1.13.1~ds3-1	1.13.1~ds3-1
go	github.com/moby/moby	>=0 <17.12.0-ce	17.12.0-ce

Aliases

1. CVE-2017-165392. NVD-2017-165393. OSV-DEBIAN-2017-165394. OSV-2017-165395. GCVE-2017-165396. SECURITY-TRACKER-CVE-2017-16539

References

1. https://github.com/moby/moby/pull/353992. https://github.com/moby/moby/commit/a21ecdf3c8a343a7c94e4c4d01b178c87ca7aaa13. https://marc.info/?l=linux-scsi&m=150985062200941&w=24. https://marc.info/?l=linux-scsi&m=150985455801444&w=25. https://twitter.com/ewindisch/status/926443521820774401