CVE-2022-47952: 
LXC vulnerability analysis and mitigation

CVE-2022-47952 affects lxc-user-nic in Linux Containers (LXC) through version 5.0.1. The vulnerability was discovered in a setuid root binary that allows local users to infer whether any file exists, even within protected directory trees. This information disclosure vulnerability exists because 'Failed to open' messages often indicate that a file does not exist, whereas 'does not refer to a network namespace path' messages often indicate that a file exists (MITRE CVE, NVD).

The vulnerability exists in the lxc-user-nic binary, which is installed with setuid root permissions. The issue stems from different error messages returned when attempting to access files: a 'Failed to open' message indicates file non-existence, while 'does not refer to a network namespace path' suggests file existence. This differs from the previous CVE-2018-6556 fix, which was based on the assumption that users couldn't determine why an open() operation failed. However, in practice, there are cases where the failure reason becomes apparent through these distinct error messages (GitHub POC).

The vulnerability allows local users to perform information disclosure attacks by inferring the existence of files, even within protected directory trees that they normally wouldn't have permission to access. This could potentially be used to map out the directory structure and file presence in sensitive areas of the filesystem (MITRE CVE).

The vulnerability has been patched in various distributions. For example, Debian 10 (Buster) fixed this issue in version 1:3.1.0+really3.0.3-8+deb10u1 of the lxc package. Users are recommended to upgrade their lxc packages to the latest version that includes the security fix (Debian LTS).