A new vulnerability, identified as CVE-2024-11218, has been discovered in podman build and buildah, which can lead to a container breakout. This issue occurs when using --jobs=2 and a race condition emerges as part of building a malicious Containerfile. Although SELinux has the potential to mitigate this vulnerability, it is important to note that even with SELinux on, the exploit still allows for the enumeration of files and directories on the host. In this post, we will take a closer look at this vulnerability and analyze the details of the exploit.
Vulnerability Background
podman build and buildah are popular tools for building container images. These tools have been designed to offer an efficient and secure means of creating and managing containers. However, as with any complex software, it is not uncommon for vulnerabilities to be discovered.
Technical Details
The vulnerability in question (CVE-2024-11218) arises as a result of a race condition that occurs during the build process when the --jobs=2 flag is used. This option enables users to build container images in parallel, which can lead to efficiency improvements. However, when this feature is combined with a malicious Containerfile, it opens the door for a potential exploit.
The race condition can be triggered by using a carefully crafted Containerfile that contains instructions to create symbolic links pointing to files outside the container. An attacker can then manipulate these symbolic links and have the podman build or buildah process copy or delete files on the host system.
Here's a sample code snippet that could be used in a malicious Containerfile:
FROM alpine
RUN ln -s /etc/shadow /.link && \
while true; do \
ln -s /target/file/on/host /.link; \
ln -s /etc/shadow /.link; \
done &
COPY /.link /root
This snippet sets up an infinite background loop that constantly switches the target of the symbolic link /.link between /etc/shadow and /target/file/on/host. When the COPY instruction is executed as part of the build process, there is a chance it will copy the host's target file instead of the container's /etc/shadow.
For more technical details and insights, you can refer to the original advisory published by the researchers who discovered this vulnerability: CVE-2024-11218 Advisory
Exploit Details
Although SELinux can offer some mitigation against the vulnerability, it is important to note that even with SELinux on, the exploit still allows for the enumeration of files and directories on the host. This means that an attacker could still potentially gather sensitive information or cause disruption by scanning the file system to identify vulnerable files and directories.
Mitigation Steps
To mitigate this vulnerability, update your podman and buildah installations to the latest version, which contains patches addressing the issue. Additionally, avoid building container images from untrusted Containerfiles, as they may contain malicious instructions that take advantage of this vulnerability.
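As a defender-side complement to the steps above, here is an added pre-build check (example code written for this post, not from the original advisory or from the podman/buildah projects) that scans a Containerfile for the two ingredients the post describes: a RUN instruction that backgrounds a command creating symbolic links, and a later COPY/ADD whose source path is one of those symlinks. The regular expressions, the Finding type and the two sample Containerfiles are constructed for illustration; the check is a heuristic for flagging files for manual review, not a replacement for updating the tools.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed samples (not taken from the original post or any real build).
SUSPICIOUS_CONTAINERFILE = """FROM alpine
RUN ln -s /etc/shadow /.link && \\
    while true; do \\
        ln -s /some/other/path /.link; \\
        ln -s /etc/shadow /.link; \\
    done &
COPY /.link /root
"""

BENIGN_CONTAINERFILE = """FROM alpine
RUN apk add --no-cache curl
COPY app/ /srv/app/
"""

# 'ln -s TARGET LINK' (also 'ln -sf', 'ln -sn'); group 2 is the link path.
LN_SYMLINK = re.compile(r"\bln\s+-\w*s\w*\s+(\S+)\s+([^\s;&|]+)")
# A single '&' at the end of a command list backgrounds it ('&&' is excluded).
BACKGROUND = re.compile(r"(?<!&)&\s*(?:;|$)")


@dataclass
class Finding:
    line: int      # 1-based line where the flagged instruction starts
    message: str


def logical_instructions(text: str) -> List[Tuple[int, str]]:
    """Join backslash-continued lines into single instructions, keeping the
    line number of the first physical line of each instruction."""
    out: List[Tuple[int, str]] = []
    buf: List[str] = []
    start = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        out.append((start, " ".join(buf)))
        buf = []
    if buf:  # file ended on a continuation line
        out.append((start, " ".join(buf)))
    return out


def scan_containerfile(text: str) -> List[Finding]:
    """Flag backgrounded symlink creation in RUN, and COPY/ADD sources that
    name a symlink created by an earlier RUN in the same Containerfile."""
    findings: List[Finding] = []
    symlinks_created: Dict[str, int] = {}  # link path -> line of creating RUN
    for lineno, instr in logical_instructions(text):
        keyword, _, args = instr.partition(" ")
        keyword = keyword.upper()
        if keyword == "RUN":
            links = sorted({m.group(2) for m in LN_SYMLINK.finditer(args)})
            for link in links:
                symlinks_created.setdefault(link, lineno)
            if links and BACKGROUND.search(args):
                findings.append(Finding(
                    lineno,
                    "RUN backgrounds a command that creates symlinks "
                    f"({', '.join(links)}); the link can change while later "
                    "build steps run"))
        elif keyword in ("COPY", "ADD"):
            operands = [a for a in args.split() if not a.startswith("--")]
            for src in operands[:-1]:  # last operand is the destination
                if src in symlinks_created:
                    findings.append(Finding(
                        lineno,
                        f"{keyword} source {src} is a symlink created by RUN "
                        f"at line {symlinks_created[src]}"))
    return findings


if __name__ == "__main__":
    for name, content in (("suspicious", SUSPICIOUS_CONTAINERFILE),
                          ("benign", BENIGN_CONTAINERFILE)):
        print(f"== {name} ==")
        for f in scan_containerfile(content) or [Finding(0, "no findings")]:
            print(f"line {f.line}: {f.message}")
```

Run against the suspicious sample it reports the RUN at line 2 and the COPY at line 7; the benign sample produces no findings. Because the check only sees the Containerfile text, it cannot know whether the build will actually be run with --jobs=2, so treat a hit as a reason to inspect the file before building rather than as proof of an attack.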
Conclusion
CVE-2024-11218 is a serious vulnerability that affects both podman build and buildah and can lead to a container breakout by using --jobs=2 in conjunction with a race condition when building a malicious Containerfile. Although SELinux can provide some mitigation, it is essential to update affected tools and practice caution when building container images from untrusted sources. Stay informed and ensure your systems are up-to-date to protect against this and other potential vulnerabilities.
Timeline
Published on: 01/22/2025 05:15:08 UTC
Last modified on: 02/13/2025 02:15:29 UTC