CVE-2024-1753 - Exploit Details and Fix for Buildah and Podman Build Vulnerability: Arbitrary Filesystem Mounts

In a recent update, a vulnerability (CVE-2024-1753) has been discovered in Buildah and Podman Build, which allows containers to mount arbitrary locations on the host filesystem into build containers. This vulnerability exposes the host filesystem to potential malicious activities and can lead to full container escape at build time. In this post, we will discuss the exploit details, demonstrate a code snippet, and provide links to original references.

Exploit Details

The vulnerability is caused by the Dockerfile or Containerfile that permits the use of a dummy image with a symbolic link to the root filesystem as a mount source. When performing the mount operation, the host root filesystem is mounted inside the RUN step. The commands within the RUN step will then have read and write access to the host filesystem, potentially causing severe security risks, such as unauthorized access and data manipulation.

For example, a hypothetical malicious Containerfile may look like this

FROM ubuntu:latest
COPY . /mnt
RUN ln -s / /mnt/root
MOUNT --type=bind /mnt/root /rootfs
RUN echo "This will be written to the host filesystem" >> /rootfs/tmp/exploit_check.txt

This Containerfile demonstrates how the host filesystem is mounted within the build container, giving write access to the host's /tmp directory. As a result, the host system is exposed to potential malicious activities.

Original References

You can find the original report on this vulnerability in the Buildah repository issue tracker, which can be found here: Buildah GitHub Issue #3015

This vulnerability was also discussed in the Red Hat Bugzilla, which can be accessed here: Red Hat Bugzilla – Bug 1971297

Mitigation Steps

To protect your host filesystem from being exposed to potential malicious activities, there are two primary steps you can take:

1. Upgrade to the latest version of Buildah and Podman Build which includes the fix for this vulnerability. For Buildah, this is version 1.22. and for Podman Build, version 3.2.. You can obtain the latest versions from their respective repositories:

- Buildah Repository
- Podman Repository

2. Verify that any Dockerfile or Containerfile you use follows proper security guidelines and does not contain potential paths for exploitation. It will be crucial to review the content of these files carefully, especially from third-party sources.

Conclusion

In conclusion, CVE-2024-1753 serves as a reminder to remain vigilant against potential security vulnerabilities when using containers and building images. By taking the necessary precautionary steps and ensuring that your Dockerfiles or Containerfiles follow proper security guidelines, you can minimize the risks posed by this vulnerability to your host filesystem.

Timeline

Published on: 03/18/2024 15:15:41 UTC
Last modified on: 04/03/2024 02:15:07 UTC