In this long read, we will take a deep dive into CVE-2024-3154, a critical vulnerability discovered in cri-o, a popular open-source container runtime for Kubernetes. The flaw enables attackers to inject arbitrary systemd properties into a Kubernetes Pod via malicious annotations. Consequently, any user capable of creating a Pod with arbitrary annotations could potentially perform arbitrary actions on the host system. We will examine the code, explore the exploit details, and provide relevant links for further information.

Code Snippet

Before diving into the details, let's look at the piece of code in cri-o that lets arbitrary annotations through:

func (s *server) generateContainerSystemdOpts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig) (string, error) {
    ...
    for key, value := range containerConfig.Annotations {
        switch key {
        case emptyFsListAnnotation:
            if str, ok := value.(string); ok {
                mountList = str
            } else {
                return "", fmt.Errorf("emptyFsListAnnotation value in the pod should be a string, got: %+v", value)
            }
        case ...:
            ...
        default:
            // Arbitrary annotations for systemd properties
            opts.SetProperty(key, value)
        }
    }
    ...
}

As the snippet shows, any annotation key that matches none of the named cases falls through to the default branch, where it is set as a systemd property with no validation.

Here is an example of a pod manifest that takes advantage of CVE-2024-3154:

apiVersion: v1
kind: Pod
metadata:
  name: malicious-pod
  annotations:
    io.kubernetes.cri-o.someArbitraryAction: evil_value
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "echo Running malicious payload"]
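
The fall-through in the default branch of the snippet above accepts unknown keys instead of refusing them. The following is an added example, not cri-o's own code or its actual fix: a deny-by-default check over a Pod's annotations. The allowlist, the exampleMountList key and its validator are hypothetical; only the io.kubernetes.cri-o. prefix and the someArbitraryAction annotation come from the manifest above.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Annotation namespace taken from the manifest on this page.
const runtimePrefix = "io.kubernetes.cri-o."

// Hypothetical allowlist (constructed key): recognized key -> value validator.
var allowed = map[string]func(string) error{
	runtimePrefix + "exampleMountList": func(v string) error {
		for _, p := range strings.Split(v, ",") {
			if !strings.HasPrefix(p, "/") {
				return fmt.Errorf("mount path %q is not absolute", p)
			}
		}
		return nil
	},
}

// CheckAnnotations is deny-by-default for the runtime namespace; it returns sorted violations.
func CheckAnnotations(annotations map[string]string) []string {
	var violations []string
	for key, value := range annotations {
		if !strings.HasPrefix(key, runtimePrefix) {
			continue // other namespaces are out of scope for this check
		}
		if validate, ok := allowed[key]; !ok {
			violations = append(violations, key+": not an allowed runtime annotation")
		} else if err := validate(value); err != nil {
			violations = append(violations, key+": "+err.Error())
		}
	}
	sort.Strings(violations)
	return violations
}

func main() {
	pod := map[string]string{ // constructed input mirroring the manifest's annotations
		runtimePrefix + "someArbitraryAction": "evil_value",
		"app.example/team":                    "payments",
	}
	for _, v := range CheckAnnotations(pod) {
		fmt.Println("DENY", v)
	}
}
```

The same check fits an admission webhook or a CI lint over manifests: a non-empty result means the Pod is refused before it reaches the runtime.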

For more details, you can consult the following references:

1. CVE-2024-3154 - NIST National Vulnerability Database (NVD)
2. Red Hat Bugzilla Report for cri-o Issue
3. GitHub issue discussing the vulnerability
4. Official cri-o documentation
5. Kubernetes documentation

Conclusion

CVE-2024-3154 is a critical vulnerability, as it allows arbitrary systemd property injection via Pod annotations in cri-o, leading to arbitrary actions on the underlying system. Organizations that rely on cri-o for their Kubernetes deployments should ensure that they apply all recommended patches and security updates to protect themselves against potential compromise.

Timeline

Published on: 04/26/2024 04:15:09 UTC
Last modified on: 05/16/2024 23:15:50 UTC