CVE-2024-3154 - Critical Vulnerability in cri-o Allows Arbitrary Systemd Property Injection through Pod Annotations
In this long read, we will take a deep dive into CVE-2024-3154, a critical vulnerability discovered in cri-o, a popular open-source container runtime for Kubernetes. The flaw enables attackers to inject arbitrary systemd properties into a Kubernetes Pod via malicious annotations. Consequently, any user capable of creating a Pod with arbitrary annotations could potentially perform arbitrary actions on the host system. We will examine the code, explore the exploit details, and provide relevant links for further information.
Code Snippet
Before diving into the details, let's take a look at the piece of code in cri-o that allows the arbitrary annotation:
func (s *server) generateContainerSystemdOpts(sb *sandbox.Sandbox, containerConfig *pb.ContainerConfig) (string, error) {
	...
	// Every annotation on the container is inspected in turn.
	for key, value := range containerConfig.Annotations {
		switch key {
		case emptyFsListAnnotation:
			if str, ok := value.(string); ok {
				mountList = str
			} else {
				return "", fmt.Errorf("emptyFsListAnnotation value in the pod should be a string, got: %+v", value)
			}
		case ...:
			...
		default:
			// Arbitrary annotations for systemd properties: any key that no
			// explicit case claims is forwarded to systemd unchanged, with both
			// the property name and its value taken straight from the Pod.
			opts.SetProperty(key, value)
		}
	}
	...
}
As the snippet shows, only a handful of annotation keys are matched by explicit cases; every other key falls through to the default branch and is handed to systemd as a property name together with its annotation value. The Pod author therefore controls both the name and the value of the injected systemd property, and nothing restricts it to a list of properties that are safe for a workload to set.
Here is an example of a pod manifest that takes advantage of CVE-2024-3154:
apiVersion: v1
kind: Pod
metadata:
  name: malicious-pod
  annotations:
    io.kubernetes.cri-o.someArbitraryAction: evil_value
spec:
  containers:
  - name: busybox
    image: busybox
    command: ["sh", "-c", "echo Running malicious payload"]
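The following Go program is an added example and is not cri-o's code nor part of the advisory. It places the passthrough pattern from the snippet above beside an allowlist-based alternative and runs both over annotations of the kind used in the manifest above. The annotation prefix io.kubernetes.cri-o.systemd., the allowlist contents, the property names, the validators and the function names are all assumptions made for this example; the point it demonstrates is that the safe design names the permitted properties and validates their values rather than forwarding whatever key the Pod supplies.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Hypothetical annotation prefix for this example; not a real cri-o key.
const systemdAnnotationPrefix = "io.kubernetes.cri-o.systemd."

// SystemdOpt is one property that would be forwarded to systemd.
type SystemdOpt struct {
	Name  string
	Value string
}

// positiveIntOrInfinity accepts values systemd takes for limits such as TasksMax.
func positiveIntOrInfinity(v string) error {
	if v == "infinity" {
		return nil
	}
	n, err := strconv.ParseUint(v, 10, 64)
	if err != nil || n == 0 {
		return fmt.Errorf("expected a positive integer or \"infinity\", got %q", v)
	}
	return nil
}

// intInRange builds a validator for an integer property with fixed bounds.
func intInRange(lo, hi uint64) func(string) error {
	return func(v string) error {
		n, err := strconv.ParseUint(v, 10, 64)
		if err != nil || n < lo || n > hi {
			return fmt.Errorf("expected an integer in [%d, %d], got %q", lo, hi, v)
		}
		return nil
	}
}

// allowedSystemdProperties is the constructed allowlist: a Pod may only select
// one of these property names, and each value must pass its validator.
var allowedSystemdProperties = map[string]func(string) error{
	"TasksMax":  positiveIntOrInfinity,
	"MemoryMax": positiveIntOrInfinity,
	"CPUWeight": intInRange(1, 10000),
}

func sortOpts(opts []SystemdOpt) {
	sort.Slice(opts, func(i, j int) bool { return opts[i].Name < opts[j].Name })
}

// vulnerableSystemdOpts mirrors the default-branch pattern in the snippet:
// every annotation under the prefix is forwarded, name and value untouched.
func vulnerableSystemdOpts(annotations map[string]string) []SystemdOpt {
	var opts []SystemdOpt
	for key, value := range annotations {
		if strings.HasPrefix(key, systemdAnnotationPrefix) {
			opts = append(opts, SystemdOpt{Name: strings.TrimPrefix(key, systemdAnnotationPrefix), Value: value})
		}
	}
	sortOpts(opts)
	return opts
}

// hardenedSystemdOpts rejects any property name outside the allowlist and any
// value its validator does not accept, instead of silently passing it through.
func hardenedSystemdOpts(annotations map[string]string) ([]SystemdOpt, error) {
	var opts []SystemdOpt
	for key, value := range annotations {
		if !strings.HasPrefix(key, systemdAnnotationPrefix) {
			continue // unrelated annotation; not a systemd request at all
		}
		name := strings.TrimPrefix(key, systemdAnnotationPrefix)
		validate, ok := allowedSystemdProperties[name]
		if !ok {
			return nil, fmt.Errorf("annotation %q: systemd property %q is not permitted", key, name)
		}
		if err := validate(value); err != nil {
			return nil, fmt.Errorf("annotation %q: %w", key, err)
		}
		opts = append(opts, SystemdOpt{Name: name, Value: value})
	}
	sortOpts(opts)
	return opts, nil
}

func main() {
	// Constructed annotations: one benign limit and one key naming a property
	// the allowlist never granted, in the style of the manifest above.
	annotations := map[string]string{
		"io.kubernetes.cri-o.systemd.TasksMax":            "512",
		"io.kubernetes.cri-o.systemd.someArbitraryAction": "evil_value",
	}
	fmt.Println("vulnerable path forwards:", vulnerableSystemdOpts(annotations))
	opts, err := hardenedSystemdOpts(annotations)
	fmt.Println("hardened path forwards:", opts, "error:", err)
}
```

Run it with `go run` to see the vulnerable path forward both entries while the hardened path refuses the whole container because of the unknown property. Rejecting the container outright, rather than dropping the offending key, is deliberate: a Pod that asks for a property it is not allowed to set is a signal worth surfacing in the runtime's error path and logs, not something to quietly tolerate.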
For more details, you can consult the following references:
1. CVE-2024-3154 - NIST National Vulnerability Database (NVD)
2. Red Hat Bugzilla Report for cri-o Issue
3. GitHub issue discussing the vulnerability
4. Official cri-o documentation
5. Kubernetes documentation
Conclusion
CVE-2024-3154 is a critical vulnerability, as it allows arbitrary systemd property injection via Pod annotations in cri-o, leading to arbitrary actions on the underlying system. Organizations that rely on cri-o for their Kubernetes deployments should ensure that they apply all recommended patches and security updates to protect themselves against potential compromise.
Timeline
Published on: 04/26/2024 04:15:09 UTC
Last modified on: 05/16/2024 23:15:50 UTC