A newly discovered vulnerability (CVE-2024-9675) in Buildah allows a RUN instruction in a Containerfile to mount an arbitrary directory from the host (read/write) into the container, as long as those files can be accessed by the user running Buildah. This vulnerability occurs because cache mounts do not properly validate that user-specified paths for the cache are within Buildah's cache directory.

In this long-read post, we will discuss the specifics of the vulnerability, demonstrate how an exploit can be crafted, and provide links to original references for further understanding and mitigation.

Vulnerability Details

Buildah is a popular open-source tool that facilitates building OCI container images. It features a simple command-line interface for creating images, managing containers, and interacting with container registries.

The CVE report scores it 4.4 on the CVSS v3.1 scale, a medium-severity rating: the attacker needs only to get a Containerfile built, and the impact is bounded by the privileges of the user running Buildah. Within those bounds, an attacker can read or modify files on the build host at the moment the RUN instruction executes during the build, not when the resulting image is later run, and can bake whatever was read into the image for later retrieval.

Exploit Details

To exploit this vulnerability, an attacker crafts a Containerfile whose RUN instruction declares a cache mount with a source outside Buildah's cache directory; Buildah then mounts that host path into the build container for the duration of the RUN step. A simple proof-of-concept (PoC) Containerfile:

FROM alpine

# the host's /etc/ appears at /tmp/cache for this RUN step; copy the hashes into the image
RUN --mount=type=cache,target=/tmp/cache,source=/etc/ cat /tmp/cache/shadow > /data.txt

CMD ["/bin/ash"]

In this example the cache mount's source points at the host's /etc/ directory, which Buildah exposes read/write at /tmp/cache inside the build container while the RUN step runs. The step copies /etc/shadow, the file holding the host's password hashes, into the image as /data.txt; because the mount is writable, host files could just as well be modified. The exact source string that escapes depends on how a given Buildah version joins it onto its cache directory (the flaw is the absence of a check that the result stays inside that directory), so treat the value above as illustrative.

To carry out the exploit, the attacker builds the image with Buildah (buildah bud is the long-standing alias of buildah build; either works):

$ buildah bud -t malicious-image .

Once the build has finished, the host's /etc/shadow has already been read. Running the resulting container simply displays the copy:

$ podman run --rm -it malicious-image cat /data.txt

(Note: the above command uses Podman, a sibling project whose podman build command uses Buildah as a library, to run the container.)

Mitigation

Upgrade to a Buildah release that contains the fix; patched releases are published on the project's GitHub repository: https://github.com/containers/buildah/releases. Because podman build uses Buildah as a library, Podman needs updating as well, and distribution packages of both follow their vendor's advisories rather than the upstream tag.

Additionally, treat any Containerfile as code that will run with your privileges on the build host: review every RUN --mount=type=cache line that sets source= (or src=), and build only files from sources you trust.
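To make that review step concrete, and to show the root cause described in the Vulnerability Details section, here is an added Go example. It is not Buildah's code and not the post author's: JoinUnchecked models the flaw class the CVE description gives (the RUN line's source is appended to the cache root with no containment check), JoinContained is a hardened form that refuses absolute sources and verifies the cleaned join stays under the root, and AuditContainerfile scans RUN --mount=type=cache lines and flags any source the hardened check would reject. It goes beyond the single /etc/ case above by covering ".." traversal and absolute sources. The cache root path, the function names and the sample Containerfile are assumptions constructed for the demonstration; the RUN parsing handles the single-line form only.

```go
package main

import (
	"bufio"
	"fmt"
	"path/filepath"
	"strings"
)

// cacheRoot stands in for Buildah's cache directory (an assumed path for this example).
const cacheRoot = "/var/lib/containers/cache"

// JoinUnchecked models the flaw class behind CVE-2024-9675: the source named on
// the RUN line is appended to the cache root with no containment check, so ".."
// segments walk out of it. Illustration only, not Buildah's code.
func JoinUnchecked(root, src string) string {
	return filepath.Join(root, src)
}

// JoinContained is the hardened form: absolute sources are refused and the
// cleaned join must still sit under root. A lexical check is enough only when
// root holds no attacker-controlled symlinks; otherwise resolve them first.
func JoinContained(root, src string) (string, error) {
	if filepath.IsAbs(src) {
		return "", fmt.Errorf("cache source %q is absolute, not a name under %s", src, root)
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, src)
	rel, err := filepath.Rel(root, p)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("cache source %q escapes %s", src, root)
	}
	return p, nil
}

// cacheSource returns the source of a "k=v,k=v" --mount option string and
// whether the mount is of type cache at all.
func cacheSource(opts string) (src string, isCache bool) {
	for _, kv := range strings.Split(opts, ",") {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "type":
			isCache = v == "cache"
		case "source", "src":
			src = v
		}
	}
	return src, isCache
}

// Finding is a cache mount JoinContained rejects, with the unchecked join's host path.
type Finding struct {
	Line              int
	Source, Unchecked string
}

// AuditContainerfile is the review step for a Containerfile you did not write: it
// flags every type=cache mount on a RUN line whose source is absolute or escapes
// root. Single-line RUN only; backslash continuations and heredocs are skipped.
func AuditContainerfile(containerfile, root string) []Finding {
	var findings []Finding
	sc := bufio.NewScanner(strings.NewReader(containerfile))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if !strings.HasPrefix(line, "RUN ") {
			continue
		}
		for _, field := range strings.Fields(line[4:]) {
			if !strings.HasPrefix(field, "--") {
				break // RUN flags all precede the command itself
			}
			src, isCache := cacheSource(strings.TrimPrefix(field, "--mount="))
			if !isCache || src == "" {
				continue // not a cache mount, or no user-controlled path to check
			}
			if _, err := JoinContained(root, src); err != nil {
				findings = append(findings, Finding{n, src, JoinUnchecked(root, src)})
			}
		}
	}
	return findings
}

// sampleContainerfile is constructed input for the demonstration.
const sampleContainerfile = `FROM alpine
# benign: a plain name, resolved to a sub-directory of the cache root
RUN --mount=type=cache,target=/root/.cache/pip,source=pip pip install -r requirements.txt
# traversal: ".." segments walk out of the cache root
RUN --mount=type=cache,target=/tmp/cache,source=../../../../etc cat /tmp/cache/shadow > /data.txt
# absolute source: not a name under the cache root, so flagged for review
RUN --mount=type=cache,target=/tmp/cache,source=/etc true
CMD ["/bin/ash"]`

func main() {
	for _, f := range AuditContainerfile(sampleContainerfile, cacheRoot) {
		fmt.Printf("line %d: source=%q, unchecked join lands at %s\n", f.Line, f.Source, f.Unchecked)
	}
}
```

Run as a program it reports lines 5 and 7 of the sample; in CI, feed AuditContainerfile the contents of each Containerfile and fail the pipeline on any finding before Buildah ever sees the file. Keep in mind that the containment check is lexical: if the cache root can contain symlinks created by an untrusted party, resolve the joined path (filepath.EvalSymlinks) before comparing it against the root.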

Conclusion

This post has provided an overview and details of the CVE-2024-9675 vulnerability discovered in Buildah. To stay protected, users should promptly update their Buildah installations and exercise caution when running containers from untrusted sources.

For more information, refer to the following resources:

1. CVE-2024-9675 Official Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-9675
2. Buildah GitHub Repository: https://github.com/containers/buildah
3. Buildah Documentation: https://github.com/containers/buildah/tree/main/docs

Timeline

Published on: 10/09/2024 15:15:17 UTC
Last modified on: 12/30/2024 18:23:44 UTC