CVE-2024-1753

Summary

A flaw was found in Buildah (and subsequently Podman Build) which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time.

Affected Software

VendorProductVersion RangeStatus
4.15.0affected
Red HatRed Hat Enterprise Linux 88090020240413110917.d7b6f4b7 < *unaffected
Red HatRed Hat Enterprise Linux 88090020240417184044.e7857ab1 < *unaffected
Red HatRed Hat Enterprise Linux 88100020240419145834.afee755d < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support8060020240422155330.3b538bd8 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support8060020240419071711.2e213529 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support8080020240422101606.0f77c1b7 < *unaffected
Red HatRed Hat Enterprise Linux 91:1.31.5-1.el9_3 < *unaffected
Red HatRed Hat Enterprise Linux 94:4.9.4-3.el9_4 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support1:1.26.7-1.el9_0 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support2:4.2.0-3.el9_0 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support1:1.29.3-1.el9_2 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support2:4.4.1-16.el9_2 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.123:4.4.1-3.2.rhaos4.12.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.133:4.4.1-6.3.rhaos4.13.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.133:4.4.1-8.3.rhaos4.13.el9 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.143:4.4.1-13.4.rhaos4.14.el8 < *unaffected
Red HatRed Hat OpenShift Container Platform 4.153:4.4.1-23.2.rhaos4.15.el8 < *unaffected

Weaknesses

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

Workarounds

When SELinux is enabled, the container is restricted to limited read-only access.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References