CVE-2024-1753: Podman/Buildah Vulnerability Allow Container Escapes

A serious vulnerability (CVE-2024-1753) has been discovered in the popular containerization tools Podman and Buildah. This flaw, rated as important with a CVSS score of 8.6, could allow attackers to escape the confines of a container during the build process and wreak havoc on the underlying host system.

Weakness in the Build: How the Exploit Works

The danger lies in how Podman and Buildah handle file mounts during the container creation phase. By crafting a malicious Containerfile, an attacker can trick the system into mounting the host system’s root filesystem directly within the container build environment.

This grants the attacker read-write access to the entire host system, opening the door to:

• Data theft and exfiltration
• Installation of further malware
• System-wide disruption and damage

Affected Versions: Act Now

The following versions of Podman and Buildah are confirmed to be vulnerable to CVE-2024-1753:

• Buildah 1.35.0 and earlier
• Podman 4.9.3 and earlier

Patches [1, 2] have been released. All users of these tools are urged to update at the earliest opportunity to eliminate this critical risk.

Mitigation and Best Practices

While updating is the most definitive protection, the following can help reduce the risk:

• Enforce SELinux Controls: If SELinux is enabled and set to “enforcing” mode, it can limit potential damage from attacks.
• Adopt Principle of Least Privilege: Limit container access to only those resources necessary for its function.