A serious vulnerability, CVE-2024-1753, has been disclosed in the container build tools Podman and Buildah. The flaw, rated Important by Red Hat with a CVSS score of 8.6, lets an attacker who controls a Containerfile escape the build container while the image is being built and obtain read-write access to the underlying host filesystem.
Weakness in the Build: How the Exploit Works
The danger lies in how Podman and Buildah resolve mount sources while executing a build. A RUN step may mount content taken from another image into the build container. If that image contains a symbolic link pointing at the root directory, a vulnerable version resolves the link on the host rather than confining it to the image's own root, so the host's root filesystem, not a path inside the image, ends up mounted into the build container for the duration of the RUN step.
“A flaw was found in Podman Build and Buildah which allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time,” Red Hat wrote in its security advisory.
Because build steps normally run as root inside the build container, a rootful build therefore grants the attacker read-write access to the entire host system, opening the door to:
- Data theft and exfiltration
- Installation of further malware
- System-wide disruption and damage
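The vector described above is a RUN step whose mount source is another image. The following shell script is an added example, not code from the advisory or from the Podman/Buildah projects: it scans a Containerfile and lists every RUN instruction whose --mount option names another image via from=, so a build pipeline can flag Containerfiles that pull mount sources from images it does not control. It assumes the Buildah/BuildKit `RUN --mount=...,from=IMAGE` option syntax; the sample Containerfile and the image names in it are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example (not from the advisory or the Podman/Buildah projects).
# Lists RUN steps whose --mount takes its source from another image
# (the "from=IMAGE" mount option), which is the path CVE-2024-1753 abuses.

# list_image_mounts FILE
# Prints "LINE IMAGE" for every RUN --mount=...from=IMAGE in FILE.
# Backslash-continued lines are joined so multi-line RUN steps are seen;
# LINE is the line on which the RUN instruction starts.
list_image_mounts() {
    local file="$1" line joined="" start=0 lineno=0 mount img
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        [ -z "$joined" ] && start=$lineno
        case "$line" in
            *\\) joined="${joined}${line%\\} "; continue ;;   # continuation line
        esac
        joined="${joined}${line}"
        # Only RUN instructions can mount at build time; comments and other
        # instructions are skipped. Instruction names are case-insensitive.
        if printf '%s\n' "$joined" | grep -Eiq '^[[:space:]]*RUN[[:space:]]'; then
            printf '%s\n' "$joined" | grep -Eo -- '--mount=[^[:space:]]+' |
            while IFS= read -r mount; do
                # extract the value of a from= option inside the mount spec
                img=$(printf '%s\n' "$mount" | sed -n 's/.*[,=]from=\([^,]*\).*/\1/p')
                if [ -n "$img" ]; then
                    printf '%s %s\n' "$start" "$img"
                fi
            done
        fi
        joined=""
    done < "$file"
}

# write_sample_containerfile -> prints the path of a constructed sample.
# The image names are placeholders, not real registries.
write_sample_containerfile() {
    local f
    f=$(mktemp)
    cat >"$f" <<'EOF'
FROM registry.example/base:1.0
# bind mount from the build context: no from=, not flagged
RUN --mount=type=bind,source=.,target=/src make -C /src
# mount whose source is another image: this is the path the advisory describes
RUN --mount=type=bind,from=registry.example/dummy:latest,source=/data,target=/mnt \
    ls /mnt
COPY . /app
EOF
    printf '%s\n' "$f"
}

# scan_sample -> runs the scanner over the constructed sample and cleans up
scan_sample() {
    local f
    f=$(write_sample_containerfile)
    list_image_mounts "$f"
    rm -f "$f"
}

scan_sample
```

On the constructed sample the scanner reports the RUN step that starts on line 5 together with the image it mounts from; the bind mount from the build context on line 3 is not reported, since it names no image. A hit is not proof of malice, only the place where an untrusted image would be given a chance to supply a mount source on a vulnerable build host.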
Affected Versions: Act Now
The following versions of Podman and Buildah are confirmed to be vulnerable to CVE-2024-1753:
- Buildah 1.35.0 and earlier
- Podman 4.9.3 and earlier
Patches [1, 2] have been released; Buildah 1.35.1 and Podman 4.9.4 are the first releases that contain them. All users of these tools are urged to update at the earliest opportunity. Distributions that backport the fix may keep an older version number, so check your vendor's advisory as well as the upstream version.
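As an added example, not code from the advisory or the Podman/Buildah projects, the following script checks the Buildah and Podman versions installed on a host against the first fixed releases. It assumes Buildah 1.35.1 and Podman 4.9.4 as the first fixed releases (consistent with the affected versions listed above), assumes that Podman 5.0.1 is the first fixed release on the 5.x branch, and assumes the version is the third word of `buildah --version` and `podman --version` output.

```shell
#!/usr/bin/env bash
# Added example, not from the advisory or the Podman/Buildah projects.
# Assumed first fixed releases for CVE-2024-1753: Buildah 1.35.1,
# Podman 4.9.4, and Podman 5.0.1 on the 5.x branch. Downstream packages
# may backport the fix without bumping the version, so treat a
# "vulnerable" result as "verify against your distribution's advisory".

# version_lt A B -> true when dotted version A is strictly older than B
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# cve_2024_1753_vulnerable TOOL VERSION -> true when TOOL at VERSION is affected
cve_2024_1753_vulnerable() {
    local tool="$1" ver="$2"
    case "$tool" in
        buildah) version_lt "$ver" "1.35.1" ;;
        podman)
            case "$ver" in
                5.*) version_lt "$ver" "5.0.1" ;;   # assumed first fixed 5.x release
                *)   version_lt "$ver" "4.9.4" ;;
            esac ;;
        *) echo "unknown tool: $tool" >&2; return 2 ;;
    esac
}

# installed_version TOOL -> prints the version reported by "TOOL --version"
# (assumed format: "buildah version 1.35.0 (...)" / "podman version 4.9.3")
installed_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$1" --version 2>/dev/null | awk '{print $3; exit}'
}

# check_host -> one status line per tool found on this host
check_host() {
    local tool ver
    for tool in buildah podman; do
        if ! ver=$(installed_version "$tool"); then
            echo "$tool: not installed"
            continue
        fi
        if [ -z "$ver" ]; then
            echo "$tool: installed, version could not be parsed"
            continue
        fi
        if cve_2024_1753_vulnerable "$tool" "$ver"; then
            echo "$tool $ver: affected by CVE-2024-1753, update"
        else
            echo "$tool $ver: fixed release (confirm distro backports)"
        fi
    done
}

check_host
```

The comparison relies on GNU sort -V for dotted version ordering, so 4.10.0 correctly sorts after 4.9.4; a plain string comparison would get that wrong.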
Mitigation and Best Practices
While updating is the only definitive protection, the following reduce the exposure until the fix is in place:
- Enforce SELinux Controls: With SELinux in enforcing mode (check with getenforce), processes in the RUN step still run under the container label, so even a mounted host filesystem is subject to SELinux policy and most host files are not writable from it. This limits the damage; it does not prevent the mount.
- Adopt Principle of Least Privilege: Build only Containerfiles from sources you trust, and treat every image a build pulls in as untrusted input. Run builds rootless where possible, so that a mount of the host filesystem carries only the build user's permissions rather than root's.