
A high-severity vulnerability has been discovered in Podman and Buildah, popular containerization tools. The flaw, tracked as CVE-2024-11218 and assigned a CVSS score of 8.6, could allow attackers to break out of containers and access sensitive information on the host system.
The vulnerability stems from a race condition that occurs when building a malicious Containerfile using the --jobs=2 flag. This allows attackers to exploit the --mount flag in RUN instructions to expose content from the host to the container.
“With careful use of the --mount flag in RUN instructions in Containerfiles, and by using either multi-stage builds with use of concurrently-executing build stages (e.g., using the --jobs CLI flag) or multiple separate but concurrently-executing builds, a malicious Containerfile can be used to expose content from the build host to the command being run using the RUN instruction,” the security advisory explains.
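The construct the advisory describes is a multi-stage Containerfile whose RUN instructions carry --mount options. A build pipeline can flag that pattern for review before it is built with --jobs or alongside other concurrent builds. The following Python linter is an added example written for this article; it is not Podman or Buildah code, and the sample Containerfile, the Finding type and the function names are constructed for illustration. It joins backslash continuations, records each FROM ... AS stage, and reports every RUN --mount together with whether the mount pulls content from another stage or image via from=.

```python
"""Lint a Containerfile for the RUN --mount / multi-stage pattern named in
the CVE-2024-11218 advisory.  Added example; not Podman/Buildah code."""
import re
from dataclasses import dataclass

# Constructed sample input (not taken from the advisory or the article).
SAMPLE_CONTAINERFILE = """\
FROM docker.io/library/alpine AS builder
RUN echo build > /out

FROM docker.io/library/alpine AS final
# Bind-mounts content from another stage during RUN: the construct to review.
RUN --mount=type=bind,from=builder,source=/out,target=/in cat /in
RUN --mount=type=cache,target=/var/cache/apk apk add --no-cache curl
RUN echo plain
"""

# Matches both "--mount=type=..." and "--mount type=..." spellings.
MOUNT_RE = re.compile(r"--mount[= ](\S+)")


@dataclass
class Finding:
    """One RUN --mount occurrence worth a reviewer's attention."""
    line_no: int        # 1-based line of the RUN instruction
    stage: str          # name of the build stage the RUN belongs to
    mount_opts: dict    # parsed key=value pairs of the --mount option
    cross_stage: bool   # True when from= references another stage or image


def parse_instructions(text):
    """Yield (line_no, KEYWORD, rest), joining backslash continuations and
    skipping blank lines and comments."""
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        start = i
        line = lines[i].rstrip()
        while line.endswith("\\") and i + 1 < len(lines):
            i += 1
            line = line[:-1] + " " + lines[i].strip()
        i += 1
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        keyword, _, rest = stripped.partition(" ")
        yield start + 1, keyword.upper(), rest.strip()


def parse_mount(spec):
    """Turn 'type=bind,from=builder,target=/in' into a dict."""
    opts = {}
    for part in spec.split(","):
        key, _, value = part.partition("=")
        opts[key] = value
    return opts


def lint_containerfile(text):
    """Return (stage_names, findings) for the given Containerfile text."""
    stages, findings = [], []
    current = None
    for line_no, keyword, rest in parse_instructions(text):
        if keyword == "FROM":
            match = re.search(r"\bAS\s+(\S+)", rest, re.IGNORECASE)
            current = match.group(1) if match else f"stage{len(stages)}"
            stages.append(current)
        elif keyword == "RUN":
            for spec in MOUNT_RE.findall(rest):
                opts = parse_mount(spec)
                findings.append(Finding(line_no, current or "<none>", opts,
                                        "from" in opts))
    return stages, findings


def needs_review(text):
    """True when the file is multi-stage and uses RUN --mount anywhere:
    exactly the combination the advisory says must be treated with care."""
    stages, findings = lint_containerfile(text)
    return len(stages) > 1 and bool(findings)


def report(text):
    """Human-readable summary lines for CI output."""
    stages, findings = lint_containerfile(text)
    out = [f"stages: {', '.join(stages)}"]
    for f in findings:
        kind = "cross-stage" if f.cross_stage else "local"
        out.append(f"line {f.line_no} [{f.stage}] {kind} mount "
                   f"type={f.mount_opts.get('type', '?')} "
                   f"from={f.mount_opts.get('from', '-')}")
    return out


if __name__ == "__main__":
    for line in report(SAMPLE_CONTAINERFILE):
        print(line)
    print("needs review:", needs_review(SAMPLE_CONTAINERFILE))
```

The linter deliberately flags every RUN --mount in a multi-stage file rather than trying to decide which ones are dangerous: the advisory notes that separate concurrent builds trigger the same race, so a "safe" verdict cannot be made from one file alone, and the right response is to update to a patched release and keep mandatory access controls enabled on build hosts.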
Even with SELinux enabled, attackers may still be able to enumerate files and directories on the host system.
This vulnerability could have significant consequences, particularly when the build process is running as a root-owned podman system service. Attackers could potentially gain access to sensitive data, including setuid executables, and escalate their privileges on the host.
The maintainers of Podman and Buildah have released patches to address this vulnerability. Users are strongly encouraged to update their installations to the latest versions as soon as possible.
Patches have been merged to the main branch, and will be added to upcoming releases on the release-1.38, release-1.37, release-1.35, and release-1.33 branches.
In the meantime, enabling mandatory access controls can help limit the impact of this vulnerability. “Mandatory access controls should limit the access of the process performing the build, on systems where they are enabled.”