PT-2024-2232 · Podman+9
Rmcnamara-Snyk
Published 2024-03-18 · Updated 2025-08-28
CVE-2024-1753
CVSS v3.1: 8.6 (High)
Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Buildah versions prior to the fixed version
Podman versions prior to the fixed version
Description
A flaw was found in Buildah and Podman that allows containers to mount arbitrary locations on the host filesystem into build containers. A malicious Containerfile can use a dummy image containing a symbolic link to the host filesystem as a mount source, causing the mount operation to mount the host filesystem during a build-time RUN step. The commands inside the RUN step then have read-write access to the host filesystem, allowing a full container escape at build time. Users running containers with root privileges are affected: when SELinux is not enabled, the container gains read/write access to host system files; with SELinux enabled, some read access is still allowed.
Recommendations
To resolve the issue, apply the patch to Buildah, which will then be vendored into Podman. Ensure SELinux controls are in place to avoid compromising sensitive system files and systems: with "setenforce 0", the root filesystem is open to modification by this exploit; with "setenforce 1", files cannot be changed, but the contents of the / directory can still be displayed. As a temporary workaround, consider disabling the build function in Podman and Buildah until a patch is available, restrict access to the build command to minimize the risk of exploitation, and avoid using the --mount=type=bind option in build steps until the issue is resolved.
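The last workaround above (no --mount=type=bind in build steps) is only useful if something enforces it before a Containerfile reaches the builder. The linter below is an added example written for this advisory, not code from the Podman or Buildah projects: it joins backslash-continued instructions, skips comment lines, and reports every RUN step whose leading --mount flags resolve to a bind mount, treating a missing type= as bind (the Dockerfile/Containerfile default) and noting when the mount is sourced from another image or stage via from=. The sample Containerfile and its image names are constructed for the example.

```python
"""Flag build-time RUN steps that bind-mount into the build container.

Added example for the CVE-2024-1753 workaround; not Podman/Buildah code.
Run it over Containerfiles before `podman build` / `buildah bud` and fail the
pipeline when any finding is returned, until patched Buildah is deployed.
"""
import re
from dataclasses import dataclass

RUN_RE = re.compile(r"(?i)^run\b(.*)$")


@dataclass
class Finding:
    line: int     # 1-based line where the RUN instruction starts
    mount: str    # raw value of the --mount= flag
    reason: str   # why it was flagged


def logical_lines(text):
    """Yield (start_line, instruction) with backslash continuations joined.

    Comment lines and blank lines are skipped, including inside a continued
    instruction, which matches how the Containerfile parser treats them.
    """
    buf, start = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if start is None:
            start = no
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(part.strip() for part in buf)
        buf, start = [], None
    if buf:  # file ended on a continuation line
        yield start, " ".join(part.strip() for part in buf)


def parse_mount(value):
    """Parse 'type=bind,from=img,source=/x,target=/y' into a dict.

    Bare options such as 'readonly' map to an empty string.
    """
    opts = {}
    for item in value.split(","):
        key, _, val = item.partition("=")
        opts[key.strip().lower()] = val.strip()
    return opts


def lint(containerfile_text):
    """Return a Finding for every RUN step that uses a bind-type --mount."""
    findings = []
    for no, instr in logical_lines(containerfile_text):
        m = RUN_RE.match(instr)
        if not m:
            continue
        # Only flags that precede the command are RUN options; stop at the
        # first token that does not start with '--'.
        for tok in m.group(1).split():
            if not tok.startswith("--"):
                break
            if not tok.startswith("--mount="):
                continue
            raw = tok[len("--mount="):]
            opts = parse_mount(raw)
            if opts.get("type", "bind") != "bind":
                continue  # cache/tmpfs/secret/ssh mounts are not in scope
            reason = "bind mount in build-time RUN step"
            if "from" in opts:
                reason += " sourced from image/stage %r" % opts["from"]
            findings.append(Finding(no, raw, reason))
    return findings


# Constructed sample Containerfile (not taken from the advisory).
SAMPLE = """\
# constructed sample
FROM registry.example/base:latest
RUN --mount=type=cache,target=/var/cache/dnf \\
    dnf install -y gcc
RUN --mount=type=bind,from=helper,source=/data,target=/mnt/data \\
    cat /mnt/data/config
RUN --mount=target=/mnt/plain,source=/src,readonly ls /mnt/plain
RUN echo "plain step"
"""

if __name__ == "__main__":
    for f in lint(SAMPLE):
        print("line %d: %s (--mount=%s)" % (f.line, f.reason, f.mount))
```

On the sample this reports the RUN steps starting at lines 5 and 7 (the explicit type=bind sourced from the helper image, and the implicit bind with no type= at all) and leaves the cache mount and the plain RUN alone. The check is deliberately syntactic: it says nothing about whether a given from= image contains a symlink, so it belongs alongside patching and SELinux enforcement rather than in place of them.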
Link Following
Improper Privilege Management
Path traversal
Affected Products
Alt Linux
Almalinux
Buildah
Centos
Debian
Podman
Red Hat
Red Os
Rocky Linux
Suse