Podman Buildah Vulnerability - 20240408004
Overview
A flaw has been found in Buildah (and consequently in Podman build, which uses it) that allows a build container to mount arbitrary locations on the host filesystem into the build container. When that mount is combined with malicious commands in the build, the commands gain read-write access to the host filesystem, allowing full container escape at build time.
What is vulnerable?
CVE | Severity | CVSS | Product(s) Affected | Summary | Dated |
---|---|---|---|---|---|
CVE-2024-1753 | High | 8.6 | Podman versions: v4.0->v4.9.3, and v5.0; Buildah versions: 1.35.0 through and including v1.24.0 | A malicious Containerfile can use a dummy image with a symbolic link to the root filesystem as a mount source and cause the mount operation to mount the host root filesystem inside the RUN step. The commands inside the RUN step will then have read-write access to the host filesystem, allowing for full container escape at build time. | 04/02/2024 |
Recommendation
The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within the expected timeframe of one month (refer to Patch Management):
- It is recommended to update Podman or Buildah to the latest available version, or to one of the patched versions below:
  - Buildah version: 1.35.1, 1.34.3, 1.33.7, 1.32.3, 1.31.5, 1.29.3, 1.27.4 or 1.24.7
  - Podman version: v4.9.4 or v5.0.1
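As an added example (not from the advisory or from the Podman/Buildah projects), a POSIX shell check that reads the installed Buildah and Podman versions and compares them with the patched releases and affected ranges listed above. It assumes the affected ranges in the table are inclusive and that both tools print their version as "<tool> version X.Y.Z".

```shell
# Added example (not vendor code): rate installed Buildah/Podman versions against the releases this advisory lists for CVE-2024-1753.
set -eu
BUILDAH_FIXED="1.35.1 1.34.3 1.33.7 1.32.3 1.31.5 1.29.3 1.27.4 1.24.7"
PODMAN_FIXED="4.9.4 5.0.1"
BUILDAH_AFFECTED="1.24.0 1.35.0"   # inclusive range, as read from the table
PODMAN_AFFECTED="4.0 4.9.3"        # v5.0 is handled via the 5.0.1 fixed release

# version_ge A B: true when dotted numeric version A >= B (no dependency on sort -V).
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}
# cve_2024_1753_status COMPONENT VERSION -> prints patched | vulnerable | unknown
# patched:    at or above the fixed release of the same MAJOR.MINOR branch
# vulnerable: below that fixed release, or inside the affected range with no fixed
#             release for its branch (e.g. buildah 1.30.x): upgrade to the latest
cve_2024_1753_status() {
    comp=$1 ver=${2#v}; ver=${ver%%-*}    # drop a "v" prefix and "-dev" style suffix
    case $comp in
        buildah) fixed=$BUILDAH_FIXED affected=$BUILDAH_AFFECTED ;;
        podman)  fixed=$PODMAN_FIXED  affected=$PODMAN_AFFECTED ;;
        *) echo unknown; return 0 ;;
    esac
    branch=${ver%.*}                       # 4.9.3 -> 4.9
    for f in $fixed; do
        if [ "${f%.*}" = "$branch" ]; then
            if version_ge "$ver" "$f"; then echo patched; else echo vulnerable; fi
            return 0
        fi
    done
    set -- $affected                       # lo hi
    if version_ge "$ver" "$1" && version_ge "$2" "$ver"; then echo vulnerable; else echo unknown; fi
}
# Report on whatever is installed; both tools print "<tool> version X.Y.Z ...".
check_installed() {
    for tool in buildah podman; do
        command -v "$tool" >/dev/null 2>&1 || continue
        v=$("$tool" --version | awk '{print $3}')
        echo "$tool $v: $(cve_2024_1753_status "$tool" "$v")"
    done
}
check_installed
```

A branch with no listed fixed release is reported as vulnerable when it falls inside the table's affected range, so hosts on such branches should move to the latest release rather than wait for a backport.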
Additional References
- CVE-2024-1753 container escape at build time - Advisory - containers/podman (github.com)
- CVE-2024-1753 container escape at build time - Advisory - containers/buildah (github.com)
- NVD - CVE-2024-1753 (nist.gov)
- (CVE-2024-1753) CVE-2024-1753 buildah: full container escape at build time (redhat.com)
- CVE-2024-1753 - Red Hat Customer Portal