SB2024020229 - Multiple vulnerabilities in BuildKit
Published: February 2, 2024 Updated: December 19, 2024
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Security features bypass (CVE-ID: CVE-2024-21626)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to an internal file descriptor leak that can cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace or a malicious image to allow a container process to gain access to the host filesystem through runc run. A remote attacker can trick the victim into loading a malicious image to bypass sandbox restrictions and execute arbitrary code on the host OS.
2) Race condition (CVE-ID: CVE-2024-23651)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to a race condition. A remote attacker can exploit the race and cause the files from the host system being accessible to the build container.
3) Path traversal (CVE-ID: CVE-2024-23652)
The vulnerability allows a remote attacker to perform directory traversal attacks.
The vulnerability exists due to input validation error when processing directory traversal sequences within BuildKit frontend or Dockerfile using RUN --mount. A remote attacker can send a specially crafted HTTP request and read arbitrary files on the system.
4) Incorrect authorization (CVE-ID: CVE-2024-23653)
The vulnerability allows a remote attacker to bypass authorization checks.
The vulnerability exists due to interactive containers API does not validate entitlements check. A remote attacker can use these APIs to ask BuildKit to run a container with elevated privileges.
5) Improper Check for Unusual or Exceptional Conditions (CVE-ID: CVE-2024-23650)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper error handling. A remote attacker can send specially crafted data to the application and perform a denial of service (DoS) attack.
Remediation
Install update from vendor's website.
References
- https://github.com/moby/buildkit/releases/tag/v0.12.5
- https://github.com/moby/buildkit/security/advisories/GHSA-m3r6-h7wv-7xxv
- https://github.com/moby/buildkit/pull/4604
- https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8
- https://github.com/moby/buildkit/pull/4603
- https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
- https://github.com/moby/buildkit/pull/4602
- https://github.com/moby/buildkit/security/advisories/GHSA-9p26-698r-w4hx
- https://github.com/moby/buildkit/pull/4601