Описание
youki container escape via "masked path" abuse due to mount race conditions
Impact
youki utilizes bind mounting the container's /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to ensure that the /dev/null path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.
As a result, by replacing /dev/null with a symbolic link, we can bind-mount arbitrary files from the host system.
This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
Credits
Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc's vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3's initial findings.
Also, @cyphar helped youki in finding the problem.
Пакеты
youki
< 0.5.7
0.5.7
EPSS
7.3 High
CVSS4
10 Critical
CVSS3
CVE ID
Дефекты
Связанные уязвимости
Youki is a container runtime written in Rust. In versions 0.5.6 and below, the initial validation of the source /dev/null is insufficient, allowing container escape when youki utilizes bind mounting the container's /dev/null as a file mask. This issue is fixed in version 0.5.7.
EPSS
7.3 High
CVSS4
10 Critical
CVSS3