Headline
GHSA-4g74-7cff-xcv8: youki container escape via "masked path" abuse due to mount race conditions
Impact
youki utilizes bind mounting the container’s /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to ensure that the /dev/null path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.
As a result, by replacing /dev/null with a symbolic link, we can bind-mount arbitrary files from the host system.
This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems. https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2
Credits
Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc’s vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3’s initial findings.
Also, @cyphar helped youki in finding the problem.
Impact
youki utilizes bind mounting the container’s /dev/null as a file mask. When performing this operation, the initial validation of the source /dev/null was insufficient. Specifically, we initially failed to verify whether /dev/null was genuinely present. However, we did perform validation to ensure that the /dev/null path existed within the container, including checking for symbolic links. Additionally, there was a vulnerability in the timing between validation and the actual mount operation.
As a result, by replacing /dev/null with a symbolic link, we can bind-mount arbitrary files from the host system.
This is a different project, but the core logic is similar to the CVE in runc. Issues were identified in runc, and verification was also conducted in youki to confirm the problems.
GHSA-9493-h29p-rfm2
Credits
Thanks to Lei Wang (@ssst0n3 from Huawei) for finding and reporting the original runc’s vulnerability (Attack 1), and Li Fubang (@lifubang from acmcoder.com, CIIC) for discovering another attack vector in runc (Attack 2) based on @ssst0n3’s initial findings.
Also, @cyphar helped youki in finding the problem.
References
- GHSA-9493-h29p-rfm2
- GHSA-4g74-7cff-xcv8
- youki-dev/youki@5886c91