CVE Radar Logo
CVERadar
CVE Radar Logo
CVERadar

CVE-2024-23652

Critical Severity
Mobyproject
SVRS
79/100
CVSSv3
9.1/10
EPSS
0.04855/1

CVE-2024-23652 is a critical vulnerability in BuildKit that allows a malicious actor to delete files on the host system outside the container. This path traversal flaw arises from the improper handling of mountpoint cleanup in Dockerfiles, specifically when using RUN --mount. While the CVSS score is 9.1, the SOCRadar Vulnerability Risk Score (SVRS) of 79 indicates a near-critical risk, suggesting immediate attention is needed. Exploit code is readily available "In The Wild," increasing the urgency. Exploitation could lead to data loss or system compromise. Users should upgrade to BuildKit v0.12.5 or avoid using untrusted BuildKit frontends or Dockerfiles with the RUN --mount feature to mitigate this significant threat.

TAGS
In The Wild
Exploit Avaliable
VECTOR STRING
CVSS:3.1
AV:N
AC:L
PR:N
UI:N
S:U
C:N
I:H
A:H
PUBLICATION DATE2024-01-31
LAST MODIFIED2024-02-09
Eye Icon
SOCRadar
AI Insight

Description:

CVE-2024-23652 is a critical vulnerability in BuildKit, a toolkit for converting source code to build artifacts. It allows a malicious BuildKit frontend or Dockerfile using RUN --mount to trick the feature that removes empty files created for the mountpoints into removing a file outside the container, from the host system. This vulnerability has a CVSS score of 10, indicating its severe impact. The SVRS score of 36 highlights the urgency of addressing this threat, as it falls below the critical threshold of 80.

Key Insights:

  1. Host System Compromise: This vulnerability enables attackers to execute arbitrary code on the host system by exploiting the BuildKit frontend or Dockerfile. This could lead to complete system compromise, data theft, or disruption of critical services.

  2. Wide Attack Surface: BuildKit is widely used in container build environments, making this vulnerability highly impactful. Attackers can target various systems and applications that rely on BuildKit for building container images.

  3. Active Exploitation: There are reports of active exploitation of this vulnerability in the wild, indicating that attackers are actively targeting systems vulnerable to this attack.

  4. CISA Warning: The Cybersecurity and Infrastructure Security Agency (CISA) has issued a warning regarding this vulnerability, urging organizations to take immediate action to mitigate the risk.

Mitigation Strategies:

  1. Update BuildKit: Organizations should immediately update BuildKit to version 0.12.5 or later to address this vulnerability. This update includes a fix that prevents the exploitation of this issue.

  2. Review BuildKit Frontends and Dockerfiles: Review all BuildKit frontends and Dockerfiles used in your organization to ensure they are from trusted sources and do not contain malicious code.

  3. Implement Least Privilege: Enforce the principle of least privilege by restricting the permissions of users and processes to only what is necessary. This can help limit the impact of an attack if it occurs.

  4. Monitor and Detect Suspicious Activity: Implement robust monitoring and detection mechanisms to identify and respond to suspicious activities related to this vulnerability. This can help organizations detect and mitigate attacks promptly.

Additional Information:

If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

TitleSoftware LinkDate
nomi-sec/PoC-in-GitHubhttps://github.com/nomi-sec/PoC-in-GitHub2019-12-08
Enhance Your CVE Management with SOCRadar Vulnerability Intelligence
Get comprehensive CVE details, real-time notifications, and proactive threat management all in one platform.
CREATE FREE ACCOUNT
CVE Details
Access comprehensive CVE information instantly
Real-time Tracking
Subscribe to CVEs and get instant updates
Exploit Analysis
Monitor related APT groups and threats
IOC Tracking
Analyze and track CVE-related IOCs

News

No news found for this CVE

Social Media

This article discusses a critical vulnerability (CVE-2024-23652) in Docker Buildkit = v0.12.4, which allows arbitrary file deletion in the host OS Mitigation involves updating to Buildkit v0.12.5 or later ➜ https://t.co/vPymHweJxQ
0
0
1

Affected Software

Configuration 1
TypeVendorProduct
AppMobyprojectbuildkit

References

ReferenceLink
[email protected]https://github.com/moby/buildkit/pull/4603
[email protected]https://github.com/moby/buildkit/releases/tag/v0.12.5
[email protected]https://github.com/moby/buildkit/security/advisories/GHSA-4v98-7qmw-rqr8

CWE Details

CWE IDCWE NameDescription
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

CVE Radar

Real-time CVE Intelligence & Vulnerability Management Platform

CVE Radar provides comprehensive vulnerability intelligence by monitoring CVE databases, security advisories, and threat feeds. Get instant updates on new vulnerabilities, exploit details, and mitigation strategies specific to your assets.

Get Free Vulnerability Intelligence AccessAccess real-time CVE monitoring, exploit analysis, and threat intelligence