Bug 2262226 (CVE-2024-23653)

Summary: CVE-2024-23653 moby/buildkit: Buildkit's interactive containers API does not validate entitlements check
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: adudiak, bdettelb, brking, crizzo, dfreiber, dhanak, doconnor, drow, dsimansk, epacific, gkamathe, haoli, hkataria, jajackso, jburrell, jcammara, jhardy, jmitchel, jneedle, jobarker, jwendell, kegrant, kingland, koliveir, kshier, kverlaen, luizcosta, mabashia, matzew, mnovotny, nweather, omaciel, owatkins, pbraun, pierdipi, rcernich, rguimara, rhuss, sausingh, sdawley, shvarugh, simaishi, smcdonal, stcannon, teagle, tfister, thavo, tkral, twalsh, vkumar, yguenane, zmiele, zsadeh
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: buildkit 0.12.5 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the Moby Builder Toolkit, specifically in the Interactive Containers API, where entitlement checks are not adequately validated, caused by a missing privilege check in a GRPC endpoint when called using a custom syntax format. This flaw allows the currently running privileged container to leverage its elevated privileges, such as full Linux capabilities, to break out of the container and achieve complete host root command execution. This issue may lead to container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (for example, when using FROM).
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2333131, 2333130    
Bug Blocks: 2258742    

Description TEJ RATHI 2024-02-01 09:56:46 UTC 
Docker Buildkit <= v0.12.4, as used by the Docker engine. The exploitation of this issue can result in container escape to the underlying host OS when building an image using a malicious Dockerfile or upstream image (i.e, when using FROM).

https://snyk.io/blog/cve-2024-23653-buildkit-grpc-securitymode-privilege-check/
https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
https://github.com/moby/buildkit/pull/4602