Bug 2302259 (CVE-2024-7387)

Summary: CVE-2024-7387 openshift/builder: Path traversal allows command injection in privileged BuildContainer using docker build strategy
Product: [Other] Security Response
Reporter: Michal Findra <mfindra>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: asdas, bmontgom, dpaolell, eparis, jburrell, jdelft, jupierce, lgarciaa, mbiarnes, nstielau, rgertzbe, rpattath, rsidhart, security-response-team, sidsharm, sponnaga, talessio, vlaad, ximhan, yuxzhu, zmiele
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in openshift/builder. This vulnerability allows command injection via path traversal, where a malicious user can execute arbitrary commands on the OpenShift node running the builder container. When using the “Docker” strategy, executable files inside the privileged build container can be overridden using the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. An attacker running code in a privileged container could escalate their permissions on the node running the container.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Deadline: 2024-09-16

Description Michal Findra 2024-08-01 15:25:12 UTC
`OpenShift` allows a user to create his own images with the help of the build component. This component has three primary build strategies available ([Docu - Understanding image builds](https://docs.openshift.com/container-platform/4.16/cicd/builds/understanding-image-builds.html)):

* Docker build
* Source-to-Image (S2I) build
* Custom build

As the builds are running in a privileged container, a vulnerability in this process allows an attacker to escalate their permissions on the cluster and host nodes.

The `custom build` is not safe, because it can execute any code within a privileged container, and it is disabled by default.
The other two strategies are considered safe and are enabled for all users that can create builds.

But there is a note about the `docker strategy`:

> Grant docker build permissions with caution, because a vulnerability in the Dockerfile processing logic could result in privileges being granted on the host node.

See: https://docs.openshift.com/container-platform/4.16/cicd/builds/securing-builds-by-strategy.html


The `docker strategy` / the image used during the build has a vulnerability, which allows an attacker to override files inside the privileged build container with the help of the `spec.source.secrets.secret.destinationDir` attribute of the `BuildConfig` definition. After overriding the binary, execution of this overridden file can be triggered with another secret and the malicious code is executed in the privileged container.

As stated above, running code in a privileged container allows an attacker to escalate their permissions on the cluster and host nodes. As an example, the host filesystem of the worker node can be mounted and a new `SSH` key can be added to user `core` of the `Red Hat Enterprise Linux CoreOS (RHCOS)`.
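
An illustrative validation check for the `destinationDir` attribute described above, added here as an example; it is not code from openshift/builder or from the shipped fix. It assumes a constructed `secretBuildSource` type standing in for the BuildConfig secret fields and rejects values that are absolute or that climb out of the build working directory, which is the kind of check a policy or admission layer can apply before a build is accepted:

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// secretBuildSource mirrors the BuildConfig fields involved (a constructed stand-in, not the openshift/api type).
type secretBuildSource struct {
	SecretName     string
	DestinationDir string
}

// validateDestinationDir rejects a destinationDir that is absolute or that, once
// cleaned, climbs above the build working directory. Empty means the working
// directory itself. Symlinks already under the working directory are not resolved.
func validateDestinationDir(destinationDir string) error {
	if destinationDir == "" {
		return nil
	}
	if filepath.IsAbs(destinationDir) {
		return fmt.Errorf("destinationDir %q must be relative", destinationDir)
	}
	// Clean collapses "a/../.." so a leading ".." is the only remaining escape.
	cleaned := filepath.Clean(destinationDir)
	if cleaned == ".." || strings.HasPrefix(cleaned, "../") {
		return fmt.Errorf("destinationDir %q escapes the working directory", destinationDir)
	}
	return nil
}

// rejectedSecrets returns the names of secrets whose destinationDir fails validation.
func rejectedSecrets(secrets []secretBuildSource) []string {
	var bad []string
	for _, s := range secrets {
		if err := validateDestinationDir(s.DestinationDir); err != nil {
			bad = append(bad, s.SecretName)
		}
	}
	return bad
}

func main() {
	// Constructed sample: one benign entry and two traversal attempts.
	fmt.Println("rejected:", rejectedSecrets([]secretBuildSource{{"registry-creds", "creds"}, {"bad-relative", "../../usr/bin"}, {"bad-absolute", "/bin"}}))
}
```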

Comment 1 errata-xmlrpc 2024-09-19 00:12:38 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:6691 https://access.redhat.com/errata/RHSA-2024:6691

Comment 2 errata-xmlrpc 2024-09-19 05:30:44 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:6689 https://access.redhat.com/errata/RHSA-2024:6689

Comment 3 errata-xmlrpc 2024-09-19 05:39:00 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.16

Via RHSA-2024:6687 https://access.redhat.com/errata/RHSA-2024:6687

Comment 4 errata-xmlrpc 2024-09-19 09:30:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2024:6685 https://access.redhat.com/errata/RHSA-2024:6685

Comment 5 errata-xmlrpc 2024-09-19 13:25:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:6705 https://access.redhat.com/errata/RHSA-2024:6705