Bug 2413190 (CVE-2024-25621)

Summary: CVE-2024-25621 github.com/containerd/containerd: containerd local privilege escalation
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW ---
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC:
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A local privilege escalation vulnerability has been discovered in containerd. This vulnerability is the result of an overly broad default permission which allows local users on the host to potentially access the metadata store, the content store and the contents of Kubernetes local volumes. The contents of volumes might include setuid binaries, which could allow a local user on the host to elevate privileges on the host.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks:

Description OSIDB Bzimport 2025-11-06 19:01:43 UTC
containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include having a system administrator manually chmod the directories on the host so that they are not group- or world-accessible, or running containerd in rootless mode.
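An added example, not from the bug report or from containerd, that checks the three directories named above for the group/world permission bits the workaround tells administrators to remove; it assumes a Linux host with GNU coreutils `stat`:

```shell
#!/bin/sh
# Added example (not from the bug report or containerd): audit the directories
# named in CVE-2024-25621 for group/world permission bits. Assumes a Linux host
# with GNU coreutils `stat`.
CONTAINERD_DIRS="/var/lib/containerd \
/run/containerd/io.containerd.grpc.v1.cri \
/run/containerd/io.containerd.sandbox.controller.v1.shim"

# mode_of DIR: print the octal mode (e.g. 755), or nothing if DIR is absent.
mode_of() {
    if [ -e "$1" ]; then stat -c '%a' "$1"; fi
}

# classify DIR: print "missing", "ok" (owner-only access) or "exposed"
# (any read/write/execute bit set for group or other).
classify() {
    mode=$(mode_of "$1")
    if [ -z "$mode" ]; then
        echo missing
    elif [ $(( 0$mode & 077 )) -eq 0 ]; then   # 077 masks the group and other bits
        echo ok
    else
        echo exposed
    fi
}

# audit_dirs DIR...: print one line per directory; return the number exposed.
audit_dirs() {
    exposed=0
    for d in "$@"; do
        state=$(classify "$d")
        mode=$(mode_of "$d")
        case "$state" in
            missing) echo "MISSING  $d" ;;
            ok)      echo "OK       $d (mode $mode)" ;;
            exposed) echo "EXPOSED  $d (mode $mode): group/other bits set"
                     exposed=$((exposed + 1)) ;;
        esac
    done
    return "$exposed"
}

# Run as `sh audit_containerd_dirs.sh --audit` to check this host; sourcing the
# file only defines the functions.
if [ "${1:-}" = "--audit" ]; then
    audit_dirs $CONTAINERD_DIRS
fi
```

A non-zero exit status from `audit_dirs` is the count of directories still needing the chmod from the workaround, which makes it easy to wire into a configuration check.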