Host system modification in github.com/moby/buildkit

The core of this vulnerability lies in BuildKit's handling of mountpoints and the removal of empty files created during the build process. An attacker can craft a Dockerfile that leverages the RUN --mount instruction in a way that tricks BuildKit into believing a file outside the container's scope is an empty mountpoint. Consequently, BuildKit will attempt to delete this file from the host filesystem. This could allow an attacker to delete critical system files, configuration files, or other sensitive data, potentially leading to a complete system compromise. The blast radius extends to the entire host system, as any file accessible to the user running the Docker build is at risk. This vulnerability shares similarities with other container escape vulnerabilities where build processes are leveraged to interact with the host environment.

Organizations heavily reliant on Docker and BuildKit for their CI/CD pipelines are particularly at risk. This includes development teams using automated build processes, DevOps engineers managing container infrastructure, and anyone utilizing BuildKit for custom image building. Shared hosting environments where multiple users build Docker images on the same host are also at heightened risk, as a malicious Dockerfile from one user could potentially impact other users.

• go / buildkit: Monitor BuildKit logs for errors related to file deletion or mountpoint operations. Look for unusual patterns in the build process.

journalctl -u buildkitd -f | grep "delete file outside container" 

• generic web: Examine Docker build logs for suspicious RUN --mount commands.

grep "--mount" /var/log/docker.log

• linux / server: Auditd rules to monitor file deletion events, particularly within the Docker build context.

auditctl -w /path/to/docker/build/directory -p wa -k docker_build

1. 2024-02-12Disclosure

   disclosure

2. 2024-02-12Patch

   patch

1. Reserviert2024-01-19
2. Veröffentlicht2024-02-12
3. Geändert2026-02-04
4. EPSS aktualisiert2026-04-02

The primary mitigation for CVE-2024-23652 is to upgrade to BuildKit version 0.12.5 or later, which contains the fix for this issue. If upgrading immediately is not feasible, consider restricting the use of RUN --mount within Dockerfiles, especially in environments where untrusted Dockerfiles are built. Implement strict access controls on the host system to limit the potential impact of a successful attack. Monitor BuildKit logs for any unusual activity related to file deletion or mountpoint operations. While a WAF or proxy is unlikely to directly mitigate this, network segmentation can limit lateral movement if the host is compromised. After upgrading, verify the fix by attempting to build a Dockerfile containing a malicious RUN --mount instruction and confirming that no host files are deleted.