Platform
go
Component
github.com/moby/buildkit
Fixed in
0.12.6
0.12.5
CVE-2024-23652 is a critical vulnerability affecting BuildKit, the build engine for Docker. A malicious frontend or Dockerfile utilizing the RUN --mount instruction can exploit a flaw in the empty file removal feature, leading to unintended deletion of files on the host system. This vulnerability impacts versions of BuildKit prior to 0.12.5 and requires immediate attention to prevent potential host compromise. A fix has been released in version 0.12.5.
The core of this vulnerability lies in BuildKit's handling of mountpoints and the removal of empty files created during the build process. An attacker can craft a Dockerfile that leverages the RUN --mount instruction in a way that tricks BuildKit into believing a file outside the container's scope is an empty mountpoint. Consequently, BuildKit will attempt to delete this file from the host filesystem. This could allow an attacker to delete critical system files, configuration files, or other sensitive data, potentially leading to a complete system compromise. The blast radius extends to the entire host system, as any file accessible to the user running the Docker build is at risk. This vulnerability shares similarities with other container escape vulnerabilities where build processes are leveraged to interact with the host environment.
CVE-2024-23652 was publicly disclosed on February 12, 2024. It is not currently listed on the CISA KEV catalog, and the EPSS score is pending evaluation. While no public proof-of-concept (PoC) exploits have been widely released, the vulnerability's critical severity and potential for host compromise suggest a high likelihood of exploitation if a PoC is developed. Active campaigns targeting this vulnerability are not currently confirmed, but the ease of exploitation once a PoC is available warrants close monitoring.
Exploit Status
EPSS
5.70% (90th percentile)
CVSS Vector
The primary mitigation for CVE-2024-23652 is to upgrade to BuildKit version 0.12.5 or later, which contains the fix for this issue. If upgrading immediately is not feasible, consider restricting the use of RUN --mount within Dockerfiles, especially in environments where untrusted Dockerfiles are built. Implement strict access controls on the host system to limit the potential impact of a successful attack. Monitor BuildKit logs for any unusual activity related to file deletion or mountpoint operations. While a WAF or proxy is unlikely to directly mitigate this, network segmentation can limit lateral movement if the host is compromised. After upgrading, verify the fix by attempting to build a Dockerfile containing a malicious RUN --mount instruction and confirming that no host files are deleted.
Update BuildKit to version 0.12.5 or higher. Avoid using BuildKit frontends from untrusted sources or building untrusted Dockerfiles that contain the RUN --mount feature. This mitigates the risk of unauthorized access to the host system.
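One way to enforce the "restrict RUN --mount" interim control above in CI, as an added example that is not BuildKit's own code: a Go check that reports each RUN instruction using --mount so the Dockerfile can be reviewed or rejected before an un-upgraded BuildKit builds it. It joins backslash-continued lines so a flag placed on a later line is still caught; the RunMount type, FindRunMounts function and sample Dockerfile are constructed for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// RunMount records one RUN instruction that uses --mount, the feature the advisory advises restricting.
type RunMount struct {
	Line int    // 1-based line on which the RUN instruction starts
	Spec string // the --mount value, e.g. "type=bind,source=.,target=/src"
}

// mountRe matches a RUN instruction whose leading flags include --mount and captures its value
// (the last one if several are given). Flags precede the command, and comment lines never match.
var mountRe = regexp.MustCompile(`(?i)^\s*RUN\s+(?:--\S+\s+)*--mount(?:=(\S*))?`)

// FindRunMounts scans Dockerfile text for RUN --mount instructions, joining backslash
// continuations first so a --mount flag on a later physical line is still caught.
func FindRunMounts(dockerfile string) []RunMount {
	var hits []RunMount
	var joined strings.Builder
	start := 0
	for i, raw := range strings.Split(dockerfile, "\n") {
		text := strings.TrimRight(raw, " \t\r")
		if joined.Len() == 0 {
			start = i + 1 // first physical line of the logical instruction
		}
		if strings.HasSuffix(text, "\\") {
			joined.WriteString(strings.TrimSuffix(text, "\\") + " ")
			continue
		}
		joined.WriteString(text)
		if m := mountRe.FindStringSubmatch(joined.String()); m != nil {
			hits = append(hits, RunMount{Line: start, Spec: m[1]})
		}
		joined.Reset()
	}
	return hits
}

func main() {
	// Constructed sample Dockerfile, not taken from the advisory.
	sample := "FROM alpine\nRUN \\\n  --mount=type=bind,source=.,target=/src cat /src/x\n# RUN --mount\nRUN echo ok\n"
	for _, h := range FindRunMounts(sample) {
		fmt.Printf("line %d: RUN --mount=%s\n", h.Line, h.Spec)
	}
}
```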
CVE-2024-23652 is a critical vulnerability in BuildKit that allows malicious Dockerfiles to delete files on the host system through the RUN --mount instruction, impacting versions before 0.12.5.
You are affected if you are using BuildKit versions prior to 0.12.5 and are building Docker images, especially with untrusted Dockerfiles or in shared environments.
Upgrade to BuildKit version 0.12.5 or later to mitigate the vulnerability. Consider restricting the use of RUN --mount if immediate upgrade is not possible.
While no active campaigns are confirmed, the vulnerability's severity and potential for host compromise suggest a high risk of exploitation if a PoC is developed.
Refer to the official BuildKit security advisory for detailed information and updates: https://github.com/moby/buildkit/security/advisories/GHSA-799w-5594-349x