← back
CVE-2024-23653

BuildKit interactive containers API does not validate entitlements check

CVSS 9.8 CRITICALEPSS 3.0%CWE-863
In short

BuildKit's interactive containers API failed to properly check permissions, allowing attackers to run privileged containers without proper authorization. This is a critical flaw because it bypasses security controls that are meant to prevent unauthorized access to elevated privileges.

Technical detail

CVE-2024-23653 involves insufficient entitlements validation in BuildKit's interactive container APIs (CWE-863), permitting attackers to execute containers with elevated privileges despite the security.insecure entitlement being disabled at both buildkitd configuration and build request levels. The attack vector requires network access to a BuildKit instance and exploitation could grant complete system compromise. The fix is available in v0.12.5.

Summary generated and translated by AI from the official description.
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if special `security.insecure` entitlement is enabled both by buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5 . Avoid using BuildKit frontends from untrusted sources.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
moby · buildkit
public PoCs found1
githubgithub.com/666asd/CVE-2024-236534
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://github.com/moby/buildkit/pull/4602https://github.com/moby/buildkit/releases/tag/v0.12.5https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g