CVE-2015-5350 in Garden
Summary
by MITRE
In Garden versions 0.22.0-0.329.0, a vulnerability has been discovered in the garden-linux nstar executable that allows access to files on the host system. By staging an application on Cloud Foundry using Diego and Garden installations with a malicious custom buildpack an end user could read files on the host system that the BOSH-created vcap user has permissions to read and then package them into their app droplet.
Analysis
by VulDB Data Team • 01/14/2020
CVE-2015-5350 is a critical privilege escalation and information disclosure flaw in Garden, the containerization system used by Cloud Foundry's Diego architecture. It affects Garden versions 0.22.0 through 0.329.0, specifically the nstar executable, the component that handles file operations during containerized application staging. The attack vector runs through the buildpack mechanism of Cloud Foundry's deployment pipeline: a malicious custom buildpack can exploit weaknesses in the container isolation model. The nstar executable, which is responsible for creating and managing container file systems, contains a flaw that permits unauthorized access to files on the host system, giving a direct path to data exfiltration and system reconnaissance.
Technically, the vulnerability stems from inadequate path validation and access control in the garden-linux nstar executable. When users deploy applications through Diego with custom buildpacks, those buildpacks are processed inside containers that should remain strictly isolated from the underlying host. The flaw, however, lets an attacker manipulate file paths and access control lists so that files readable by the BOSH-created vcap user account can be read and incorporated into the application droplet. This is a fundamental breakdown of the container security boundary between containerized processes and host resources. The defect lies in how file operations are handled during the staging phase of deployment, where nstar fails to validate file access requests against the host system's permission model.
The operational impact of CVE-2015-5350 goes beyond simple information disclosure and opens a path to broader compromise of Cloud Foundry environments. An attacker can read sensitive configuration files, credential stores, and system information that the vcap user account is permitted to read, potentially exposing database credentials, API keys, and other confidential data. Because the files can be packaged into an application droplet, the attacker can harvest host data and then carry it inside what looks like a legitimate application container, which makes detection harder and enables persistent access. The issue is particularly serious for organizations running Diego, where many applications run in containers on the same underlying hosts, so a single malicious buildpack has an attack surface spanning multiple applications at once.
Affected organizations should upgrade immediately to a Garden version that addresses the vulnerability, typically one beyond 0.329.0, where nstar has been patched to validate file access operations properly and enforce strict isolation boundaries. Network segmentation and access control policies should be reviewed to limit the blast radius of a compromised buildpack, and monitoring should be extended to detect unusual file access patterns during application staging. The vulnerability aligns with CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-23 (Bad Path Traversal): the core issue is inadequate path validation that allows an attacker to cross file system boundaries. From an ATT&CK perspective it maps to T1059 (Command and Scripting Interpreter) and T1078 (Valid Accounts), since attackers use legitimate user accounts to execute malicious operations inside containers. Security teams should also consider buildpack whitelisting policies and container image scanning to prevent deployment of malicious buildpacks that could exploit this vulnerability.
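The path-validation failure described above and the CWE-22 mitigation are illustrated by the following added example, which is not Garden's code and not the actual nstar fix: it shows the kind of check a tar-extraction tool must apply to every archive entry before writing it under a container root. The root path, the entry names and the functions `insideRoot`, `CheckEntry`, `Rejected` and `SampleHeaders` are all hypothetical and constructed for this example.

```go
package main

import (
	"archive/tar"
	"fmt"
	"path/filepath"
	"strings"
)

// insideRoot reports whether the cleaned path p is root itself or lies below it.
func insideRoot(root, p string) bool {
	return p == root || strings.HasPrefix(p, root+string(filepath.Separator))
}
// CheckEntry rejects a header whose name, joined to root and cleaned, resolves
// outside root ("../x" and "a/../../x" both do), and a symlink whose target, resolved
// from the entry's own directory, leaves root. Lexical only: root itself must hold no symlinks.
func CheckEntry(root string, h tar.Header) error {
	root = filepath.Clean(root)
	dest := filepath.Join(root, h.Name) // Join cleans, so ".." collapses here
	if !insideRoot(root, dest) {
		return fmt.Errorf("entry %q escapes %s", h.Name, root)
	}
	if h.Typeflag == tar.TypeSymlink {
		target := filepath.Join(filepath.Dir(dest), h.Linkname)
		if filepath.IsAbs(h.Linkname) || !insideRoot(root, target) {
			return fmt.Errorf("symlink %q -> %q leaves %s", h.Name, h.Linkname, root)
		}
	}
	return nil
}
// Rejected returns the names of the headers CheckEntry refuses for root.
func Rejected(root string, hs []tar.Header) []string {
	var out []string
	for _, h := range hs {
		if CheckEntry(root, h) != nil {
			out = append(out, h.Name)
		}
	}
	return out
}
// SampleHeaders are constructed tar headers: a benign file, a ".." name, an
// absolute name (rebased under root, so accepted) and a symlink aiming above root.
func SampleHeaders() []tar.Header {
	return []tar.Header{
		{Name: "app/index.js", Typeflag: tar.TypeReg},
		{Name: "app/../../host-file", Typeflag: tar.TypeReg},
		{Name: "/etc/hostname", Typeflag: tar.TypeReg},
		{Name: "app/link", Typeflag: tar.TypeSymlink, Linkname: "../../host-dir"},
	}
}
```

Running `Rejected("/var/vcap/data/rootfs", SampleHeaders())` refuses the ".." entry and the escaping symlink while accepting the two others; a real extractor would additionally have to guard against symlinks created by earlier entries, which a purely lexical check cannot see.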