CVE-2020-2024 in Kata Containers

Summary

by MITRE

An improper link resolution vulnerability affects Kata Containers versions prior to 1.11.0. Upon container teardown, a malicious guest can trick the kata-runtime into unmounting any mount point on the host and all mount points underneath it, potentially resulting in a host DoS.


Analysis

by VulDB Data Team • 10/18/2020

This vulnerability is an improper link resolution flaw in Kata Containers runtime environments prior to version 1.11.0. The issue stems from kata-runtime operating on filesystem paths during container teardown without checking whether those paths have been replaced by symbolic links, so a guest that controls part of the container filesystem can redirect a path that the host-side runtime later acts on. The vulnerability is classified under CWE-61 (UNIX symbolic link following), the weakness class in which a privileged program follows a link it did not create and so operates on an attacker-chosen target. The flaw exists in the kata-runtime component responsible for container lifecycle management, specifically in the cleanup phase, when a container is destroyed and the mounts backing it are released on the host.

Exploitation proceeds as follows. While the container is running, a malicious guest process replaces a directory that kata-runtime will later unmount with a symbolic link pointing at an arbitrary host mount point, for example the host root filesystem. When teardown begins, kata-runtime, which runs with root privileges on the host, calls unmount on the expected path without first confirming that the path is still a plain directory. The kernel resolves the symlink, so the unmount is applied to the link's target rather than to the container's own mount, and, as the summary notes, every mount point beneath that target is removed along with it. This is a confused-deputy condition rather than a permission bypass: the runtime is entitled to unmount anything on the host, and the guest never acquires host privileges of its own. The defect is that a privileged host component trusts a path the guest can influence.

The operational impact is denial of service on the host rather than privilege escalation or host code execution. An attacker who controls a guest can cause the runtime to unmount host filesystems that other workloads, or the host itself, depend on; depending on which mount points are targeted, this ranges from broken applications to an unusable node, and on a production host where many sandboxes run side by side, a single compromised container can take down its neighbours. Although the guest does not escape into the host, a guest altering host mount state is a breach of the isolation boundary that Kata's VM-based sandboxing is meant to enforce, which is why this flaw matters beyond an ordinary availability bug.

Mitigation is to upgrade to Kata Containers version 1.11.0 or later, which adds symbolic link validation to the teardown path so that only the runtime's own container mount points are unmounted during cleanup. Until the upgrade is applied, treat every path the guest can influence as hostile: the host side must verify, with a non-following stat, that a path is still a regular directory immediately before acting on it, because access controls inside the guest cannot be relied on to stop a compromised guest from creating symlinks. Organizations should also monitor container teardown operations and host mount table changes, for example unexpected unmount events or mounts disappearing from outside a sandbox's own directories, to detect exploitation attempts. The broader lesson is that a privileged runtime must never resolve or operate on guest-controlled paths without validating them first.
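The flawed teardown pattern described in the exploitation paragraph, beside the symlink check the mitigation paragraph calls for, as an added example in Go (the language kata-runtime is written in). This is illustrative code written for this page, not Kata's own source, and it assumes a layout of `<sharedDir>/<containerID>/rootfs` and a detaching unmount (MNT_DETACH); the unmount call is injected so the example runs without root and simply reports which path the kernel would act on.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// rootfsDir is the directory name assumed for a container's rootfs under the
// sandbox shared directory (an assumption of this example, not Kata's layout).
const rootfsDir = "rootfs"

// mntDetach is MNT_DETACH from <sys/mount.h> on Linux. Kept as a plain constant
// so the example builds everywhere; production code would pass it to syscall.Unmount.
const mntDetach = 0x2

// unmountFunc abstracts the unmount system call so the example runs without root.
type unmountFunc func(target string, flags int) error

// ErrSymlinkInPath is returned when a path component below the trusted base has
// been replaced by a symbolic link.
var ErrSymlinkInPath = errors.New("refusing to unmount: path component is a symlink")

// verifyNoSymlinks inspects every component of target that lies below base with
// Lstat, so the link itself is examined rather than what it points to. The
// components of base are trusted because the runtime, not the guest, created them.
func verifyNoSymlinks(base, target string) error {
	sep := string(filepath.Separator)
	rel, err := filepath.Rel(base, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+sep) {
		return fmt.Errorf("target %q is not strictly below %q", target, base)
	}
	cur := base
	for _, comp := range strings.Split(rel, sep) {
		cur = filepath.Join(cur, comp)
		fi, err := os.Lstat(cur)
		if err != nil {
			return err
		}
		if fi.Mode()&os.ModeSymlink != 0 {
			return fmt.Errorf("%w: %s", ErrSymlinkInPath, cur)
		}
	}
	return nil
}

// vulnerableTeardown shows the flawed pattern: it unmounts a path the guest can
// tamper with. If rootfs is now a symlink to "/", the kernel resolves it and a
// detaching unmount of "/" takes every mount beneath it with it.
func vulnerableTeardown(sharedDir, cID string, unmount unmountFunc) error {
	return unmount(filepath.Join(sharedDir, cID, rootfsDir), mntDetach)
}

// hardenedTeardown refuses to unmount when any component under sharedDir has
// been replaced by a symlink.
func hardenedTeardown(sharedDir, cID string, unmount unmountFunc) error {
	target := filepath.Join(sharedDir, cID, rootfsDir)
	if err := verifyNoSymlinks(sharedDir, target); err != nil {
		return err
	}
	return unmount(target, mntDetach)
}

// resolveTarget reports the path the kernel would actually operate on for a
// given unmount target, which makes the damage visible without needing root.
func resolveTarget(target string) string {
	resolved, err := filepath.EvalSymlinks(target)
	if err != nil {
		return "<unresolvable: " + err.Error() + ">"
	}
	return resolved
}

func main() {
	shared, err := os.MkdirTemp("", "kata-shared-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(shared)
	const cID = "container-a" // constructed container ID
	if err := os.MkdirAll(filepath.Join(shared, cID), 0o755); err != nil {
		panic(err)
	}
	// Constructed attack state: the guest has replaced its rootfs directory
	// with a symlink to the host root filesystem.
	if err := os.Symlink("/", filepath.Join(shared, cID, rootfsDir)); err != nil {
		panic(err)
	}
	// Fake unmount that only reports what the real system call would have done.
	report := func(target string, flags int) error {
		fmt.Printf("unmount(%q, %#x) -> kernel acts on %q\n", target, flags, resolveTarget(target))
		return nil
	}
	_ = vulnerableTeardown(shared, cID, report) // reports that "/" would be unmounted
	if err := hardenedTeardown(shared, cID, report); err != nil {
		fmt.Println("hardened teardown:", err) // refuses, unmount never called
	}
}
```

One caveat a practitioner should keep in mind: a check-then-unmount sequence is only sound if the guest can no longer modify the shared directory between the Lstat and the unmount, for instance because the VM has already been stopped when cleanup runs. Where that ordering cannot be guaranteed, resolve the path component by component with non-following opens (openat with O_NOFOLLOW) and act on the resulting descriptor instead of on a string path.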
