CVE-2024-24579 in stereoscope
Summary
by MITRE • 01/31/2024
stereoscope is a go library for processing container images and simulating a squash filesystem. Prior to version 0.0.1, it is possible to craft an OCI tar archive that, when stereoscope attempts to unarchive the contents, will result in writing to paths outside of the unarchive temporary directory. Specifically, use of `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct, or the higher level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function express this vulnerability. As a workaround, if you are using the OCI archive as input into stereoscope then you can switch to using an OCI layout by unarchiving the tar archive and provide the unarchived directory to stereoscope.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 02/22/2024
The vulnerability identified as CVE-2024-24579 affects the stereoscope go library, which is designed for processing container images and simulating squash filesystems. This library serves as a critical component in container image analysis and manipulation, making it a potential target for attackers seeking to exploit container image processing workflows. The flaw exists in versions prior to 0.0.1 and stems from improper handling of archive extraction operations, specifically within the library's tar archive processing functions. The vulnerability manifests when an attacker crafts a malicious OCI tar archive that can manipulate the extraction process to write files outside of the designated temporary directory, effectively bypassing intended security boundaries.
The technical implementation of this vulnerability lies within the `github.com/anchore/stereoscope/pkg/file.UntarToDirectory()` function, which processes tar archives without adequate validation of file paths contained within the archive. When the `github.com/anchore/stereoscope/pkg/image/oci.TarballImageProvider` struct or the higher-level `github.com/anchore/stereoscope/pkg/image.Image.Read()` function processes these archives, they inherit the insecure path handling behavior. This represents a classic path traversal vulnerability where symbolic links and absolute paths within tar archives are not properly sanitized before file creation operations. The vulnerability aligns with CWE-22 Path Traversal and can be categorized under ATT&CK technique T1059.007 Command and Scripting Interpreter: Unix Shell, as it enables arbitrary file system manipulation through the processing of container images. The flaw essentially allows an attacker to write files to arbitrary locations on the filesystem where the stereoscope library executes, potentially leading to privilege escalation or system compromise.
The operational impact of this vulnerability extends beyond simple file system manipulation, as it can be exploited in container image analysis workflows where stereoscope is used to process untrusted container images. Attackers could potentially overwrite critical system files, inject malicious code into the container image processing pipeline, or create backdoors within the system. The vulnerability is particularly concerning in automated security scanning environments where container images are processed without proper input validation. When used in security tools or CI/CD pipelines, this flaw could enable attackers to compromise the entire scanning infrastructure. The impact is amplified because stereoscope is commonly used in security contexts where it processes potentially malicious container images, making it a prime target for supply chain attacks or privilege escalation attempts. The vulnerability can be exploited in both local and remote scenarios where untrusted container images are processed through stereoscope's image reading functions.
The recommended mitigation strategy involves upgrading to version 0.0.1 or later where the path traversal vulnerability has been addressed through proper input validation and sanitization of file paths within tar archives. The workaround suggested in the advisory involves converting the problematic OCI tar archive into an OCI layout by manually unarchiving the tar file and providing the unarchived directory to stereoscope, which effectively bypasses the vulnerable code path. Organizations should implement proper input validation for all container image processing workflows and consider using container image scanning tools that have been updated to address this vulnerability. Security teams should also monitor for potential exploitation attempts in their container image processing pipelines and ensure that all container image analysis tools are kept up to date with the latest security patches. The fix addresses the core issue by implementing proper path validation and ensuring that all extracted files are confined to the intended temporary directory, preventing the escape mechanism that previously allowed arbitrary file system writes.