CVE Reports

Originally published at cvereports.com

CVE-2024-23653: Build-Time Container Escape in Moby BuildKit via GRPC API Authorization Bypass

Vulnerability ID: CVE-2024-23653
CVSS Score: 9.8
Published: 2024-01-31

Moby BuildKit versions prior to 0.12.5 contain a critical authorization bypass (CWE-863) in the interactive-container GRPC Gateway API. A maliciously crafted Dockerfile that selects a custom frontend can bypass the entitlement checks and launch a privileged container, which amounts to a build-time escape and root command execution on the host.

TL;DR

A missing authorization check in BuildKit's GRPC Gateway API allows malicious custom frontends to spawn highly privileged containers during the build process, enabling host root code execution.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-863 (Incorrect Authorization)
  • Attack Vector: Network
  • CVSS Score: 9.8
  • EPSS Score: 10.30%
  • Impact: Build-Time Container Escape / RCE
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Moby BuildKit
  • Docker Engine
  • Docker Desktop
  • Container CI/CD Pipelines
  • Moby BuildKit: < 0.12.5 (Fixed in: 0.12.5)

Code Analysis

Commit: 5026d95

Refactors BuildKit for privilege separation: worker execution is decoupled from the frontend gateway, restricting the gateway's access to internal worker operations.

Commit: 92cc595

Adds entitlement validation to the interactive API: introduces validateEntitlements in llbBridge so that Container.Start requests are checked against the build's granted entitlements before a container is launched.

Mitigation Strategies

  • Upgrade BuildKit to 0.12.5 or later.
  • Update integrated container tools (Docker Engine, Docker Desktop).
  • Restrict Dockerfiles in CI environments to trusted # syntax= frontends.
  • Deploy eBPF-based runtime monitoring to detect privileged container spawns via GRPC API.

Remediation Steps:

  1. Audit the environment for active instances of BuildKit prior to 0.12.5.
  2. Upgrade the BuildKit binaries or deploy vendor-patched versions of Docker.
  3. Restart the build daemon services to apply the updated binary logic.
  4. Configure static CI checks to block Dockerfiles that attempt to load a frontend not on an allow-list.
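A static CI check of the kind the last step describes, added here as an example (not code from cvereports.com or from the BuildKit project): it reads the leading parser-directive block the way BuildKit's Dockerfile parser does, then rejects any # syntax= frontend whose repository is not on a constructed allow-list. The internal registry name in the allow-list is a placeholder.

```python
import re
from typing import Optional

# BuildKit only honours parser directives at the very top of a Dockerfile:
# a blank line, an ordinary comment or an instruction ends the directive
# block, and any "# syntax=" line after that is just a comment. The checker
# mirrors that rule so it flags exactly the frontends the builder would load.
DIRECTIVE_RE = re.compile(r"^#\s*([A-Za-z]+)\s*=\s*(\S+)\s*$")
KNOWN_DIRECTIVES = {"syntax", "escape", "check"}

# Constructed allow-list of frontend repositories: the upstream Dockerfile
# frontend plus a hypothetical internal mirror (placeholder registry name).
ALLOWED_FRONTENDS = {
    "docker/dockerfile",
    "docker.io/docker/dockerfile",
    "registry.example.internal/build/dockerfile",
}


def find_syntax_directive(dockerfile: str) -> Optional[str]:
    """Return the frontend named by a leading '# syntax=' directive, or None."""
    for raw in dockerfile.splitlines():
        match = DIRECTIVE_RE.match(raw.strip())
        if not match or match.group(1).lower() not in KNOWN_DIRECTIVES:
            break  # first non-directive line ends the directive block
        if match.group(1).lower() == "syntax":
            return match.group(2)
    return None


def repository(ref: str) -> str:
    """Strip the tag or digest from an image reference, keeping the repository."""
    ref = ref.split("@", 1)[0]
    head, _, tail = ref.rpartition("/")  # a ':' in the tail is a tag, not a port
    name = tail.split(":", 1)[0]
    return head + "/" + name if head else name


def check_dockerfile(dockerfile: str, allowed=ALLOWED_FRONTENDS) -> tuple:
    """Return (ok, reason); ok is False for any frontend not on the allow-list."""
    frontend = find_syntax_directive(dockerfile)
    if frontend is None:
        return True, "no custom frontend requested"
    if repository(frontend).lower() in allowed:
        return True, "frontend %s is allow-listed" % frontend
    return False, "frontend %s is not on the allow-list" % frontend
```

A frontend can also be selected from the build invocation rather than the Dockerfile, so this check only covers what the Dockerfile itself declares.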

References

Read the full report for CVE-2024-23653 on our website for more details, including interactive diagrams and the full exploit analysis.