Zot's Dedupe Deception: How a Cache Feature Became an Authorization Bypass
Vulnerability ID: CVE-2024-39897
CVSS Score: 4.3
Published: 2024-07-09
Zot, an OCI image registry, contains a critical authorization bypass vulnerability in its blob deduplication feature. Prior to version 2.1.0, an authenticated attacker with access to a single repository could read any blob from any other repository on the same instance, provided they knew the blob's digest. The flaw stemmed from the global cache, which would happily serve up blobs without verifying if the user was authorized to access the blob's original source repository, effectively turning a storage optimization feature into a data exfiltration vector.
TL;DR
Zot's deduplication feature, enabled by default, allowed authenticated users to steal container image layers from private repositories. By requesting a known blob digest in a repository they did have access to, they could trick Zot into copying the restricted blob from a global cache, bypassing all access control policies.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-639
- CWE Name: Authorization Bypass Through User-Controlled Key
- Attack Vector: Network
- Privileges Required: Low (Authenticated User)
- CVSS 3.1 Score: 4.3 (Medium)
- Impact: Low Confidentiality (Information Disclosure)
- Exploit Status: Proof-of-Concept
- KEV Status: Not Listed
Affected Systems
- Zot OCI Image Registry
- zot: < 2.1.0 (Fixed in: 2.1.0)
Code Analysis
Commit: aaee022
fix: apply authorization on dedupe's cache check
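As an added illustration (not Zot's code and not the commit's diff), the following hypothetical Go model shows the bug class the commit message describes: a global dedupe-cache lookup keyed only by the user-controlled digest (CWE-639), beside a version that filters cached copies by the requester's repository permissions. The ACL, cache contents, digest and function names are constructed for this example.

```go
package main

import (
	"errors"
	"fmt"
)

// ACL maps a user to the repositories that user may read (constructed sample data).
type ACL map[string]map[string]bool

// DedupeCache maps a blob digest to the repositories holding a copy of that blob.
type DedupeCache map[string][]string

func (a ACL) CanRead(user, repo string) bool { return a[user][repo] }

var errDenied = errors.New("read access to repository denied")

// vulnerableCheckBlob models the pre-fix behaviour: once the caller may read
// `repo`, the blob is looked up in the global cache by digest alone, so a copy
// living in a repository the caller cannot read is still reported (and served).
func vulnerableCheckBlob(cache DedupeCache, acl ACL, user, repo, digest string) (bool, string, error) {
	if !acl.CanRead(user, repo) {
		return false, "", errDenied
	}
	origins := cache[digest]
	if len(origins) == 0 {
		return false, "", nil
	}
	return true, origins[0], nil // origin repository is never checked against the ACL
}

// fixedCheckBlob models the post-fix behaviour: only cached copies that live in
// a repository the caller is authorized to read can satisfy the lookup.
func fixedCheckBlob(cache DedupeCache, acl ACL, user, repo, digest string) (bool, string, error) {
	if !acl.CanRead(user, repo) {
		return false, "", errDenied
	}
	for _, origin := range cache[digest] {
		if acl.CanRead(user, origin) {
			return true, origin, nil
		}
	}
	return false, "", nil // unknown to this user: no cross-repository leak
}

func main() {
	acl := ACL{"alice": {"public/app": true}}
	cache := DedupeCache{"sha256:constructed-digest": {"private/secrets"}}
	found, from, _ := vulnerableCheckBlob(cache, acl, "alice", "public/app", "sha256:constructed-digest")
	fmt.Printf("before fix: found=%v from=%q\n", found, from) // found=true from="private/secrets"
	found, from, _ = fixedCheckBlob(cache, acl, "alice", "public/app", "sha256:constructed-digest")
	fmt.Printf("after fix:  found=%v from=%q\n", found, from) // found=false from=""
}
```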
Mitigation Strategies
- Upgrade Zot to version 2.1.0 or newer.
- As a temporary workaround, disable the deduplication feature by setting "dedupe": false in the storage configuration. This will increase storage usage.
- Implement strict, least-privilege access control policies for all repositories.
- Monitor registry logs for unusual patterns of HEAD or mount requests across repositories from low-privilege users.
Remediation Steps:
1. Identify all Zot instances in your environment running a version prior to 2.1.0.
2. Schedule and perform an upgrade to version 2.1.0 or the latest stable release.
3. Verify that the upgrade was successful and the new version is running.
4. If upgrading is not immediately possible, apply the workaround by editing the Zot configuration file and setting "storage": { "dedupe": false }, then restart the Zot service.
5. Review access control lists (ACLs) to ensure they are correctly configured and no users have excessive permissions.
References
Read the full report for CVE-2024-39897 on our website for more details including interactive diagrams and full exploit analysis.