Helm, Memory Exhaustion, CVE-2024-3158 (Critical)

How the CVE Works:

CVE-2024-3158 targets Helm's chart archive processing with a crafted `.tgz` file that has an extreme compression ratio. When Helm decompresses the archive, the uncompressed size exceeds available memory because the payload consists of recursive or highly repetitive data. The result is uncontrolled memory allocation and an out-of-memory (OOM) crash. Attackers can abuse this to disrupt CI/CD pipelines or Kubernetes deployments that rely on Helm. The root cause is that the decompressed size is not validated before memory is allocated for it.

DailyCVE Form:

Platform: Helm
Version: <3.17.3
Vulnerability: Memory exhaustion
Severity: Critical
Date: 2024-04-10

What Undercode Says:

Exploitation:

  1. Craft a malicious chart with `tar --format=gnu -czvf exploit.tgz /dev/zero` (Linux) or similar tools to generate a high-ratio archive.
  2. Host the chart in a repo or share it via `helm install ./exploit.tgz`.

Detection:

Check the Helm version (every release below v3.17.3 is affected, so compare versions instead of matching only the 3.17.x pattern):
helm_v=$(helm version --template '{{.Version}}')
[ "$(printf '%s\n' "$helm_v" v3.17.3 | sort -V | head -n1)" != v3.17.3 ] && echo "Vulnerable ($helm_v)"

Mitigation:

1. Upgrade immediately:

curl -fsSL https://raw.githubusercontent.com/helm/helm/main/scripts/get-helm-3 | bash -s -- --version v3.17.3

2. Restrict chart sources:

Excerpt of a ValidatingWebhookConfiguration that sends chart-related object creation to a policy webhook for approval. A real object also needs `clientConfig`, `sideEffects` and `admissionReviewVersions`, which are omitted here. Note that a plain `helm install` creates ordinary workloads plus a release Secret rather than objects in a `helm.sh` API group, so `apiGroups` and `resources` must match whatever your cluster actually uses to install charts:
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
webhooks:
- name: chart-policy.example.com   # placeholder webhook name
  rules:
  - operations: ["CREATE"]
    apiGroups: ["helm.sh"]
    apiVersions: ["*"]
    resources: ["*"]

Code Fix (Go):

// Patch sketch for pkg/chart/loader/load.go (imports: compress/gzip, errors, io)
func loadArchiveFiles(in io.Reader) ([]BufferedFile, error) {
	maxSize := int64(1 << 30) // 1GB cap on total decompressed bytes
	gz, err := gzip.NewReader(in)
	if err != nil {
		return nil, err
	}
	defer gz.Close()
	// Bound the decompressed stream so a high-ratio archive cannot be buffered whole.
	data, err := io.ReadAll(io.LimitReader(gz, maxSize+1))
	if err != nil || int64(len(data)) > maxSize {
		return nil, errors.New("chart exceeds max allowed size or is unreadable")
	}
	// ... unpack tar entries from data into BufferedFile values as before ...
}
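
As an added example (not Helm's own code), the following Go program shows the bound the fix needs in working form: `io.LimitedReader` caps the decompressed stream itself, so a high-ratio archive is cut off after at most maxSize+1 decompressed bytes no matter what its tar headers claim, and entry bodies are drained rather than buffered. `ScanArchiveBounded`, `BuildTGZ`, the 1 MiB cap and the zero-filled input are all assumptions constructed for this demonstration.

```go
package main

import (
	"archive/tar"
	"bytes"
	"compress/gzip"
	"errors"
	"fmt"
	"io"
)

var ErrTooLarge = errors.New("chart exceeds max allowed decompressed size")
// ScanArchiveBounded drains a gzip'd tar entry by entry, reading at most maxSize
// decompressed bytes whatever the compression ratio; returns the bytes consumed.
func ScanArchiveBounded(in io.Reader, maxSize int64) (int64, error) {
	gz, err := gzip.NewReader(in)
	if err != nil {
		return 0, err
	}
	lr := &io.LimitedReader{R: gz, N: maxSize + 1} // lr.N == 0 means the cap was hit
	tr := tar.NewReader(lr)
	for err == nil {
		if _, err = tr.Next(); err == nil {
			_, err = io.Copy(io.Discard, tr) // drain this entry through the limit
		}
	}
	switch {
	case lr.N == 0: // cap hit; archive/tar may surface that as EOF or as a bad header
		err = ErrTooLarge
	case err == io.EOF: // clean end of archive
		err = nil
	}
	return maxSize + 1 - lr.N, err
}

// BuildTGZ packs one file into a gzip'd tar; it exists only to construct input.
func BuildTGZ(name string, body []byte) []byte {
	var buf bytes.Buffer
	gz := gzip.NewWriter(&buf)
	tw := tar.NewWriter(gz)
	tw.WriteHeader(&tar.Header{Name: name, Mode: 0o644, Size: int64(len(body))})
	tw.Write(body)
	tw.Close()
	gz.Close()
	return buf.Bytes()
}

func main() { // constructed bomb: 16 MiB of zeros, roughly 1000:1 once gzipped
	fmt.Println(ScanArchiveBounded(bytes.NewReader(BuildTGZ("Chart.yaml", make([]byte, 16<<20))), 1<<20))
}
```

With the 1 MiB cap the constructed bomb is rejected after exactly 1,048,577 decompressed bytes, while a small well-formed chart archive passes with a few KiB consumed.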

Analytics:

  • CVSS: 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H)
  • Attack Vector: Remote via malicious charts
  • PoC Complexity: Low (no ASLR bypass needed)

Monitoring Command:

Log OOM events in Kubernetes:
kubectl get events --field-selector=reason=OOMKilled -A

References:

Reported By: https://github.com/advisories/GHSA-4hfp-h4cw-hj8p