The CVE-2024-3248 vulnerability is a privilege escalation flaw in LXD. It occurs in configurations where an unprivileged user on the host is a member of the ‘lxd’ group. Such a user can create a container with a custom storage volume that has the `security.shifted` property enabled. This property manages file ownership shifting between the host and container. A flaw in the permissions applied to these storage volumes allows a user with root access inside the container to create a setuid binary on the mounted volume. Because the directory permissions on the host are overly permissive, this malicious binary, created from within the container, is executable by the unprivileged user on the host. When executed on the host, the setuid binary runs with root privileges, granting the unprivileged user full root access to the host system.
Platform: LXD
Version: < 5.21.4, < 5.0.5, < 4.0.10
Vulnerability: Privilege Escalation
Severity: Critical
Date: 2024-04-23
Prediction: Patch available
What Undercode Says:
`sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0700 /var/snap/lxd/common/lxd/storage-pools//{custom,virtual-machines,images}`
`sudo nsenter --mount=/run/snapd/ns/lxd.mnt -- chmod 0711 /var/snap/lxd/common/lxd/storage-pools//{containers,buckets}`
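To confirm the workaround has taken effect, the following added example (not from the advisory or from the LXD project) checks each storage-pool subdirectory against the modes the two chmod lines set and can re-apply them. It assumes GNU coreutils `stat -c`, takes the pool directory as an argument (on a snap host, the `/var/snap/lxd/common/lxd/storage-pools/<pool>` path from the commands above), and builds a constructed sample pool in a temp directory so it can be run offline.

```shell
#!/bin/sh
# Added example, not from the advisory or LXD: check the storage-pool
# subdirectory modes that the advisory's workaround sets. Assumes GNU
# coreutils `stat -c`; the pool path is an argument (the snap path is
# /var/snap/lxd/common/lxd/storage-pools/<pool> per the advisory).

# Expected octal mode per subdirectory, mirroring the workaround's chmod lines.
expected_mode() {
    case "$1" in
        custom|virtual-machines|images) echo 700 ;;
        containers|buckets) echo 711 ;;
        *) return 1 ;;
    esac
}

# check_pool_perms POOL_DIR: print each subdirectory that is missing or
# has a mode other than expected; return 0 only when all five match.
check_pool_perms() {
    rc=0
    for sub in custom virtual-machines images containers buckets; do
        want=$(expected_mode "$sub"); dir="$1/$sub"
        if [ ! -d "$dir" ]; then
            printf '%s: missing\n' "$dir"; rc=1; continue
        fi
        have=$(stat -c '%a' "$dir")
        if [ "$have" != "$want" ]; then
            printf '%s: mode %s, expected %s\n' "$dir" "$have" "$want"; rc=1
        fi
    done
    return $rc
}

# fix_pool_perms POOL_DIR: apply the workaround modes (on a real snap host,
# run inside the lxd mount namespace via nsenter as the advisory shows).
fix_pool_perms() {
    chmod 0700 "$1/custom" "$1/virtual-machines" "$1/images"
    chmod 0711 "$1/containers" "$1/buckets"
}

# Constructed sample pool in a temp dir (no LXD needed); `custom` is left
# world-readable/traversable so the check reports a finding.
make_sample_pool() {
    d=$(mktemp -d)
    mkdir -p "$d/custom" "$d/virtual-machines" "$d/images" "$d/containers" "$d/buckets"
    chmod 0755 "$d/custom"
    chmod 0700 "$d/virtual-machines" "$d/images"
    chmod 0711 "$d/containers" "$d/buckets"
    echo "$d"
}
```

Run `check_pool_perms "$(make_sample_pool)"` to see the finding on the sample, then `fix_pool_perms` on the same directory and re-check; a clean run prints nothing and exits 0.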
How to Exploit:
Create shifted storage volume.
Deploy setuid binary.
Execute from host.
Protection from this CVE:
Apply available patches.
Execute workaround commands.
Restrict lxd group membership.
Impact:
Host Root Compromise
Container Escape
Sources:
Reported By: github.com