CVE-2024-9341 Overview
A symlink attack vulnerability exists in the containers/common Go library that can lead to container escape when FIPS mode is enabled. When FIPS mode is active on the host system, container runtimes may incorrectly handle certain file paths due to improper validation in the subscriptions handling code. This flaw allows an attacker to exploit symbolic links and trick the system into mounting sensitive host directories inside a container, effectively bypassing the intended isolation between containers and the host system.
Critical Impact
This vulnerability enables attackers to escape container isolation and access critical host files, potentially compromising the entire container host infrastructure.
Affected Products
- Containers Common (Go library)
- Red Hat OpenShift Container Platform (versions 4.12 through 4.17)
- Red Hat Enterprise Linux 8.0 and 9.0
Discovery Timeline
- October 1, 2024 - CVE-2024-9341 published to NVD
- December 11, 2024 - Last updated in NVD database
Technical Details for CVE-2024-9341
Vulnerability Analysis
The vulnerability resides in the subscriptions handling functionality within the containers/common Go library, specifically in the subscriptions.go file. When FIPS (Federal Information Processing Standards) mode is enabled on the host system, the library's path validation logic fails to properly sanitize file paths before processing mount operations.
This improper link resolution allows an attacker with control over container contents to craft malicious symbolic links that point to sensitive host filesystem locations. When the container runtime processes these paths during container startup or subscription mounting operations, it follows the symlinks without proper validation, resulting in unintended host directories being mounted inside the container.
The vulnerability is classified under CWE-59 (Improper Link Resolution Before File Access), which describes scenarios where a program attempts to access a file based on user-controlled input, but fails to properly neutralize special elements within the pathname that could resolve to a location outside the intended restricted directory.
Root Cause
The root cause lies in insufficient path validation within the subscription mounting logic. The vulnerable code paths can be found at line 169 and line 349 of the subscriptions.go file in the containers/common repository.
The code fails to properly resolve and validate symbolic links before performing file operations, particularly when FIPS mode alters the expected behavior of path resolution. This allows attackers to use symlinks to traverse outside the intended container filesystem boundaries.
Attack Vector
The attack requires network access and user interaction to exploit. An attacker must be able to influence the contents of a container image or have execution capabilities within a running container. The attack scenario involves:
- Creating a malicious symbolic link within the container filesystem pointing to a sensitive host path (e.g., /etc/shadow, /etc/kubernetes)
- Triggering the vulnerable subscription mounting code path while FIPS mode is enabled
- The container runtime follows the symlink without proper validation, mounting the target host directory into the container
- The attacker gains read (and potentially write) access to sensitive host files from within the container
The attack has a changed scope, meaning successful exploitation affects resources beyond the vulnerable component's security scope, specifically compromising host system confidentiality.
Detection Methods for CVE-2024-9341
Indicators of Compromise
- Unexpected symbolic links within container filesystems pointing to host system paths such as /etc, /var, or /root
- Container processes accessing files outside their expected namespace or cgroup boundaries
- Anomalous file access patterns from container runtimes involving sensitive host directories
- Audit logs showing mount operations that reference paths outside container storage
Detection Strategies
- Enable container runtime auditing to monitor for suspicious mount operations and symlink resolution events
- Implement file integrity monitoring on critical host system directories to detect unauthorized access from container contexts
- Deploy runtime security tools that can detect container escape attempts and policy violations
- Monitor for containers attempting to access FIPS-mode specific configuration files on the host
Monitoring Recommendations
- Configure SELinux or AppArmor policies to restrict container access to host filesystem paths and alert on policy violations
- Implement continuous monitoring of container runtime logs for path traversal patterns and unusual symlink resolution
- Use SentinelOne Singularity for Cloud to detect anomalous container behavior and potential escape attempts in real-time
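The indicator "audit logs showing mount operations that reference paths outside container storage" and the recommendation to monitor runtime logs can be turned into a concrete check. The Go program below is an added example written for this page; it is not code from containers/common, Red Hat or SentinelOne. It parses constructed auditd records (SYSCALL and PATH lines correlated by their shared audit event id), keeps only mount(2) events, and flags any path in such an event that is not under an operator-maintained allowlist of container storage roots and expected bind-mount sources. The audit rule quoted in the comment, the allowlist contents, the process details and the log lines are all assumptions; syscall number 165 is mount(2) on x86_64 (arch=c000003e) only.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// Constructed auditd records, not from a real incident. They assume a rule such as
// "-a always,exit -F arch=b64 -S mount -F exe=/usr/bin/podman -k container-mounts": each
// mount(2) then yields a SYSCALL record followed by PATH records sharing one event id.
// Event 4711 references a host file, 4712 stays in storage, 4713 is an openat, not a mount.
const sampleAuditLog = `type=SYSCALL msg=audit(1727800000.101:4711): arch=c000003e syscall=165 success=yes exit=0 pid=2345 auid=4294967295 uid=0 comm="podman" exe="/usr/bin/podman" key="container-mounts"
type=PATH msg=audit(1727800000.101:4711): item=0 name="/etc/shadow" nametype=NORMAL
type=PATH msg=audit(1727800000.101:4711): item=1 name="/var/lib/containers/storage/overlay/3f1a/merged/run/secrets/shadow" nametype=NORMAL
type=SYSCALL msg=audit(1727800000.250:4712): arch=c000003e syscall=165 success=yes exit=0 pid=2345 auid=4294967295 uid=0 comm="podman" exe="/usr/bin/podman" key="container-mounts"
type=PATH msg=audit(1727800000.250:4712): item=0 name="/var/lib/containers/storage/overlay/3f1a/merged" nametype=NORMAL
type=SYSCALL msg=audit(1727800000.300:4713): arch=c000003e syscall=257 success=yes exit=3 pid=2345 auid=4294967295 uid=0 comm="podman" exe="/usr/bin/podman" key="runtime-opens"
type=PATH msg=audit(1727800000.300:4713): item=0 name="/etc/hosts" nametype=NORMAL
`

// MountEvent is one mount(2) audit event with every PATH name recorded for it.
type MountEvent struct {
	ID, Exe string
	Paths   []string
}

// Finding is a path touched by a mount event that lies outside the allowlist.
type Finding struct{ EventID, Exe, Path string }

// Assumed allowlist: container storage plus host paths the operator expects the
// runtime to bind-mount. Tune per host; anything else seen in a mount is flagged.
var DefaultAllowedRoots = []string{"/var/lib/containers/storage/", "/run/containers/", "/usr/share/zoneinfo/"}

const archX86_64, mountX86_64 = "c000003e", "165" // mount(2) is 165 on x86_64 only

// kv pulls key=value or key="value" out of an audit record. Because the key must
// be followed directly by "=", asking for "name" never matches "nametype=".
func kv(line, key string) string {
	if m := regexp.MustCompile(`\b` + key + `="?([^" ]*)"?`).FindStringSubmatch(line); m != nil {
		return m[1]
	}
	return ""
}

// ParseAuditLog returns the x86_64 mount(2) events in the log, in order, with the
// PATH names that share their event id. It relies on auditd's ordering: the SYSCALL
// record of an event is always emitted before that event's PATH records.
func ParseAuditLog(text string) []*MountEvent {
	byID, mounts := map[string]*MountEvent{}, []*MountEvent{}
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := sc.Text()
		id := strings.TrimSuffix(kv(line, "msg"), ":") // audit(<time>:<serial>)
		switch {
		case strings.HasPrefix(line, "type=SYSCALL") && kv(line, "arch") == archX86_64 && kv(line, "syscall") == mountX86_64:
			ev := &MountEvent{ID: id, Exe: kv(line, "exe")}
			byID[id], mounts = ev, append(mounts, ev)
		case strings.HasPrefix(line, "type=PATH") && byID[id] != nil && kv(line, "name") != "":
			byID[id].Paths = append(byID[id].Paths, kv(line, "name"))
		}
	}
	return mounts
}

// FlagForeignMounts reports every path in a mount event that is not under an
// allowed root: the "mount referencing paths outside container storage" indicator.
func FlagForeignMounts(events []*MountEvent, allowedRoots []string) []Finding {
	allowed := func(p string) bool {
		for _, root := range allowedRoots {
			if strings.HasPrefix(p, root) {
				return true
			}
		}
		return false
	}
	var out []Finding
	for _, ev := range events {
		for _, p := range ev.Paths {
			if !allowed(p) {
				out = append(out, Finding{ev.ID, ev.Exe, p})
			}
		}
	}
	return out
}

func main() {
	for _, f := range FlagForeignMounts(ParseAuditLog(sampleAuditLog), DefaultAllowedRoots) {
		fmt.Printf("ALERT event=%s exe=%s mount touches %s\n", f.EventID, f.Exe, f.Path)
	}
}
```

Run against the constructed log, the program raises one alert, for event 4711 touching /etc/shadow; the mount that stays inside the storage tree and the openat event produce nothing. In production the allowlist is the part that needs care: bind sources that are legitimately outside container storage (time zone data, CA bundles, the subscription files the vulnerable code path handles) must be listed explicitly, so that the check only fires on paths no container should ever be handed.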
How to Mitigate CVE-2024-9341
Immediate Actions Required
- Update the containers/common library to the latest patched version as soon as patches are available
- Apply Red Hat security advisories for affected OpenShift Container Platform and RHEL installations
- Review container images for suspicious symbolic links before deployment
- Consider temporarily disabling FIPS mode if not strictly required until patches are applied
Patch Information
Red Hat has released multiple security advisories addressing this vulnerability across their product portfolio. Organizations should apply the appropriate patches based on their deployed products:
- RHSA-2024:7925 - Initial security update
- RHSA-2024:8039 - OpenShift Container Platform update
- RHSA-2024:8112 - Additional platform patches
- RHSA-2024:9454 - RHEL 9 updates
- RHSA-2024:9459 - Additional RHEL updates
- RHSA-2024:10147 - Latest consolidated update
- RHSA-2024:10818 - Most recent advisory
For complete details, refer to the Red Hat CVE Report for CVE-2024-9341 and Red Hat Bug Report #2315691.
Workarounds
- Implement strict image scanning policies to detect and block container images containing suspicious symbolic links before deployment
- Deploy stronger container isolation mechanisms such as gVisor or Kata Containers to add a further security boundary between containers and the host
- Use seccomp profiles to restrict syscalls that could be used for symlink-based attacks within containers
- Enforce read-only root filesystems for containers where possible to prevent runtime creation of malicious symlinks
# Example: Restrict container capabilities and enable read-only root filesystem
podman run --cap-drop=ALL --read-only --security-opt=no-new-privileges \
--security-opt seccomp=/path/to/custom-seccomp.json \
your-container-image
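The Root Cause section above describes the CWE-59 defect (a path is used before its symlinks are resolved and checked) and the Workarounds list asks for image scanning that blocks suspicious symbolic links. The Go program below is an added example covering both; it is not containers/common's code, not its actual fix, and not part of the original page. ResolveWithinRoot evaluates every symlink in a container-relative path and refuses any result that lands outside the root, which is the generic guard a runtime needs before mounting; FindEscapingSymlinks applies the same guard to every link in an unpacked image root, which is the image-review gate. BuildDemoRoot creates a constructed fixture under a temporary directory with a stand-in for a sensitive host file; every path, name and file content in it is an assumption made for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// ErrEscapesRoot reports a path that, once symlinks are resolved, lands outside
// the container root it was supposed to stay within.
var ErrEscapesRoot = errors.New("path resolves outside container root")

// NaiveJoin is the CWE-59 pattern: root and relative path are joined and handed to
// the kernel, which follows any symlink component at open or mount time unchecked.
func NaiveJoin(root, rel string) string { return filepath.Join(root, rel) }

// ResolveWithinRoot resolves every symlink in root/rel and rejects the result unless
// it is still inside root. A generic CWE-59 guard, not the containers/common fix.
func ResolveWithinRoot(root, rel string) (string, error) {
	absRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	resolved, err := filepath.EvalSymlinks(filepath.Join(absRoot, rel))
	if err != nil {
		return "", err // dangling or unreadable link: refuse rather than guess
	}
	inside, err := filepath.Rel(absRoot, resolved)
	if err != nil {
		return "", err
	}
	if inside == ".." || strings.HasPrefix(inside, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("%w: %s -> %s", ErrEscapesRoot, rel, resolved)
	}
	return resolved, nil
}

// FindEscapingSymlinks walks an unpacked image root and reports every symlink that
// does not resolve inside it (dangling links included: a later mount can complete
// them). WalkDir never follows symlinks, so the walk itself cannot leave root.
func FindEscapingSymlinks(root string) ([]string, error) {
	var findings []string
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, walkErr error) error {
		if walkErr != nil || d.Type()&fs.ModeSymlink == 0 {
			return walkErr
		}
		rel, _ := filepath.Rel(root, p)
		if _, err := ResolveWithinRoot(root, rel); err != nil {
			target, _ := os.Readlink(p)
			findings = append(findings, fmt.Sprintf("%s -> %s (%v)", rel, target, err))
		}
		return nil
	})
	return findings, err
}

// BuildDemoRoot lays out a constructed fixture under a temp dir (every name is made
// up): <tmp>/host/etc/shadow stands in for a sensitive host file and <tmp>/root is
// the container root holding one in-root link and two links that leave it.
func BuildDemoRoot() string {
	check := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	tmp, err := os.MkdirTemp("", "cve-2024-9341-demo-")
	check(err)
	for _, d := range []string{"host/etc", "root/etc", "root/run", "root/usr/lib"} {
		check(os.MkdirAll(filepath.Join(tmp, d), 0o755))
	}
	check(os.WriteFile(filepath.Join(tmp, "host/etc/shadow"), []byte("root:*:19000:0:99999:7:::\n"), 0o600))
	root := filepath.Join(tmp, "root")
	links := map[string]string{
		"lib":         "usr/lib",        // stays inside the root
		"run/secrets": "../../host/etc", // escapes through ".."
		"etc/pki":     "/etc",           // absolute: a runtime on the host resolves it against the host
	}
	for rel, target := range links {
		check(os.Symlink(target, filepath.Join(root, rel)))
	}
	return root
}

func main() {
	root := BuildDemoRoot()
	defer os.RemoveAll(filepath.Dir(root))
	data, _ := os.ReadFile(NaiveJoin(root, "run/secrets/shadow")) // follows the link out of root
	fmt.Printf("naive join read %d bytes from outside the root\n", len(data))
	_, err := ResolveWithinRoot(root, "run/secrets/shadow")
	fmt.Println("guard:", err) // ErrEscapesRoot
	findings, _ := FindEscapingSymlinks(root)
	fmt.Println("image review:\n" + strings.Join(findings, "\n"))
}
```

Two design points matter here. First, the guard resolves the root itself before comparing, so a root that is itself reached through a symlink (a temp directory, a storage overlay) is compared on equal terms with the resolved target. Second, the absolute link etc/pki -> /etc is reported as escaping even though, inside a running container, /etc would mean the container's own /etc: the runtime processing subscription mounts runs on the host, so an absolute link in the image resolves against the host filesystem, which is exactly the confusion CWE-59 describes. A review gate that only looked for ".." components would miss it.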
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

