containerd CVE-2024-25621: Brief Summary of Local Privilege Escalation via Directory Permissions

This post provides a brief summary of CVE-2024-25621, a local privilege escalation vulnerability in containerd due to incorrect directory permissions. It covers the technical mechanism, affected versions, patch details, and vendor security history.

ZeroPath CVE Analysis

2025-11-06

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

Container hosts running multi-tenant workloads risked privilege escalation due to a subtle but impactful permissions flaw in containerd. Local users could traverse and potentially access sensitive runtime directories, undermining container isolation and exposing metadata. containerd is a foundational open source container runtime, integral to Kubernetes and Docker, and is widely deployed across cloud and enterprise environments. Its security posture directly affects a significant portion of the global container infrastructure.

Technical Information

CVE-2024-25621 is a local privilege escalation vulnerability rooted in incorrect directory permissions within containerd. The vulnerability specifically concerns the creation of key runtime directories with overly permissive access rights. Instead of restricting access to the owner only (permission mode 0o700), affected versions created directories such as /var/lib/containerd with 0o711 and /run/containerd/io.containerd.grpc.v1.cri with 0o755. This allowed group and world users to traverse these directories, which could lead to unauthorized access to container metadata, runtime state, and potentially sensitive files.

Technical root cause:

  • The directory creation logic in containerd did not set restrictive permissions, violating the principle of least privilege. Because the execute (search) bit on a directory grants traversal while the read bit grants listing, these modes let any local user traverse the directory trees even where they could not list their contents, a critical distinction in the Unix permission model. The issue is classified as CWE-279 (Incorrect Execution-Assigned Permissions).

  • The affected directories include:

    • /var/lib/containerd
    • /run/containerd/io.containerd.grpc.v1.cri
    • /run/containerd/io.containerd.sandbox.controller.v1.shim

  • Attackers with local access could leverage this to enumerate or access files if filenames were known, or combine this flaw with other vulnerabilities for further escalation.

  • The issue affects containerd versions:

    • 0.1.0 through 1.7.28
    • 2.0.0-beta.0 through 2.0.6
    • 2.1.0-beta.0 through 2.1.4
    • 2.2.0-beta.0 through 2.2.0-rc.1

No code snippets are included as only permission mode changes were involved and no public vulnerable code blocks were provided in advisories.

Patch Information

To address the local privilege escalation vulnerability in containerd, the development team has implemented a series of patches aimed at tightening directory permissions to prevent unauthorized access.

Key Changes:

  • Restricting Directory Permissions: The permissions for critical directories have been adjusted to limit access strictly to authorized users.

    • /var/lib/containerd: Previously created with permission bits 0o711, which let any local user traverse it, this directory is now configured with 0o700 permissions. This change ensures that only the owner has read, write, and execute permissions, effectively preventing other users from accessing the metadata and content stores.

    • /run/containerd/io.containerd.grpc.v1.cri: This directory, which was created with 0o755 permissions, has been updated to 0o700. This adjustment restricts access to the owner, mitigating the risk of unauthorized users interacting with the CRI (Container Runtime Interface) socket.

Implementation Details:

The patches involve modifying the directory creation routines within the containerd codebase to set the appropriate permission bits at the time of directory creation. By ensuring that these directories are created with 0o700 permissions, the patches effectively limit access to the containerd daemon and its associated resources to the root user, thereby mitigating the risk of local privilege escalation.

Patch Availability:

These security patches have been incorporated into the following containerd versions:

  • 2.2.0
  • 2.1.5
  • 2.0.7
  • 1.7.29

Users are strongly encouraged to upgrade to these patched versions to secure their containerd installations against potential privilege escalation exploits.

Patch source: GHSA-pwhc-rpq9-4c8w

Affected Systems and Versions

  • containerd versions 0.1.0 through 1.7.28
  • containerd versions 2.0.0-beta.0 through 2.0.6
  • containerd versions 2.1.0-beta.0 through 2.1.4
  • containerd versions 2.2.0-beta.0 through 2.2.0-rc.1

Any installation using these versions with default directory permissions is vulnerable. The issue is present regardless of deployment environment (Kubernetes, Docker, standalone) if the affected directories are world or group accessible.

Vendor Security History

containerd has previously addressed similar permission-related vulnerabilities. Notably, CVE-2021-41103 involved insufficiently restricted permissions on container root directories, affecting versions before 1.4.11 and 1.5.7. The project has demonstrated a responsive patch process, releasing fixes and advisories in a timely manner. However, the recurrence of permission issues suggests ongoing challenges in enforcing least privilege across all code paths. containerd remains a CNCF graduated project with a strong community and active security response.
