BuildKit Users Beware of New Race Condition Vulnerability

CVE: CVE-2024-23651
CVSS (v3.1): 8.7
Source: CVE-2024-23651

BuildKit, an open source toolkit for building container images in Docker, was found to have a race condition vulnerability that could allow malicious build steps to access files from the host system.

BuildKit uses a shared cache to speed up the build process. However, researchers discovered that when multiple build steps access this cache simultaneously, a race condition can occur that gives one step unauthorized access to files outside the intended build context.

Attackers could craft a malicious Dockerfile containing build steps that intentionally cause a race condition. This would allow files on the host machine running BuildKit to be read or overwritten. Sensitive data like authentication credentials, source code or other proprietary files may be at risk.

The good news is BuildKit developers were notified and quickly released a fix in version 0.12.5. If you use BuildKit, be sure to update immediately.

As a precaution, only use BuildKit with Dockerfiles from trusted sources, and avoid sharing the cache mount between untrusted builds by not using the --mount flag.
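
Both precautions above (running at least the fixed version 0.12.5, and knowing which Dockerfiles use --mount) can be checked before a build is accepted. The following Python is an added example, not code from BuildKit or from the original advisory; the function names and the sample Dockerfile are constructed for illustration, and it assumes the default backslash escape character and no heredocs.

```python
import re

FIXED = (0, 12, 5)  # fix version stated in the advisory above

def is_patched(version_text):
    """True if the first X.Y.Z version found in the text is >= the fixed release."""
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", version_text)
    if not m:
        raise ValueError(f"no version found in {version_text!r}")
    return tuple(int(p) for p in m.groups()) >= FIXED

def logical_lines(dockerfile):
    """Yield (first_line_number, instruction) with backslash continuations joined."""
    buf, start = [], None
    for n, raw in enumerate(dockerfile.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments are not part of any instruction
        start = start or n
        buf.append(line.rstrip("\\").strip())
        if not line.endswith("\\"):
            yield start, " ".join(buf)
            buf, start = [], None
    if buf:
        yield start, " ".join(buf)

def find_run_mounts(dockerfile):
    """Return (line, mount_type, spec) for every --mount flag on a RUN instruction."""
    hits = []
    for n, instr in logical_lines(dockerfile):
        tokens = instr.split()
        if tokens[0].upper() != "RUN":
            continue
        for tok in tokens[1:]:
            if not tok.startswith("--"):
                break  # RUN flags end where the command itself begins
            if tok.startswith("--mount="):
                spec = tok[len("--mount="):]
                m = re.search(r"(?:^|,)type=([^,]+)", spec)
                # Dockerfile mounts default to type "bind" when no type is given
                hits.append((n, m.group(1) if m else "bind", spec))
    return hits

SAMPLE = """\
FROM alpine:3.19
# constructed sample Dockerfile, not taken from the advisory
RUN --mount=type=cache,target=/root/.cache \\
    apk add --no-cache curl
"""
```

Entries reported with mount type "cache" are the ones the precaution above refers to; a review gate can reject those from untrusted sources or require that the builder passes is_patched first.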

Staying on top of software updates is key to protecting yourself from vulnerabilities like this. If you use BuildKit, vigilance around updating is advised. With simple steps like verifying Dockerfile sources, you can help prevent attackers from exploiting race conditions and accessing sensitive host system files.
