Crun Escape Vulnerability in Krun Handler Allows Host File Modification
Vulnerability
A vulnerability in crun, an open-source OCI container runtime written in C, allows a malicious container image to escape the root filesystem and create or modify files on the host. This issue affects crun versions through 1.19.1, with crun 1.20 being the patched version. The vulnerability arises in the krun handler, where the .krun_config.json file could be created outside of the container's root filesystem, potentially leading to unauthorized file changes on the host. Exploitation requires only the ability to write to the target file, with no special permissions needed.
Impact
Exploitation of this vulnerability allows for unauthorized file creation or modification on the host system, outside of the container's root filesystem.
Reproduction
The vulnerability can be reproduced by creating a symbolic link in a container image that points to a location on the host filesystem, such as the /tmp directory. This can be done by building a container image with a Dockerfile that includes the symlink, and then running the container with the krun runtime. After the container runs, the file written through the symlink appears on the host, demonstrating the filesystem escape.
Remediation
Users are advised to upgrade to crun version 1.20, where this vulnerability has been fixed.
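The defect class described above is a runtime writing a file at a path under the container rootfs while following a symlink the image controls. The following added example (not crun's code, and not the actual 1.20 patch) contrasts that naive write with a check that refuses paths resolving outside the rootfs; the `.krun_config.json` name comes from the advisory, while the `rootfs`/`host` directories are constructed in a temporary directory.

```python
import os
import tempfile

CONFIG_NAME = ".krun_config.json"  # file name from the advisory


def naive_write(rootfs, name, data):
    """Vulnerable pattern: open rootfs/name and follow whatever symlink the image put there."""
    path = os.path.join(rootfs, name)
    with open(path, "w") as f:
        f.write(data)
    return os.path.realpath(path)  # where the bytes actually landed


def within_root(rootfs, name):
    """True if rootfs/name, with every symlink and '..' resolved, still lies under rootfs."""
    root = os.path.realpath(rootfs)
    target = os.path.realpath(os.path.join(root, name.lstrip("/")))
    return target == root or target.startswith(root + os.sep)


def safe_write(rootfs, name, data):
    """Hardened pattern: refuse paths resolving outside rootfs and never follow a symlink in
    the final component. A check-then-open window (TOCTOU) remains; on Linux the kernel-side
    fix is openat2() with RESOLVE_IN_ROOT, which Python does not wrap directly."""
    if not within_root(rootfs, name):
        raise PermissionError(f"{name} resolves outside {rootfs}")
    path = os.path.join(rootfs, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o644)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return os.path.realpath(path)


def demo():
    """Constructed scenario: a rootfs whose .krun_config.json is a symlink into a 'host' dir."""
    base = tempfile.mkdtemp()
    rootfs, host = os.path.join(base, "rootfs"), os.path.join(base, "host")
    os.makedirs(rootfs)
    os.makedirs(host)
    escaped = os.path.join(host, "escaped.json")
    os.symlink(escaped, os.path.join(rootfs, CONFIG_NAME))  # what a malicious image ships
    landed = naive_write(rootfs, CONFIG_NAME, "{}")
    try:
        safe_write(rootfs, CONFIG_NAME, "{}")
        blocked = False
    except PermissionError:
        blocked = True
    inside = os.path.realpath(rootfs) + os.sep
    return {
        "host_file_created": os.path.exists(escaped),
        "naive_escaped": not landed.startswith(inside),
        "safe_blocked": blocked,
        "safe_ok_inside": safe_write(rootfs, "ok.json", "{}").startswith(inside),
    }
```

Run `demo()` to see the naive write land in the host directory while the hardened write refuses the symlinked name and still accepts an ordinary file inside the rootfs.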
