Helm Local Code Execution Vulnerability via Malicious Chart.yaml and Symlinked Chart.lock

Vulnerability

A local code execution vulnerability exists in Helm versions prior to 3.18.4 (and prior to 3.17.4 on the 3.17 branch). It is triggered by a specially crafted Chart.yaml in combination with a Chart.lock file that is a symbolic link. When dependencies are updated, Helm serializes the dependency entries from Chart.yaml into Chart.lock; because Helm follows the symlink rather than refusing to write through it, the generated lock content is written to whatever file the link points at. A Chart.yaml whose dependency fields are crafted so that the resulting lock content is also valid shell syntax therefore lets an attacker overwrite an executable file, such as a shell startup file (.bashrc) or a script, with attacker-controlled content. The next time that file is sourced or executed, the injected code runs.

Impact

Exploitation of this vulnerability allows local code execution on the system where Helm is run, with the privileges of the user invoking Helm. The attacker needs to supply a chart (for example from an untrusted repository or a cloned source tree) that the victim then processes with a dependency update.

Reproduction

To reproduce this vulnerability, create a malicious Chart.yaml whose dependency entries carry arbitrary shell code. Then replace Chart.lock with a symlink pointing to a sensitive file that is writable by the user running Helm, such as .bashrc or another startup script. When 'helm dependency update' is executed, a vulnerable Helm processes Chart.yaml, regenerates the lock content and writes it through the symlink into the target file. Verify by inspecting the target file after the command has run: it now contains the attacker-controlled lock content instead of its original contents.
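A pre-flight guard for the condition described above, written here as an added example rather than anything shipped with Helm: before running 'helm dependency update' it refuses charts whose Chart.lock (the file Helm rewrites) or Chart.yaml is a symlink, and, as a heuristic, flags dependency fields in Chart.yaml that carry shell metacharacters. The function names chart_guard and safe_dependency_update are this example's own; the metacharacter pattern is an assumption about what a legitimate chart never needs, not a signature from the advisory.

```shell
#!/bin/sh
# chart_guard DIR: exit 0 when DIR looks safe to run `helm dependency update` on,
# exit 1 otherwise. Added example, not Helm code; names and heuristics are assumptions.
chart_guard() {
    dir="${1:-.}"

    # Helm writes Chart.lock; a symlink there redirects that write to an arbitrary
    # file (e.g. ~/.bashrc). Chart.yaml is checked for the same reason.
    for f in Chart.lock Chart.yaml; do
        if [ -L "$dir/$f" ]; then
            printf 'refusing: %s is a symlink -> %s\n' "$dir/$f" "$(readlink "$dir/$f")" >&2
            return 1
        fi
    done

    # Heuristic: name/repository/version-style fields that contain shell syntax
    # (;  `  |  &  $(  ${) have no legitimate use and are exactly what ends up
    # in the regenerated Chart.lock. Matching lines are printed to stderr.
    if [ -f "$dir/Chart.yaml" ] && \
       grep -nE '^[[:space:]]*-?[[:space:]]*(name|repository|version|alias|condition):.*([;`|&]|\$[({])' \
            "$dir/Chart.yaml" >&2; then
        printf 'refusing: suspicious dependency field(s) in %s\n' "$dir/Chart.yaml" >&2
        return 1
    fi

    return 0
}

# Wrapper a practitioner would alias in place of the bare helm command.
safe_dependency_update() {
    chart_guard "${1:-.}" && helm dependency update "${1:-.}"
}
```

The symlink check is the one that matters for this bug; the grep is a cheap second line of defence that also catches charts whose Chart.lock is a regular file but whose Chart.yaml was tampered with.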

Remediation

Upgrade to Helm 3.18.4 or 3.17.4, in which this issue is patched. Until then, and as a compensating control when processing charts from untrusted sources, verify that Chart.lock (and Chart.yaml) is a regular file rather than a symlink before running a dependency update, and treat a chart that contains symlinks in its root with suspicion.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 5.8
remediation: 7.9
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.