Youki Container Runtime Container Escape Vulnerability via Masked Path Abuse
Vulnerability
A container escape vulnerability has been identified in Youki, a container runtime written in Rust, affecting versions through 0.5.5. The issue arises from insufficient initial validation of the source '/dev/null' when it is bind mounted as a file mask for containers. Because there is a window between the validation and the mount, '/dev/null' can be replaced with an arbitrary file from the host system before the mount takes place.
Impact
Exploitation of this vulnerability allows for unauthorized access to the host system's file system, potentially leading to the manipulation or exposure of sensitive files or data.
Reproduction
To reproduce this vulnerability, create a symbolic link to a file on the host system and mount it as a masked path in a Youki container. The container can then access the file through the '/dev/null' interface, bypassing the intended isolation.
Remediation
Users can update to Youki version 0.5.7 or later, where this vulnerability has been fixed.
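One way to close the window between validating '/dev/null' and mounting it, as an added example that is not Youki's code and is not taken from its fix: validate the opened descriptor rather than the path, then use a path pinned to that descriptor as the mount source. The function names and the use of /proc/self/fd as the bind-mount source are assumptions of this example.

```rust
use std::fs::File;
use std::io::{Error, ErrorKind, Result};
use std::os::unix::fs::{FileTypeExt, MetadataExt};
use std::os::unix::io::AsRawFd;
use std::path::{Path, PathBuf};

// Linux dev_t decoding (same bit layout as glibc's major()/minor()).
fn major(dev: u64) -> u64 { ((dev >> 32) & 0xffff_f000) | ((dev >> 8) & 0x0000_0fff) }
fn minor(dev: u64) -> u64 { ((dev >> 12) & 0xffff_ff00) | (dev & 0x0000_00ff) }

/// True only for the kernel null device: character device 1:3.
fn is_null_device(meta: &std::fs::Metadata) -> bool {
    meta.file_type().is_char_device() && major(meta.rdev()) == 1 && minor(meta.rdev()) == 3
}

/// Hypothetical helper: open `path` and validate the opened descriptor
/// (fstat), not the path. A symlink or swapped file is followed by open(),
/// but the object actually opened then fails the device check.
/// Returns the handle plus a /proc/self/fd path pinned to that inode, to be
/// used as the bind-mount source instead of resolving `path` a second time.
pub fn open_verified_null(path: &Path) -> Result<(File, PathBuf)> {
    let file = File::open(path)?;
    let meta = file.metadata()?; // fstat on the fd: the same object that gets mounted
    if !is_null_device(&meta) {
        return Err(Error::new(
            ErrorKind::InvalidInput,
            format!("{} is not the null device (char 1:3)", path.display()),
        ));
    }
    let pinned = PathBuf::from(format!("/proc/self/fd/{}", file.as_raw_fd()));
    Ok((file, pinned))
}

fn main() {
    // The File must stay open until the mount call has completed.
    match open_verified_null(Path::new("/dev/null")) {
        Ok((_keep_open, src)) => println!("mask source: {}", src.display()),
        Err(e) => eprintln!("refusing to mask: {}", e),
    }
}
```

The returned `File` has to outlive the mount call; dropping it earlier invalidates the pinned path.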
