Inspektor Gadget Command Injection Vulnerability in Image Build Subcommand

Vulnerability

A command injection vulnerability has been identified in the Inspektor Gadget tool, specifically within the image building functionality of the 'ig' binary. This issue affects versions through 0.48.0. The vulnerability arises in the 'Makefile.build' template, which is used during the image creation process. User-controlled data is incorporated into the build commands without proper escaping, allowing an attacker to execute arbitrary commands. Exploitation of this vulnerability could lead to unauthorized command execution on the Linux host running the 'ig' command, or within the build container if the '--local' flag is not used.

Impact

Successful exploitation allows for arbitrary command execution on the host or within the build container, depending on the flags used during the image build process.

Reproduction

To reproduce this vulnerability, create a 'build.yaml' file that includes a crafted 'cflags' entry designed to inject a command, such as one that creates a file. Then, use the 'ig image build' command to initiate the image building process with the malicious 'build.yaml' file. If the 'poc.txt' file is created as a result, the vulnerability has been successfully exploited.

Remediation

Users are advised to update to Inspektor Gadget version 0.48.1, which removes the ability to customize CFLAGS in a way that could lead to command injection.
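As an added illustration, not code from Inspektor Gadget or from this advisory, the check below shows the kind of allowlist validation a build tool can apply to a user-supplied cflags string before it is rendered into a Makefile recipe: each token must match a strict flag pattern and is passed on as a separate argument instead of being re-joined into a shell line. The sample values, the pattern and the function name are assumptions; the upstream fix in 0.48.1 instead removed CFLAGS customization entirely.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample cflags values of the kind read from a build.yaml
// (illustrative only; not taken from the advisory or the project).
var sampleCflags = []string{
	"-O2 -Wall -DGADGET_DEBUG=1", // accepted
	"-I/usr/include/bpf",         // accepted
	"-O2; touch poc.txt",         // rejected: ';' is a shell metacharacter
	"-DFOO=$(id)",                // rejected: '$' and '(' would be expanded by the shell
	"-O2\ntouch poc.txt",         // rejected: a newline would start a new recipe line
}

// tokenPattern allows one compiler flag built from a conservative character
// set. Shell metacharacters (; | & $ ` quotes, whitespace) are outside the
// set, so they can never reach the shell that executes the Makefile recipe.
var tokenPattern = regexp.MustCompile(`^-[A-Za-z0-9_][A-Za-z0-9_=+./-]*$`)

// ValidateCflags splits the string on whitespace and checks every token
// against the allowlist. On success it returns the tokens so the caller can
// pass them as individual argv entries (e.g. to exec.Command) rather than
// interpolating the raw string into a template.
func ValidateCflags(cflags string) ([]string, error) {
	if strings.ContainsAny(cflags, "\n\r") {
		return nil, fmt.Errorf("cflags must not contain line breaks")
	}
	tokens := strings.Fields(cflags)
	for _, t := range tokens {
		if !tokenPattern.MatchString(t) {
			return nil, fmt.Errorf("rejected cflags token %q: not an allowlisted compiler flag", t)
		}
	}
	return tokens, nil
}

func main() {
	for _, c := range sampleCflags {
		if toks, err := ValidateCflags(c); err != nil {
			fmt.Printf("REJECT %q: %v\n", c, err)
		} else {
			fmt.Printf("ACCEPT %q -> %d argv entries\n", c, len(toks))
		}
	}
}
```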

Added: Jan 29, 2026, 10:24 PM
Updated: Jan 29, 2026, 10:24 PM

Vulnerability Rating

Custom Algorithm (score per category):
spread: 0.0
impact: 7.5
exploitability: 5.6
remediation: 0.0
relevance: 2.4
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.