Host `docker` binary overwrite from Kata VM

Disclosed by ajxchapman
  • Engagement: Undisclosed
  • Disclosed date: about 4 years ago
  • Points: 40
  • Priority: P1 (Bugcrowd VRT priority rating)
  • Status: Resolved (the vulnerability has been accepted and fixed)
Summary by ajxchapman

Kata Containers, as used in the new BitBucket Pipelines CI/CD environment, was found to be vulnerable to an issue that allowed Kata VMs to write to hostPath mount points that should have been read-only. The issue was fixed in the Kata Containers project and assigned CVE-2020-28914.
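The defensive check a practitioner wants after reading that summary is a way to verify, from inside the guest, which mounts are actually read-only. The following is an added example and is not code from the Bugcrowd report or the Kata Containers project. It parses the Linux /proc/self/mountinfo format and compares it against a list of paths the operator expects to be read-only; the mountinfo lines, the share names and the expected-path list are constructed for the demonstration, and the virtiofs/9p sources are assumed share types, not values taken from the report.

```python
"""Audit which mounts inside a guest are actually mounted read-only.

Added example (not part of the Bugcrowd report or the Kata Containers
project): parses Linux /proc/self/mountinfo and flags mount points that an
operator expects to be read-only but that the kernel reports as writable.
The sample lines below are constructed for an offline demonstration.
"""
import re
from dataclasses import dataclass

# mountinfo encodes space, tab, newline and backslash in paths as octal (\040 etc.)
_ESCAPE = re.compile(r"\\([0-7]{3})")


def _unescape(field: str) -> str:
    return _ESCAPE.sub(lambda m: chr(int(m.group(1), 8)), field)


@dataclass(frozen=True)
class Mount:
    mount_point: str
    fstype: str
    source: str
    mount_opts: frozenset  # per-mount-point flags (field 6)
    super_opts: frozenset  # superblock flags (after the "-" separator)

    @property
    def read_only(self) -> bool:
        # A mount is effectively read-only if either the mount itself or the
        # underlying superblock carries "ro".
        return "ro" in self.mount_opts or "ro" in self.super_opts


def parse_mountinfo(text: str) -> list:
    """Parse /proc/self/mountinfo content into Mount records."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Optional fields (shared:N, master:N, ...) sit between field 6 and the
        # literal "-" separator, so split on the separator rather than by index.
        left, sep, right = line.partition(" - ")
        if not sep:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        lf = left.split()
        rf = right.split()
        if len(lf) < 6 or len(rf) < 3:
            raise ValueError(f"malformed mountinfo line: {line!r}")
        mounts.append(Mount(
            mount_point=_unescape(lf[4]),
            fstype=rf[0],
            source=_unescape(rf[1]),
            mount_opts=frozenset(lf[5].split(",")),
            super_opts=frozenset(rf[2].split(",")),
        ))
    return mounts


def audit_read_only(mounts, expected_read_only):
    """Return {path: finding} for every path expected to be read-only.

    Findings: "ok" (mounted ro), "WRITABLE" (mounted rw), "MISSING" (no mount).
    """
    by_path = {m.mount_point: m for m in mounts}
    findings = {}
    for path in expected_read_only:
        m = by_path.get(path)
        if m is None:
            findings[path] = "MISSING"
        else:
            findings[path] = "ok" if m.read_only else "WRITABLE"
    return findings


# Constructed sample (not captured from a real system): three host shares,
# two of them mounted rw although the operator declared them read-only.
SAMPLE_MOUNTINFO = """\
22 1 0:21 / / rw,relatime - ext4 /dev/vda1 rw,data=ordered
40 22 0:30 / /mnt/host-bin rw,relatime shared:1 - virtiofs host-bin rw
41 22 0:31 / /etc/config ro,relatime shared:2 - virtiofs host-config rw
42 22 0:32 / /data/my\\040share rw,nosuid - 9p hostShare rw,trans=virtio
"""

# Paths the operator expects to be read-only (assumed for this example).
EXPECTED_READ_ONLY = ["/mnt/host-bin", "/etc/config", "/data/my share", "/opt/missing"]


def main():
    findings = audit_read_only(parse_mountinfo(SAMPLE_MOUNTINFO), EXPECTED_READ_ONLY)
    for path, verdict in findings.items():
        print(f"{verdict:9s} {path}")
    return findings


if __name__ == "__main__":
    main()
```

Run it at the guest VM level, not only inside the container, because the summary describes the VM itself being able to write to shares that appeared read-only to the container. Mount flags are a necessary but not sufficient check: a mount reported as "ro" can still be backed by a writable share on the host side, so pair this audit with a write probe in a scratch directory on each expected read-only mount when validating a fix.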

Report details
  • Submitted
  • Target Location: Bitbucket Attack Scenarios listed below
  • Target category: Web App
  • VRT: Server-Side Injection > Remote Code Execution (RCE)
  • Priority: P1
  • Bug URL: Empty
  • Description:

    Hi Team,

    I have managed to overwrite the host docker binary (possibly /usr/bin/docker) from within a Kata VM. Unfortunately I had an error in my PoC which meant that I corrupted the original docker binary. I have since managed to replace the binary with a newer version of docker, so things in the Kata environment should continue to work (I hope).

    I will get a report written up today, but unfortunately I have to take a break for childcare right now. I just wanted to give you a heads up that any weirdness you see in the Kata environment is probably my fault.

    Thanks,
    Alex

Activity