CVE-2021-33635
📋 TL;DR
CVE-2021-33635 is a critical vulnerability in the iSulad container runtime: pulling a maliciously crafted container image can lead to arbitrary code execution. The flaw is triggered during the pull operation by attacker-controlled content inside the image, so no further interaction with the image is needed beyond pulling it. It affects systems running an affected version of iSulad.
💻 Affected Systems
- iSulad container runtime
📦 What is this software?
Isula by Openeuler
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with root-level code execution, allowing attackers to install persistent backdoors, exfiltrate sensitive data, or pivot to other systems.
Likely Case
Container escape leading to host system compromise, enabling attackers to access other containers, steal credentials, or deploy cryptocurrency miners.
If Mitigated
Limited impact if proper network segmentation, least privilege principles, and image signing verification are implemented.
🎯 Exploit Status
Exploitation requires the attacker to create a malicious container image and convince the target to pull it. The vulnerability is in the image processing logic during pull operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in openEuler security updates (refer to openEuler-SA-2023-1686)
Vendor Advisory: https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686
Restart Required: Yes
Instructions:
1. Update the iSulad package using your package manager (yum/dnf update iSulad).
2. Restart the iSulad service.
3. Verify that the update was successful.
🔧 Temporary Workarounds
Restrict image sources
Configure iSulad to pull images only from trusted, internal registries, with image signing verification enabled.
Configure iSulad daemon.json to restrict registries and enable content trust
Network segmentation
Isolate container runtime hosts from untrusted networks and implement strict egress filtering.
🧯 If You Can't Patch
- Implement strict image signing policies and only allow signed images from trusted sources
- Monitor and audit all image pull operations for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check the installed iSulad version and compare it against the patched versions listed in the openEuler security advisory.
Check Version:
isula version | grep -i version
Verify Fix Applied:
Verify that the installed iSulad version is the patched one, then test pulling known-safe images to confirm the runtime still operates correctly.
📡 Detection & Monitoring
Log Indicators:
- Unusual image pull operations from untrusted sources
- Failed image signature verification attempts
- Unexpected process execution following image pulls
Network Indicators:
- Connections to unknown container registries
- Unusual outbound traffic patterns after image pulls
SIEM Query:
source="iSulad" AND (event="pull" OR event="image") AND (registry="*untrusted*" OR signature="failed")
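As an added example (not part of this advisory and not iSulad's own tooling), the script below applies the same logic as the SIEM query above to iSulad-style log records. It assumes JSON-lines records with the fields named in the query; the real iSulad log format is not shown here, so the sample lines are constructed. The query's `*untrusted*` wildcard is replaced with an allow-list of trusted registries (`TRUSTED_REGISTRIES`, an assumed value), which is the form most SIEM rules take in practice.

```python
import json
from typing import Dict, List

# Assumption (not from the advisory): the registries your organisation trusts.
TRUSTED_REGISTRIES = {"registry.internal.example"}

# Constructed sample records in JSON-lines form. They only mirror the fields
# used by the advisory's SIEM query; iSulad's actual log layout may differ.
SAMPLE_LOG = """\
{"ts": "2023-06-01T10:00:00Z", "source": "iSulad", "event": "pull", "registry": "registry.internal.example", "image": "app:1.2", "signature": "ok"}
{"ts": "2023-06-01T10:05:00Z", "source": "iSulad", "event": "pull", "registry": "hub.untrusted.example", "image": "tool:latest", "signature": "ok"}
{"ts": "2023-06-01T10:06:00Z", "source": "iSulad", "event": "image", "registry": "registry.internal.example", "image": "base:3", "signature": "failed"}
{"ts": "2023-06-01T10:07:00Z", "source": "sshd", "event": "login", "registry": "", "image": "", "signature": ""}
{"ts": "2023-06-01T10:08:00Z", "source": "iSulad", "event": "start", "registry": "hub.untrusted.example", "image": "tool:latest", "signature": "ok"}
"""


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse JSON-lines log text, skipping blank or malformed lines."""
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            # A malformed line should not abort the whole scan.
            continue
    return records


def is_suspicious(rec: Dict[str, str]) -> bool:
    """Mirror of the advisory's query:
    source="iSulad" AND (event="pull" OR event="image")
    AND (registry not trusted OR signature="failed")
    """
    if rec.get("source") != "iSulad":
        return False
    if rec.get("event") not in ("pull", "image"):
        return False
    registry_untrusted = rec.get("registry", "") not in TRUSTED_REGISTRIES
    signature_failed = rec.get("signature") == "failed"
    return registry_untrusted or signature_failed


def find_suspicious(text: str) -> List[Dict[str, str]]:
    """Return every record in the log text that matches the detection rule."""
    return [rec for rec in parse_records(text) if is_suspicious(rec)]


if __name__ == "__main__":
    # Expected: the pull from hub.untrusted.example and the image event
    # whose signature check failed; the sshd and "start" records are ignored.
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["ts"], hit["event"], hit["registry"], hit["image"], hit["signature"])
```

Two of the five constructed records match: the pull from a registry outside the allow-list, and the image event whose signature verification failed. An event from another source, or a non-pull iSulad event, is ignored even when it mentions an untrusted registry, which is exactly the scope the query expresses.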
🔗 References
- https://gitee.com/src-openeuler/iSulad/pulls/600/files
- https://gitee.com/src-openeuler/iSulad/pulls/627/files
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2023-1686