CVE-2024-25621
📋 TL;DR
Containerd versions before 1.7.29, 2.0.7, 2.1.5, and 2.2.0 create critical directories with overly permissive access controls, allowing group/world read/write access. This vulnerability enables local users or processes to read, modify, or delete container runtime data. All systems running vulnerable containerd versions are affected.
💻 Affected Systems
- containerd
📦 What is this software?
Containerd by Linuxfoundation
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation to root via container escape, data exfiltration of sensitive container data, or denial of service by corrupting container runtime state.
Likely Case
Unauthorized access to container metadata, configuration files, or runtime artifacts by local users or compromised containers.
If Mitigated
Limited impact if proper access controls are enforced via workarounds or rootless mode.
🎯 Exploit Status
Exploitation requires local access to the host system but is straightforward once access is obtained.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7.29, 2.0.7, 2.1.5, 2.2.0
Vendor Advisory: https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w
Restart Required: Yes
Instructions:
1. Stop all containers and container workloads.
2. Update containerd to a patched version using the package manager (apt-get update && apt-get install containerd.io, or yum update containerd.io).
3. Restart the containerd service (systemctl restart containerd).
4. Verify the version and the directory permissions.
🔧 Temporary Workarounds
Manual Permission Correction
Manually set correct permissions on the vulnerable directories to remove group/world access.
chmod 700 /var/lib/containerd
chmod 700 /run/containerd/io.containerd.grpc.v1.cri
chmod 700 /run/containerd/io.containerd.sandbox.controller.v1.shim
Rootless Mode
Run containerd in rootless mode, which isolates the container runtime from the host system.
Follow rootless documentation at https://github.com/containerd/containerd/blob/main/docs/rootless.md
🧯 If You Can't Patch
- Implement strict access controls and monitoring on containerd directories.
- Isolate containerd hosts and limit local user access to minimum necessary.
🔍 How to Verify
Check if Vulnerable:
Check directory permissions: ls -ld /var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim (ls -ld lists the directories themselves rather than their contents; any line whose mode is wider than drwx------ indicates the vulnerable layout)
Check Version:
containerd --version
Verify Fix Applied:
Verify that the directories have 700 permissions (drwx------) and that containerd --version reports a patched release (1.7.29, 2.0.7, 2.1.5, 2.2.0 or later).
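As an added example (not part of this advisory and not containerd's own tooling), the following POSIX shell script automates the checks from the Temporary Workarounds and How to Verify sections: it tests each directory named above for any group/world permission bits and compares the running containerd version against the fixed releases listed in the Official Fix. It assumes GNU coreutils (stat -c), assumes that containerd --version prints the version as a token beginning with v and a digit (the sample output in the comments is constructed), and the CONTAINERD_DIRS and CONTAINERD_AUDIT_SKIP variables are this script's own inventions.

```shell
#!/bin/sh
# Added example (not from the advisory or the containerd project): checks a
# host for the CVE-2024-25621 conditions described above. Requires GNU stat.

# Directories named in the advisory; CONTAINERD_DIRS (this script's own
# variable) overrides the list for testing on a non-containerd machine.
CONTAINERD_DIRS="${CONTAINERD_DIRS:-/var/lib/containerd /run/containerd/io.containerd.grpc.v1.cri /run/containerd/io.containerd.sandbox.controller.v1.shim}"

# dir_mode_ok DIR: returns 0 when DIR exists and grants no group/other bits
# (mode 700 or tighter, setuid/setgid digits ignored), 1 otherwise.
dir_mode_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # stat prints an octal string such as 700, 755 or 2775; the last two
    # digits are the group and other permission bits.
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# version_patched VERSION: returns 0 when VERSION (e.g. 1.7.29 or v2.0.7) is
# at or above the fixed release for its branch (1.7.29, 2.0.7, 2.1.5, 2.2.0),
# 1 when it predates the fix. Pre-release suffixes are dropped before
# comparison, so 2.2.0-rc.1 is treated like 2.2.0.
version_patched() {
    v=${1#v}
    v=${v%%[!0-9.]*}
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    case "$major.$minor" in
        1.7) [ "$patch" -ge 29 ] ;;
        2.0) [ "$patch" -ge 7 ] ;;
        2.1) [ "$patch" -ge 5 ] ;;
        *)   # 2.2.0 and every later branch ship the fix; 1.6 and older do not.
             [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; } ;;
    esac
}

# parse_version_output TEXT: extracts the first vN.N.N token from the output
# of `containerd --version`, e.g. (constructed sample)
#   "containerd github.com/containerd/containerd v1.7.28 abc123" -> v1.7.28
parse_version_output() {
    printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^v[0-9]/) { print $i; exit } }'
}

# audit_host: prints one OK/WEAK line per check; returns 1 if anything needs action.
audit_host() {
    status=0
    for d in $CONTAINERD_DIRS; do
        if dir_mode_ok "$d"; then
            echo "OK    $d"
        else
            echo "WEAK  $d (mode $(stat -c '%a' "$d" 2>/dev/null || echo missing))"
            status=1
        fi
    done
    ver=$(parse_version_output "$(containerd --version 2>/dev/null || true)")
    if [ -z "$ver" ]; then
        echo "UNKNOWN containerd version (binary not on PATH?)"; status=1
    elif version_patched "$ver"; then
        echo "OK    containerd $ver is a fixed release"
    else
        echo "WEAK  containerd $ver predates the fix; upgrade and re-check modes"
        status=1
    fi
    return $status
}

# Run the audit when executed as a script; set CONTAINERD_AUDIT_SKIP=1 to
# only load the functions (e.g. to reuse dir_mode_ok from another script).
[ -n "${CONTAINERD_AUDIT_SKIP:-}" ] || audit_host
```

The exit status of audit_host makes the script usable from cron or a configuration-management check: 0 means every directory is 700 or tighter and the version is fixed, anything else means the chmod workaround or the upgrade is still outstanding.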
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to containerd directories in audit logs
- Permission changes on containerd directories
Network Indicators:
- None - this is a local filesystem vulnerability
SIEM Query:
source="audit.log" AND (path="/var/lib/containerd/*" OR path="/run/containerd/*") AND (action="read" OR action="write" OR action="delete")
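The SIEM query above is written in a generic pseudo-syntax. As an added example (not from the advisory or the containerd project) of what feeds such a query on a Linux host, the script below prints the auditd watch rules for the two directory trees named in the query and parses the resulting audit.log records, joining each SYSCALL record tagged with the containerd_dirs key to the PATH records of the same event so the output reads "who touched what". It assumes Linux auditd and POSIX awk; the key name containerd_dirs and the log lines in SAMPLE_AUDIT_LOG are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the advisory or the containerd project): an auditd
# watch on the containerd directories plus a parser for the resulting records.
# Assumes Linux auditd and POSIX awk; SAMPLE_AUDIT_LOG is constructed, not real.

# Rules to place in /etc/audit/rules.d/containerd.rules, then: augenrules --load
# -p wa records writes and attribute changes (chmod/chown/delete); adding r
# would log every read and is usually far too noisy on a container host.
containerd_audit_rules() {
    cat <<'EOF'
-w /var/lib/containerd -p wa -k containerd_dirs
-w /run/containerd -p wa -k containerd_dirs
EOF
}

# Reads audit.log records from stdin (or from the files given as arguments).
# A SYSCALL record with key="containerd_dirs" is remembered by event id; each
# following non-parent PATH record of that event prints one report line.
containerd_audit_report() {
    awk '
    {
        # Every record is a sequence of key=value tokens; quotes are stripped.
        n = split($0, tok, " ")
        split("", kv)
        for (i = 1; i <= n; i++) {
            eq = index(tok[i], "=")
            if (eq == 0) continue
            val = substr(tok[i], eq + 1)
            gsub(/"/, "", val)
            kv[substr(tok[i], 1, eq - 1)] = val
        }
        # msg=audit(1717171717.100:901): carries the event id 1717171717.100:901
        id = kv["msg"]
        sub(/^audit\(/, "", id)
        sub(/\):$/, "", id)
        if (kv["type"] == "SYSCALL" && kv["key"] == "containerd_dirs") {
            who[id] = "uid=" kv["uid"] " comm=" kv["comm"] " success=" kv["success"]
        } else if (kv["type"] == "PATH" && (id in who) && kv["nametype"] != "PARENT") {
            print "event=" id " " who[id] " path=" kv["name"]
        }
    }' "$@"
}

# Constructed sample: a write to the containerd metadata database by uid 1000
# (tagged with the key) followed by an unrelated sshd_config event that must
# be ignored because it carries a different key.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1717171717.100:901): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 euid=1000 comm="python3" exe="/usr/bin/python3.11" key="containerd_dirs"
type=PATH msg=audit(1717171717.100:901): item=0 name="/var/lib/containerd/io.containerd.metadata.v1.bolt" inode=1001 mode=040700 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1717171717.100:901): item=1 name="/var/lib/containerd/io.containerd.metadata.v1.bolt/meta.db" inode=1002 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1717171717.200:902): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1 pid=5 auid=4294967295 uid=0 gid=0 euid=0 comm="sshd" exe="/usr/sbin/sshd" key="sshd_config"
type=PATH msg=audit(1717171717.200:902): item=0 name="/etc/ssh/sshd_config" inode=2001 mode=0100600 ouid=0 ogid=0 nametype=NORMAL'

# demo_report: runs the parser over the constructed sample and prints the result.
demo_report() {
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | containerd_audit_report
}

demo_report
```

On a real host the same function is run as `containerd_audit_report /var/log/audit/audit.log`; the resulting lines (uid, command, success flag, path) are what the SIEM query's path and action conditions select, and a non-root uid touching files under /var/lib/containerd is the indicator the Log Indicators list describes.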