CVE-2024-9341
📋 TL;DR
This vulnerability in the containers/common Go library allows attackers to exploit symbolic links when FIPS mode is enabled, potentially mounting sensitive host directories inside containers. This bypasses container isolation and could allow access to critical host files. Affected systems are those running container runtimes built on this library with FIPS mode enabled.
💻 Affected Systems
- container runtimes using containers/common library (Podman, CRI-O, Buildah)
- Red Hat Enterprise Linux
- Fedora
- CentOS Stream
📦 What is this software?
Common by Containers
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain read/write access to sensitive host files like /etc/passwd, /etc/shadow, or Kubernetes secrets, potentially leading to full host compromise.
Likely Case
Attackers access container host files they shouldn't have access to, potentially stealing credentials, configuration files, or sensitive data.
If Mitigated
With proper container security policies and host hardening, impact is limited to specific mounted directories rather than full host access.
🎯 Exploit Status
Requires attacker to have some level of container access and ability to create/manipulate symbolic links. FIPS mode must be enabled.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: containers/common v0.58.2 or later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:10147
Restart Required: Yes
Instructions:
1. Update the containers/common package to v0.58.2 or later.
2. Update the container runtime (Podman/CRI-O) to versions containing the fix.
3. Restart container runtime services.
4. Rebuild any affected containers.
🔧 Temporary Workarounds
Disable FIPS mode
Temporarily disable FIPS mode if it is not required for compliance:
fips-mode-setup --disable
systemctl reboot
Restrict container capabilities
Remove CAP_SYS_ADMIN and other unnecessary capabilities from containers:
podman run --cap-drop=ALL --cap-add=...
docker run --cap-drop=ALL --cap-add=...
🧯 If You Can't Patch
- Implement strict container security policies using SELinux/AppArmor
- Monitor for suspicious container activities and file access patterns
🔍 How to Verify
Check if Vulnerable:
Check whether FIPS mode is enabled ('fips-mode-setup --check') and check the installed containers/common version ('rpm -q containers-common').
Check Version:
rpm -q containers-common && fips-mode-setup --check
Verify Fix Applied:
Verify that the containers/common version is v0.58.2 or later, e.g. 'rpm -q containers-common | grep 0.58.2' (note that this exact-string match only recognises v0.58.2 itself, not later fixed versions, so compare the version rather than grepping for one string).
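The following is an added example, not part of the advisory: it combines the two conditions this page names (FIPS mode enabled and containers/common below v0.58.2) into a single check, using a proper version comparison instead of an exact-string grep. It assumes GNU 'sort -V' is available and that the version string is a dotted numeral; the rpm query format and the mapping of the distribution package version to the upstream library version are assumptions that may need adjusting per vendor advisory.

```shell
#!/bin/sh
# Fixed version as stated on this page.
FIXED_VERSION="0.58.2"

# Returns 0 (true) when version $1 is at or above FIXED_VERSION.
# A leading "v" is stripped; an empty/unknown version is treated as not fixed.
is_fixed_version() {
    v=$(printf '%s' "$1" | sed 's/^v//')
    [ -n "$v" ] || return 1
    # sort -V orders per numeric component, so 0.58.10 sorts after 0.58.2.
    # If the fixed version is the lowest of the pair, $v is at least the fix.
    lowest=$(printf '%s\n%s\n' "$FIXED_VERSION" "$v" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# Both conditions from the advisory must hold for the host to be exposed:
# $1 = FIPS state ("enabled"/"disabled"), $2 = containers/common version.
is_vulnerable() {
    [ "$1" = "enabled" ] && ! is_fixed_version "$2"
}

# Live check on a RHEL-family host. The two commands are the ones named on
# this page; parsing rpm's %{VERSION} as the upstream version is an assumption
# (distribution packages may carry their own version scheme).
check_host() {
    if fips-mode-setup --check 2>/dev/null | grep -q 'is enabled'; then
        fips=enabled
    else
        fips=disabled
    fi
    ver=$(rpm -q --qf '%{VERSION}\n' containers-common 2>/dev/null)
    if is_vulnerable "$fips" "$ver"; then
        echo "VULNERABLE: FIPS $fips, containers-common ${ver:-unknown} < $FIXED_VERSION"
        return 1
    fi
    echo "not affected: FIPS $fips, containers-common ${ver:-unknown}"
}
```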
📡 Detection & Monitoring
Log Indicators:
- Unusual container mount operations
- Access to host paths from containers
- Symbolic link creation in container volumes
Network Indicators:
- N/A - Local vulnerability
SIEM Query:
container.runtime:* AND (event.action:"mount" OR event.action:"symlink") AND host.path:"/etc/*"
🔗 References
- https://access.redhat.com/errata/RHSA-2024:10147
- https://access.redhat.com/errata/RHSA-2024:10818
- https://access.redhat.com/errata/RHSA-2024:7925
- https://access.redhat.com/errata/RHSA-2024:8039
- https://access.redhat.com/errata/RHSA-2024:8112
- https://access.redhat.com/errata/RHSA-2024:8238
- https://access.redhat.com/errata/RHSA-2024:8263
- https://access.redhat.com/errata/RHSA-2024:8428
- https://access.redhat.com/errata/RHSA-2024:8690
- https://access.redhat.com/errata/RHSA-2024:8694
- https://access.redhat.com/errata/RHSA-2024:8846
- https://access.redhat.com/errata/RHSA-2024:9454
- https://access.redhat.com/errata/RHSA-2024:9459
- https://access.redhat.com/security/cve/CVE-2024-9341
- https://bugzilla.redhat.com/show_bug.cgi?id=2315691
- https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L169
- https://github.com/containers/common/blob/384f77532f67afc8a73d8e0c4adb0d195df57714/pkg/subscriptions/subscriptions.go#L349