CVE-2024-9407
📋 TL;DR
This vulnerability in Docker's RUN --mount instruction allows attackers to bypass input validation and mount arbitrary host directories into containers during build processes. It affects users building Docker images with untrusted Dockerfiles, potentially exposing sensitive host files. Even SELinux protections can be circumvented through directory relabeling.
💻 Affected Systems
- Docker Engine
- Docker BuildKit
- Red Hat Enterprise Linux
- Fedora
- CentOS Stream
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain read/write access to sensitive host directories (like /etc, /home, or SSH keys), leading to full host compromise, credential theft, or data exfiltration.
Likely Case
Unauthorized access to host files during container builds, potentially exposing configuration files, secrets, or application data.
If Mitigated
Limited impact with proper build environment isolation, trusted Dockerfiles only, and restricted build privileges.
🎯 Exploit Status
Exploitation requires ability to execute Docker builds with malicious Dockerfile content.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check Red Hat advisories RHSA-2024:10147, RHSA-2024:8846, RHSA-2024:9051, RHSA-2024:9454, RHSA-2024:9459 for specific versions.
Vendor Advisory: https://access.redhat.com/errata/RHSA-2024:10147
Restart Required: Yes
Instructions:
1. Update Docker Engine to the patched version.
2. Update BuildKit if it is installed separately.
3. Restart the Docker service.
4. On Red Hat systems, apply the relevant errata via 'yum update' or 'dnf update'.
🔧 Temporary Workarounds
Disable bind-propagation in Docker builds (platform: linux)
Avoid using RUN --mount with the bind-propagation option in Dockerfiles.
# Review Dockerfiles and remove or modify RUN --mount instructions with bind-propagation
Use trusted Dockerfiles only (platform: all)
Restrict Docker builds to verified, trusted Dockerfile sources.
# Implement source control and code review for Dockerfiles
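A defender-side check for the Dockerfile review described above, added here as an example (it is not code from the advisory or from Docker): it merges backslash line continuations, extracts every --mount flag on a RUN instruction, and reports those that set bind-propagation. The sample Dockerfile is constructed for illustration.

```python
import re
from typing import Dict, Iterator, List, Tuple

# Constructed sample (not from the advisory): one cache mount without
# bind-propagation, one bind mount with it, and a RUN split over lines.
SAMPLE_DOCKERFILE = """\
FROM alpine:3.20
RUN --mount=type=cache,target=/root/.cache apk add --no-cache curl
RUN --mount=type=bind,source=.,target=/src,bind-propagation=rshared \\
    cp /src/app /usr/local/bin/app
RUN --mount=type=bind,from=build,source=/out,target=/out \\
    --mount=type=bind,source=/etc,target=/host-etc,bind-propagation=shared \\
    ls /out
"""

Finding = Tuple[int, Dict[str, str]]  # (line of the RUN, parsed mount options)

def _logical_lines(text: str) -> Iterator[Tuple[int, str]]:
    """Yield (first_line_no, line) with backslash continuations joined."""
    buf: List[str] = []
    start = None
    for idx, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if start is None:
            if not line.strip() or line.lstrip().startswith("#"):
                continue  # blank or comment outside a continuation
            start = idx
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # dangling continuation at end of file
        yield start, " ".join(buf)

def find_bind_propagation_mounts(text: str) -> List[Finding]:
    """Return every RUN --mount whose options include bind-propagation."""
    findings: List[Finding] = []
    for line_no, logical in _logical_lines(text):
        if not re.match(r"\s*RUN\b", logical, re.IGNORECASE):
            continue
        for spec in re.findall(r"--mount=(\S+)", logical):
            spec = spec.strip("\"'")  # tolerate quoted mount specs
            opts = dict(kv.split("=", 1) if "=" in kv else (kv, "")
                        for kv in spec.split(","))
            if "bind-propagation" in opts:
                findings.append((line_no, opts))
    return findings

if __name__ == "__main__":
    for line_no, opts in find_bind_propagation_mounts(SAMPLE_DOCKERFILE):
        print(f"line {line_no}: source={opts.get('source', '')} "
              f"bind-propagation={opts['bind-propagation']}")
```

Run it over each Dockerfile in a repository (or in a pre-commit hook) and treat any finding as a review item; the reported line is that of the RUN instruction, even when the flag sits on a continuation line.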
🧯 If You Can't Patch
- Isolate Docker build environments from sensitive host directories using namespaces or virtual machines.
- Implement strict access controls and audit logs for Docker build processes to detect malicious activity.
🔍 How to Verify
Check if Vulnerable:
Check the Docker version and whether any Dockerfiles use RUN --mount with the bind-propagation option. Review the Red Hat advisories for the specific affected versions.
Check Version:
docker version
Verify Fix Applied:
Confirm that the Docker version is the patched release and that builds of previously vulnerable Dockerfiles no longer allow unauthorized mounts.
📡 Detection & Monitoring
Log Indicators:
- Unusual mount operations in Docker build logs, especially with bind-propagation to sensitive paths.
Network Indicators:
- None; this is a local build-time vulnerability.
SIEM Query:
Search Docker build logs for 'RUN --mount' instructions whose source directories are sensitive host paths such as /etc, /home, or /root.
🔗 References
- https://access.redhat.com/errata/RHSA-2024:10147
- https://access.redhat.com/errata/RHSA-2024:8846
- https://access.redhat.com/errata/RHSA-2024:9051
- https://access.redhat.com/errata/RHSA-2024:9454
- https://access.redhat.com/errata/RHSA-2024:9459
- https://access.redhat.com/errata/RHSA-2024:9926
- https://access.redhat.com/security/cve/CVE-2024-9407
- https://bugzilla.redhat.com/show_bug.cgi?id=2315887
- https://security.netapp.com/advisory/ntap-20241220-0010/