CRI-O Vulnerability: Restore Archive Attack
CVE-2024-8676
Key Information:
- Vendor: CRI-O
- CVE Published: 26 November 2024
Summary
CRI-O mishandles the restoration of container checkpoint archives. During a restore, CRI-O gives mounts recorded in the restore archive precedence over the mounts declared in the pod specification. As a result, a malicious user with access to the kubelet or CRI-O socket can call the restore endpoint and restore a pod with host mounts they are not authorized to request, bypassing the validations that would ordinarily prevent this. Organizations using CRI-O should review their configurations and access controls to mitigate the risk associated with this vulnerability.
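The comparison the summary implies, as an added Go example (not CRI-O's code or its fix): it reports host-backed mounts recorded in a checkpoint archive that have no counterpart among the mounts derived from the pod specification. The `Mount` type, the function names and the sample paths are assumptions for illustration, and both mount lists are assumed to be already parsed into OCI runtime-spec style entries.

```go
package main

import (
	"fmt"
	"path"
)

// Mount holds the OCI runtime-spec mount fields relevant to this check.
type Mount struct {
	Source, Destination, Type string
	Options                   []string
}

// hostBacked reports whether a mount exposes a host path (bind or rbind).
func hostBacked(m Mount) bool {
	for _, o := range append([]string{m.Type}, m.Options...) {
		if o == "bind" || o == "rbind" {
			return true
		}
	}
	return false
}

// key compares cleaned paths, so "/var/lib/app/" and "/var/lib/app" match.
func key(m Mount) string {
	return path.Clean(m.Source) + "\x00" + path.Clean(m.Destination)
}

// UndeclaredHostMounts returns host-backed archive mounts that have no
// matching source/destination pair among the pod specification's mounts.
func UndeclaredHostMounts(archive, podSpec []Mount) []Mount {
	declared := make(map[string]bool, len(podSpec))
	for _, m := range podSpec {
		declared[key(m)] = true
	}
	var extra []Mount
	for _, m := range archive {
		if hostBacked(m) && !declared[key(m)] {
			extra = append(extra, m)
		}
	}
	return extra
}

func main() { // constructed sample data, not taken from a real archive
	spec := []Mount{{Source: "/var/lib/app", Destination: "/data", Type: "bind"}}
	arch := []Mount{{Source: "/var/lib/app/", Destination: "/data", Type: "bind"},
		{Source: "/", Destination: "/host", Options: []string{"rbind"}}}
	fmt.Println(UndeclaredHostMounts(arch, spec))
}
```

A non-empty result means the archive asks for host paths the pod specification never declared, which is the condition a restore should refuse.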