GHSA-rh99-wc69-c255: Contras Affected by CopyFile Policy Subversion via Symlinks
The Kata agent policies generated by the Contrast CLI had an issue in the CopyFile verification, which allowed arbitrary writes to the guest root filesytem. A malicious process on the host with the capability to connect to the Kata agent VSOCK could connect to the agent and issue a series of CopyFile requests to overwrite security-critical files or trick the workload into disclosing sensitive data, which effectively amounts to a full guest takeover.
References
- gist.github.com/burgerdev/304dd0ab0fff1665b7c27e18a30cf96e
- github.com/advisories/GHSA-rh99-wc69-c255
- github.com/edgelesssys/contrast
- github.com/edgelesssys/contrast/releases/tag/v1.19.1
- github.com/edgelesssys/contrast/security/advisories/GHSA-rh99-wc69-c255
- github.com/kata-containers/kata-containers/security/advisories/GHSA-q49m-57vm-c8cc
Code Behaviors & Features
Detect and mitigate GHSA-rh99-wc69-c255 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →