Kata Container has CopyFile Policy Subversion via Symlinks

説明

Summary

An oversight in the CopyFile policy (and perhaps the CopyFile handler) allows untrusted hosts to write to arbitrary locations inside the guest workload image. This can be used to overwrite binaries inside the guest and exfiltrate data from containers; even those running inside CVMs.

Details

Here is the policy that covers CopyFile requests.

CopyFileRequest if {
    print("CopyFileRequest: input.path =", input.path)

    check_directory_traversal(input.path)

    some regex1 in policy_data.request_defaults.CopyFileRequest
    regex2 := replace(regex1, "$(sfprefix)", policy_data.common.sfprefix)
    regex3 := replace(regex2, "$(cpath)", policy_data.common.cpath)
    regex4 := replace(regex3, "$(bundle-id)", "[a-z0-9]{64}")
    print("CopyFileRequest: regex4 =", regex4)

    regex.match(regex4, input.path)

    print("CopyFileRequest: true")
}

This checks that files are being copied to policy_data.common.cpath, which is typically set to /run/kata-containers/shared/containers. In other words, you're allowed to copy files to anywhere inside the shared dir.

For reference, here is the CopyFile message. Note that none of the other fields are check in the policy.

message CopyFileRequest {
    // Path is the destination file in the guest. It must be absolute,
    // canonical and below /run.
    string path = 1;
    // FileSize is the expected file size, for security reasons write operations
    // are made in a temporary file, once it has the expected size, it's moved
    // to the destination path.
    int64 file_size = 2;
    // FileMode is the file mode.
    uint32 file_mode = 3;
    // DirMode is the mode for the parent directories of destination path.
    uint32 dir_mode = 4;
    // Uid is the numeric user id.
    int32 uid = 5;
    // Gid is the numeric group id.
    int32 gid = 6;
    // Offset for the next write operation.
    int64 offset = 7;
    // Data to write in the destination file.
    bytes data = 8;
}

In addition to copying files directly, the Kata Agent supports creating symlinks via the CopyFile API. In this case the path is the symlink name and the data field contains the symlink target. Given that the policy only checks the path, an attacker can craft a CopyFile request that results in a symlink going from any location into the shared dir.

PoC

The above primitive can be used to to write arbitrary data into container images (pulled in the guest or otherwise). A couple steps are required.

First, identify some target path in the guest image. This could be a binary that will be called by the workload. You could also experiment with overwriting other stuff.

Create a symlink from this binary to the shared dir. The path/link name should be in the shared dir and the data/target should point to the path of the target file inside the container image in the guest fs.

Create a second CopyFile request to copy your data from the host into the symlink you just created in the shared dir. This will then be propagated into the image. You may want to restart the container to ensure that your new binary is invoked.

Impact

Anyone who is using the upstream genpolicy implementation and expects it to prevent host access to container images is vulnerable This includes Confidential Containers workloads where the trust model explicitly forbids this type of access. If you have your own policy implementation you may or may not be vulnerable. If you do not care about protecting the image from the host (e.g. you are using unprotected host pull), you are not vulnerable.

This was individually discovered and reported by

  • @calonso-nv
  • @fikriwahab
  • @kodareef5

基本情報

タイプ
reviewed
深刻度
high
GitHub 上のアドバイザリ
アドバイザリを開く ↗
リポジトリのアドバイザリ
リポジトリのアドバイザリを開く ↗
ソースコード
ソースを見る ↗
公開(アドバイザリ)
2026-05-04 19:32:20 UTC
更新
2026-05-14 20:49:52 UTC
GitHub レビュー済み
2026-05-04 19:32:20 UTC
NVD で公開
2026-04-24

EPSS Score

Score Percentile
0.04% 12.24%

CVSS Scores

Base score Version Severity Vector
8.2 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N クリックして展開
攻撃ベクター (AV:N)
インターネットなど、ルーティングされたネットワーク越しに遠隔から悪用しうる。端末の前にいる必要はない。
攻撃の複雑さ (AC:L)
攻撃者が条件を満たせば、レース条件や珍しい構成に依存せずに再現しやすい。
必要な権限 (PR:N)
事前のログインや昇格は不要で、匿名アクセスのまま踏み台にしうる。
ユーザーの関与 (UI:N)
メールのリンクを開く、マクロを有効にするなど、被害者の協力がなくても成立しうる。
スコープ (S:U)
影響は脆弱コンポーネントと同一のセキュリティ権限・信頼境界の内側に収まる。
機密性への影響 (C:H)
広範な機微データの読み取りや持ち出しが現実的。
完全性への影響 (I:L)
レコードの一部書き換えや設定の歪みなど、限定的だが検知・復旧が必要な水準。
可用性への影響 (A:N)
業務継続に支障が出るレベルの停止や劣化は想定されない。
8.2 4.0
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:N/SA:N クリックして展開
攻撃ベクター (AV:L)
対象ホスト上でコードを走らせる、またはローカル権限が前提。
攻撃の複雑さ (AC:L)
手順が短く、再現性が高い。
攻撃要件 (AT:N)
到達性以外に、追加のインフラ条件やデータ前提は要らない。
必要な権限 (PR:N)
昇格やログインなしで踏み台にしうる。
ユーザーの関与 (UI:N)
被害者の操作なしでも攻撃が完結しうる。
脆弱システムの機密性への影響 (VC:N)
脆弱な対象から機微情報が読まれうる余地はほとんどない。
脆弱システムの完全性への影響 (VI:H)
監査ログの改竄や広範なデータ偽装など、信頼根拠を崩す水準。
脆弱システムの可用性への影響 (VA:N)
業務を止めるほどの停止や劣化は想定しにくい。
後続システムの機密性への影響 (SC:H)
下流に広がる機微情報の窃取や長期滞留が現実的。
後続システムの完全性への影響 (SI:N)
下流の記録や設定が歪められる局面はほとんど想定されない。
後続システムの可用性への影響 (SA:N)
下流サービスが止まるほどの影響は想定しにくい。

Identifiers

CWEs

CWE id Name
CWE-61 UNIX Symbolic Link (Symlink) Following

Credits

  • fitzthum (reporter)
  • calonso-nv (finder)
  • fikriwahab (finder)
  • burgerdev (remediation_developer)
  • danmihai1 (remediation_reviewer)
  • jojimt (remediation_reviewer)
  • fidencio (remediation_reviewer)
  • kodareef5 (finder)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
go github.com/kata-containers/kata-containers < 0.0.0-20260422180503-1b9e49eb2763 0.0.0-20260422180503-1b9e49eb2763

References

cvelogic Threat Intelligence