cbcvebase.
CVE-2024-23653
published 2024-01-31


Priority: P2 59 · critical · CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.98% (85.6th percentile)
BuildKit is a toolkit for converting source code to build artifacts in an efficient, expressive and repeatable manner. In addition to running containers as build steps, BuildKit also provides APIs for running interactive containers based on built images. It was possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is enabled both by the buildkitd configuration and allowed by the user initializing the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.

Affected

23 ranges

Vendor | Product | Version range | Fixed in
github.com | moby_buildkit | >= 0 < 0.12.5 | 0.12.5
moby | buildkit | < 0.12.5 | 0.12.5
mobyproject | buildkit | < 0.12.5 | 0.12.5
msrc | azl3_docker-buildx_0.12.1-1_on_azure_linux_3.0 | |
msrc | azl3_docker-buildx_0.14.0-1_on_azure_linux_3.0 | |
msrc | azl3_docker-compose_2.24.6-2_on_azure_linux_3.0 | |
msrc | azl3_docker-compose_2.27.0-1_on_azure_linux_3.0 | |
msrc | azl3_moby-engine_20.10.25-3_on_azure_linux_3.0 | |
msrc | azl3_moby-engine_25.0.3-1_on_azure_linux_3.0 | |
msrc | azure_linux_3.0_arm | |
msrc | azure_linux_3.0_x64 | |
msrc | cbl2_moby-buildx_0.7.1-18_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-buildx_0.7.1-24_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-cli_20.10.27-3_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-cli_20.10.27-5_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-compose_2.17.2-7_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-compose_2.17.3-10_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-engine_20.10.27-3_on_cbl_mariner_2.0 | |
msrc | cbl2_moby-engine_24.0.9-16_on_cbl_mariner_2.0 | |
msrc | cbl_mariner_2.0_arm | |
msrc | cbl_mariner_2.0_x64 | |
paloalto | cortex_xsoar | |
paloalto | prisma_cloud | |

Detection & IOCs (extracted from sources)

Sources:
  • https://snyk.io/blog/cve-2024-23653-buildkit-grpc-securitymode-privilege-check/
  • https://github.com/moby/buildkit/security/advisories/GHSA-wr6v-9f75-vh2g
  • https://github.com/moby/buildkit/pull/4602
  • CVE-2024-23653 is exploitable via a missing privilege check in a GRPC endpoint when called using a custom syntax format — monitor for unexpected GRPC calls to BuildKit's interactive containers API that request elevated/insecure entitlements without the security.insecure entitlement being explicitly enabled.
  • Exploitation requires a malicious Dockerfile or upstream image (e.g., a malicious FROM image) — alert on container image builds that use untrusted or externally sourced BuildKit frontends or base images.
  • The vulnerability affects Docker BuildKit <= v0.12.4 — detect vulnerable versions of buildkitd/moby-buildkit in the environment and flag any instance not yet patched to v0.12.5.
  • Privilege escalation via BuildKit interactive containers API: watch for containers spawned during a build step that acquire full Linux capabilities or host root execution, which is the post-exploitation indicator for this CVE.
  • CVE-2024-23653 arises from inadequate privilege checks in BuildKit's GRPC interface — monitor buildkitd GRPC traffic for requests invoking interactive container APIs with SecurityMode set to privileged/insecure without a corresponding entitlement grant.
  • Exploitation requires the attacker to trick a user or process into processing a malicious BuildKit frontend — the vulnerability is NOT exploitable by arbitrary code execution in a running container alone; the image, Dockerfile, or BuildKit frontend must be specially crafted.
  • The security.insecure entitlement must NOT be enabled in buildkitd configuration as a hardening measure; if it is already enabled by policy, the normal guard against this attack is absent.
  • Risk is primarily to container build systems, not arbitrary running containers — prioritize patching build pipeline runners and CI/CD hosts over general-purpose container hosts.
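The third bullet above asks for an inventory check of buildkitd versions against the fixed release. The following is an added example, not code from the advisory, the linked sources or the BuildKit project. It assumes the first line of `buildkitd --version` output contains a `vX.Y.Z` token (the line format used in the constructed sample is an assumption), parses that token, and treats everything below v0.12.5, including pre-releases of 0.12.5 such as `v0.12.5-rc1`, as affected. Host names and version lines in SAMPLE_INVENTORY are constructed for the example.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed release taken from the advisory text: BuildKit v0.12.5.
FIXED_IN = (0, 12, 5)

# Matches "v0.12.4", "0.12.5" or "v0.12.5-rc1"; the pre-release tag is optional.
_VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.]+))?\b")

# (major, minor, patch, prerelease-or-None)
Version = Tuple[int, int, int, Optional[str]]


def parse_version(text: str) -> Optional[Version]:
    """Return the first x.y.z[-pre] version token found in a tool's output.

    Returns None when no version token is present (e.g. the tool is missing),
    so callers can flag the host for manual verification instead of
    silently treating it as patched.
    """
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch), pre)


def is_vulnerable(version: Version) -> bool:
    """Affected range from the advisory: every release below 0.12.5."""
    base = version[:3]
    if base < FIXED_IN:
        return True
    # A pre-release of the fixed version (v0.12.5-rc1) predates the fix itself.
    if base == FIXED_IN and version[3] is not None:
        return True
    return False


# Constructed sample inventory: host -> first line of `buildkitd --version`
# (assumed output format; real output may differ, which is why parse_version
# searches for the version token rather than splitting on a fixed layout).
SAMPLE_INVENTORY: Dict[str, str] = {
    "ci-runner-01": "buildkitd github.com/moby/buildkit v0.12.4 abcdef0",
    "ci-runner-02": "buildkitd github.com/moby/buildkit v0.12.5 1234567",
    "ci-runner-03": "buildkitd github.com/moby/buildkit v0.12.5-rc1 89abcde",
    "ci-runner-04": "buildkitd github.com/moby/buildkit v0.13.0 fedcba9",
    "ci-runner-05": "sh: buildkitd: command not found",
}


def assess(inventory: Dict[str, str]) -> Dict[str, str]:
    """Classify each host as 'vulnerable', 'patched' or 'unknown'."""
    result: Dict[str, str] = {}
    for host, line in inventory.items():
        v = parse_version(line)
        if v is None:
            result[host] = "unknown"
        elif is_vulnerable(v):
            result[host] = "vulnerable"
        else:
            result[host] = "patched"
    return result


if __name__ == "__main__":
    for host, status in sorted(assess(SAMPLE_INVENTORY).items()):
        action = " -> upgrade to v0.12.5" if status == "vulnerable" else ""
        print(f"{host}: {status}{action}")
```

Hosts where no version could be parsed are reported as "unknown" rather than "patched"; in a real run that bucket deserves the same follow-up as the vulnerable one, since it usually means the collector failed or a differently packaged BuildKit (for example the one bundled inside a Docker engine) is in use and must be checked through its own version reporting.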

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
osv | | 9.8 | CRITICAL |
vendor_msrc | | 9.8 | CRITICAL |
vendor_redhat | | 9.8 | CRITICAL |