CVE-2024-8676: Cri-o: checkpoint restore can be triggered from different namespaces

Description

A vulnerability was found in CRI-O, where it can be requested to take a checkpoint archive of a container and later be asked to restore it. When it does that restoration, it attempts to restore the mounts from the restore archive instead of the pod request. As a result, the validations run on the pod spec, verifying that the pod has access to the mounts it specifies are not applicable to a restored container. This flaw allows a malicious user to trick CRI-O into restoring a pod that doesn't have access to host mounts. The user needs access to the kubelet or cri-o socket to call the restore endpoint and trigger the restore.

Classification

CVE ID: CVE-2024-8676

Affected Products

Vendor: Red Hat

Product: Red Hat Enterprise Linux 8

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.05% (probability of being exploited)

EPSS Percentile: 17.81% (scored less or equal to compared to others)

EPSS Date: 2025-02-03 (when was this score calculated)

Timeline

2024-11-27 14:42:10 UTC
CVE

Cri-o: checkpoint restore can be triggered from different namespaces
2025-03-06 09:45:38 UTC
Tenable Plugins

Linux Distros Unpatched Vulnerability : CVE-2024-8676