CVE-2024-25621
Overly Broad Default Permission vulnerability in containerd (Go)

Weakness class: Overly Broad Default Permission | Known public exploits: none | Fix available (Resolved Security)

What is CVE-2024-25621 About?

This vulnerability is an overly broad default permission issue in containerd: the daemon created several directories it owns with modes that grant group and other users more access than intended. An unprivileged local user on the host may be able to read containerd metadata and content stores and the contents of Kubernetes local volumes; where those volumes hold setuid binaries, that access can become a privilege escalation path. Exploitation is relatively easy because it requires nothing beyond an ordinary local account on the host running containerd.

Affected Software

  • github.com/containerd/containerd
    • <1.7.29
  • github.com/containerd/containerd/v2
    • <2.0.7
    • >2.2.0-beta.0, <2.2.0
    • >2.1.0-beta.0, <2.1.5

Technical Details

The vulnerability arises because containerd created several directories it owns with default modes that grant access beyond the daemon's owner (0o711 or 0o755 rather than 0o700). On a directory, the execute bit alone (0o711) lets group and other users traverse it and open any entry whose name they know or can guess, even though they cannot list it; the read bit (0o755) additionally lets them enumerate its contents. The affected directories and the modes they were created with before the fix:
  • /var/lib/containerd, created 0o711: potentially exposes the containerd metadata and content stores to local users.
  • /run/containerd/io.containerd.grpc.v1.cri, created 0o755: exposes the contents of Kubernetes local volumes, which may contain setuid binaries and so provide a privilege escalation vector.
  • /run/containerd/io.containerd.sandbox.controller.v1.shim, created 0o711.
  • The temp directory, if a path is specified in the daemon configuration, created 0o711.
The fixed releases create these directories with 0o700, restricting them to the owner. Because the fix changes how the directories are created, verify the mode of directories that already exist on a host after upgrading rather than assuming the upgrade tightened them.
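The program below is an added example, not code from containerd or from this page. It audits a list of directories and reports any whose group or other permission bits exceed the 0o700 the fixed releases use, distinguishing directories a non-owner can merely traverse (an 'x' bit) from ones they can also list (an 'r' bit). To run offline it rebuilds the advisory's directory layout under a temporary root with the pre-fix modes; the relative paths come from the advisory, while "tmp" stands in for the operator-configured temp directory (which has no fixed path), the "-fixed" sibling is a constructed contrast case, and the function names are this example's own.

```go
package main

import (
	"fmt"
	"io/fs"
	"log"
	"os"
	"path/filepath"
)

// Relative paths of the directories named in the advisory, each with the mode
// the pre-fix releases created it with. The fixed releases create all of them
// with 0o700. "tmp" stands in for the operator-configured temp directory.
var advisoryDirs = map[string]fs.FileMode{
	"var/lib/containerd":                                      0o711,
	"run/containerd/io.containerd.grpc.v1.cri":                0o755,
	"run/containerd/io.containerd.sandbox.controller.v1.shim": 0o711,
	"tmp": 0o711,
}

// fixedMode is what the patched releases use: owner-only.
const fixedMode fs.FileMode = 0o700

// Finding records a directory whose group or other bits exceed fixedMode.
type Finding struct {
	Path     string
	Mode     fs.FileMode // permission bits only
	Traverse bool        // group/other 'x': non-owners can cross the directory and open any name inside that they know or can guess
	List     bool        // group/other 'r': non-owners can also enumerate its entries
}

// AuditDirs stats each path and reports those accessible beyond the owner.
// Paths that do not exist are skipped rather than reported.
func AuditDirs(paths []string) ([]Finding, error) {
	var findings []Finding
	for _, p := range paths {
		st, err := os.Stat(p)
		if os.IsNotExist(err) {
			continue
		}
		if err != nil {
			return nil, err
		}
		perm := st.Mode().Perm()
		if perm&0o077 == 0 {
			continue // owner-only, as in the fixed releases
		}
		findings = append(findings, Finding{
			Path:     p,
			Mode:     perm,
			Traverse: perm&0o011 != 0,
			List:     perm&0o044 != 0,
		})
	}
	return findings, nil
}

// MkdirMode creates path and then pins its mode with Chmod: MkdirAll alone
// filters the requested mode through the process umask, so the bits on disk
// could otherwise differ from what was asked for.
func MkdirMode(path string, mode fs.FileMode) error {
	if err := os.MkdirAll(path, mode); err != nil {
		return err
	}
	return os.Chmod(path, mode)
}

// BuildPreFixTree recreates the advisory's layout under root with the pre-fix
// modes, plus one owner-only directory for contrast (a constructed case), and
// returns every path it created. It exists only so the audit can run offline.
func BuildPreFixTree(root string) ([]string, error) {
	var paths []string
	for rel, mode := range advisoryDirs {
		p := filepath.Join(root, rel)
		if err := MkdirMode(p, mode); err != nil {
			return nil, err
		}
		paths = append(paths, p)
	}
	fixed := filepath.Join(root, "var/lib/containerd-fixed")
	if err := MkdirMode(fixed, fixedMode); err != nil {
		return nil, err
	}
	return append(paths, fixed), nil
}

func main() {
	root, err := os.MkdirTemp("", "containerd-perms-")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(root)

	paths, err := BuildPreFixTree(root)
	if err != nil {
		log.Fatal(err)
	}
	findings, err := AuditDirs(paths)
	if err != nil {
		log.Fatal(err)
	}
	for _, f := range findings {
		fmt.Printf("%04o traverse=%-5v list=%-5v %s\n", f.Mode, f.Traverse, f.List, f.Path)
	}
	// On a real host, audit the live directories instead, for example:
	// AuditDirs([]string{"/var/lib/containerd", "/run/containerd/io.containerd.grpc.v1.cri"})
}
```

Against the rebuilt tree the audit flags four of the five directories; only the 0o755 one is reported as listable, the 0o711 ones as traversable but not listable. Run the same AuditDirs call with the absolute host paths (and the configured temp directory) to check a live node, before and after upgrading.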

What is the Impact of CVE-2024-25621?

Successful exploitation may allow attackers to gain unauthorized access to sensitive application data, metadata, and potentially escalate privileges on the host system.

What is the Exploitability of CVE-2024-25621?

Exploitation is of low to medium complexity: it requires only an authenticated, unprivileged local account on the host where containerd is running, since the weakness is the directory modes themselves rather than any race or memory-safety condition. The attack vector is local, through the host filesystem. Likelihood is highest where several users share a host, or where users who are not meant to administer containers can nevertheless log in to the node, because any of them can probe these directories and use whatever the permissions expose.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known public exploits at the time of writing.

What are the Available Fixes for CVE-2024-25621?


Available Upgrade Options

  • github.com/containerd/containerd
    • <1.7.29 → Upgrade to 1.7.29
  • github.com/containerd/containerd/v2
    • <2.0.7 → Upgrade to 2.0.7
    • >2.1.0-beta.0, <2.1.5 → Upgrade to 2.1.5
    • >2.2.0-beta.0, <2.2.0 → Upgrade to 2.2.0


Additional Resources

What are Similar Vulnerabilities to CVE-2024-25621?

Similar Vulnerabilities: CVE-2023-38038 , CVE-2022-24765 , CVE-2020-15157 , CVE-2019-14271 , CVE-2017-1002101