Skip to content
Threat Feed
high advisory

Contrast CLI CopyFile Policy Subversion via Symlinks Allows Guest Root Filesystem Writes

A vulnerability in the CopyFile verification of Kata agent policies generated by the Contrast CLI allows arbitrary writes to the guest root filesystem, potentially leading to a full guest takeover.

A vulnerability exists in the Kata agent policies generated by the Contrast CLI (versions prior to v1.19.1). Specifically, the CopyFile verification process is flawed, enabling a malicious host process to write arbitrary data to the guest root filesystem. This attack vector leverages the Kata agent’s VSOCK interface, allowing a compromised host to connect to the agent and issue malicious CopyFile requests. The successful exploitation can overwrite critical security files or deceive the workload into divulging sensitive data. This flaw has a high impact, potentially resulting in a complete guest takeover. The issue was patched in Contrast v1.19.1.

Attack Chain

  1. A malicious process gains the capability to connect to the Kata agent VSOCK.
  2. The malicious process connects to the Kata agent via VSOCK.
  3. The attacker crafts a series of CopyFile requests.
  4. These CopyFile requests are designed to exploit the vulnerability in the Contrast CLI-generated Kata agent policies.
  5. The attacker uses the CopyFile requests to create symlinks pointing to sensitive or critical system files.
  6. The attacker then uses CopyFile requests to write arbitrary data to the targeted files via the created symlinks.
  7. Security-critical files within the guest root filesystem are overwritten or modified by the attacker.
  8. The compromised system facilitates a full guest takeover, potentially enabling further malicious activities within the containerized environment.

Impact

Successful exploitation allows a malicious host process to gain full control over the guest container. This can lead to data exfiltration, denial of service, or further lateral movement within the infrastructure. While the exact number of affected systems is not specified, any environment relying on affected Contrast CLI versions to generate Kata agent policies is potentially at risk. The impact is a full guest takeover.

Recommendation

  • Upgrade Contrast CLI to version v1.19.1 or later to remediate the vulnerability.
  • If upgrading is not immediately possible, implement the policy-only fix described in the provided resources, specifically the rego fix, and pass it to contrast generate --policy.
  • Monitor network connections to the Kata agent VSOCK for unusual or unauthorized activity, especially originating from untrusted processes.
  • Implement host-based intrusion detection systems (HIDS) to detect unauthorized file modifications within the guest root filesystem.

Detection coverage 2

Detect Contrast CLI Policy Generation with Vulnerable Versions

medium

Detects usage of the Contrast CLI binary to generate policies with versions prior to 1.19.1.

sigma tactics: privilege_escalation sources: process_creation, linux

Detect VSOCK Connection to Kata Agent from Unrecognized Process

high

Detects a connection to the Kata agent VSOCK from a process not in a known good list.

sigma tactics: persistence, privilege_escalation sources: network_connection, linux

Detection queries are kept inside the platform. Get full rules →