<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Buildkit - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/buildkit/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Thu, 25 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/buildkit/feed.xml" rel="self" type="application/rss+xml"/><item><title>BuildKit Git URL Subdir Traversal Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-buildkit-git-url-vuln/</link><pubDate>Thu, 25 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-buildkit-git-url-vuln/</guid><description>A vulnerability in BuildKit (fixed in v0.28.1) allows for potential file access outside the Git repository root due to insufficient validation of Git URL fragment subdirectories, potentially leading to privilege escalation.</description><content:encoded><![CDATA[<p>A vulnerability exists in BuildKit, a toolkit for converting source code to build artifacts, specifically in how it handles Git URLs with subpath components. This flaw, identified as CVE-2026-33748, stems from insufficient validation of the subdir component within Git URLs (e.g., <code>&lt;url&gt;#&lt;ref&gt;:&lt;subdir&gt;</code>).  An attacker can exploit this by crafting a malicious Git repository with a carefully constructed subpath that points to a symbolic link or other mechanism to access files outside of the intended Git repository root. This could lead to unauthorized access to sensitive files within the same mounted filesystem. The vulnerability affects BuildKit versions prior to v0.28.1. Defenders should prioritize updating BuildKit installations and carefully scrutinize the sources of Dockerfiles used in their build processes.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker creates a malicious Git repository containing a symbolic link within the repository.</li>
<li>The symbolic link is crafted to point outside the repository root to a sensitive file or directory on the same filesystem.</li>
<li>The attacker crafts a Dockerfile that uses a Git URL with a subpath component, pointing to the malicious repository and specifying the symbolic link as the subdirectory.</li>
<li>A BuildKit build process is initiated, using the attacker-controlled Dockerfile.</li>
<li>BuildKit fetches the Git repository.</li>
<li>Due to insufficient validation, BuildKit follows the symbolic link specified in the subpath.</li>
<li>BuildKit accesses the file or directory outside the Git repository root, as targeted by the symbolic link.</li>
<li>The attacker gains unauthorized access to sensitive files or configurations, potentially leading to privilege escalation within the build environment.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33748 can allow attackers to read arbitrary files within the same filesystem as the BuildKit process, potentially exposing sensitive information like credentials, configuration files, or source code. While the scope is limited to the same mounted filesystem, this can still provide a significant stepping stone for further attacks. The number of affected systems is potentially large, as BuildKit is a widely used component in container build processes.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade BuildKit installations to version v0.28.1 or later to patch CVE-2026-33748.</li>
<li>Implement checks to validate the source of Dockerfiles and Git repositories used in build processes. Specifically, review Git URLs for unexpected or suspicious subpath components.</li>
<li>Monitor process creation events for <code>buildkitd</code> processes accessing files outside the expected Git repository directories. Use the provided Sigma rule to detect suspicious file access.</li>
<li>Where possible, avoid using Git URLs with subpath components from untrusted sources, as recommended in the advisory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buildkit</category><category>git</category><category>directory-traversal</category><category>privilege-escalation</category></item><item><title>BuildKit Malicious Frontend File Escape Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-buildkit-file-escape/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-buildkit-file-escape/</guid><description>A malicious BuildKit frontend can craft API messages that write files outside the BuildKit state directory, leading to file escape, fixed in v0.28.1+ and requires using an untrusted frontend with `#syntax` or `--build-arg BUILDKIT_SYNTAX`.</description><content:encoded><![CDATA[<p>CVE-2026-33747 describes a file escape vulnerability in BuildKit versions prior to v0.28.1. The vulnerability stems from a malicious BuildKit frontend's ability to craft API messages that cause files to be written outside of the designated BuildKit state directory for the execution context. This issue arises when using a custom, untrusted BuildKit frontend set via either the <code>#syntax</code> directive within a Dockerfile or through the <code>--build-arg BUILDKIT_SYNTAX</code> build argument. Exploitation requires the use of an untrusted frontend, and well-known frontends like <code>docker/dockerfile</code> are not affected. Successful exploitation allows an attacker to write arbitrary files to the host system, potentially leading to privilege escalation or code execution. Defenders should ensure BuildKit is updated to v0.28.1 or later and exercise caution when using custom frontends.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker crafts a malicious BuildKit frontend.</li>
<li>The victim builds an image using BuildKit, specifying the malicious frontend via <code>#syntax</code> in the Dockerfile or <code>--build-arg BUILDKIT_SYNTAX</code>.</li>
<li>BuildKit initiates the build process, handing control to the malicious frontend.</li>
<li>The malicious frontend crafts a specific API message designed to exploit the file escape vulnerability.</li>
<li>BuildKit processes the crafted API message without proper validation of file paths.</li>
<li>The malicious frontend instructs BuildKit to write a file to a location outside of the BuildKit state directory.</li>
<li>BuildKit, lacking sufficient path sanitization, writes the file to the attacker-controlled path on the host system.</li>
<li>The attacker achieves arbitrary file write, potentially leading to code execution or privilege escalation.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-33747 allows an attacker to write arbitrary files on the host system where BuildKit is running. This can lead to a variety of consequences, including privilege escalation by overwriting system binaries, arbitrary code execution by placing malicious executables in startup directories, or data exfiltration by accessing sensitive files. The severity is high because it breaks container isolation and allows for host compromise. The number of potential victims is dependent on the adoption of BuildKit and the use of custom frontends.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade BuildKit to version v0.28.1 or later to patch CVE-2026-33747.</li>
<li>Exercise extreme caution when using custom BuildKit frontends. Avoid using untrusted frontends specified via <code>#syntax</code> or <code>--build-arg BUILDKIT_SYNTAX</code>.</li>
<li>Implement the provided Sigma rule <code>Detect Suspicious BuildKit Frontend Usage</code> to detect the usage of custom frontends.</li>
<li>Implement the provided Sigma rule <code>Detect BuildKit File Creation Outside State Directory</code> to detect file creation events.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buildkit</category><category>file-escape</category><category>privilege-escalation</category><category>cve-2026-33747</category></item></channel></rss>