Security Vulnerability Report
CVE-2024-25621 CVSS 7.3 HIGH

Published: 2025-11-06 19:15:40
Last Modified: 2025-12-31 02:29:30

Description

containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. The directories `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect (group- or world-accessible) permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds are for a system administrator to manually chmod the directories on the host so that they are not group- or world-accessible, or to run containerd in rootless mode.

CVSS Details

CVSS Score
7.3 (Secondary metric in the raw JSON below; the Primary metric scores the same issue 7.8)
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H (Secondary, 7.3)
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Primary, 7.8)
The two vectors differ only in User Interaction (Required versus None): both describe a local, low-privilege attack with high confidentiality, integrity and availability impact and no scope change.
Weakness
CWE-279 (Incorrect Execution-Assigned Permissions)

Configurations (Affected Products)

cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* - versions before 1.7.29 - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* - 2.0.0 up to (excluding) 2.0.7 - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:* - 2.1.0 up to (excluding) 2.1.5 - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1:*:*:*:*:*:* - VULNERABLE

Summary of affected version ranges:
containerd 0.1.0 - 1.7.28 (fixed in 1.7.29)
containerd 2.0.0-beta.0 - 2.0.6 (fixed in 2.0.7)
containerd 2.1.0-beta.0 - 2.1.4 (fixed in 2.1.5)
containerd 2.2.0-beta.0 - 2.2.0-rc.1 (fixed in 2.2.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```bash
#!/bin/bash
# CVE-2024-25621 PoC - containerd Permission Vulnerability
# Check whether the containerd directories named in the advisory are
# group- or world-accessible. Run as root (or via sudo) so that every
# path can be stat'ed and listed.

echo "[*] Checking containerd directory permissions..."
echo "[*] Target: CVE-2024-25621 - containerd Default Permission Vulnerability"
echo ""

# Affected paths
PATHS=(
    "/var/lib/containerd"
    "/run/containerd/io.containerd.grpc.v1.cri"
    "/run/containerd/io.containerd.sandbox.controller.v1.shim"
)
VULNERABLE=false

for path in "${PATHS[@]}"; do
    if [ -d "$path" ]; then
        echo "[+] Found directory: $path"
        # stat %a prints four digits when setuid/setgid/sticky are set, so keep
        # only the last three (owner, group, other).
        perms=$(stat -c '%a' "$path" 2>/dev/null)
        perms=${perms: -3}
        echo "    Permissions: $perms"

        # Octal digit bits: 4 = read, 2 = write, 1 = execute/search.
        # Test the bits instead of comparing the digit numerically; otherwise
        # a group digit of 5 (r-x) would be reported as writable.
        group_bits=${perms:1:1}
        other_bits=${perms:2:1}
        if (( (group_bits & 2) || (other_bits & 2) )); then
            echo "    [!] VULNERABLE: Group or others have write access"
            VULNERABLE=true
        elif (( (group_bits & 4) || (other_bits & 4) )); then
            echo "    [!] WARNING: Group or others have read access"
        elif (( (group_bits & 1) || (other_bits & 1) )); then
            echo "    [!] WARNING: Group or others can traverse this directory"
        fi

        # Check ownership and list contents
        owner=$(stat -c '%U:%G' "$path" 2>/dev/null)
        echo "    Owner: $owner"
        echo "    Contents:"
        ls -la "$path" 2>/dev/null | head -10
        echo ""
    else
        echo "[-] Directory not found: $path"
    fi
done

if [ "$VULNERABLE" = true ]; then
    echo "[CRITICAL] System is VULNERABLE to CVE-2024-25621"
    echo "[*] Recommendation: Upgrade containerd to version 1.7.29, 2.0.7, 2.1.5, or 2.2.0+"
    echo "[*] Workaround: chmod 700 or 750 on affected directories"
else
    echo "[+] System appears to be NOT vulnerable"
fi

echo ""
echo "[*] Checking containerd version..."
containerd --version 2>/dev/null || echo "containerd not found in PATH"
```
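The shell check above looks only at directory modes. Because four separate release lines are affected and the 2.2.0 pre-releases are affected while 2.2.0 itself is not, a version comparison needs to order `beta.N` and `rc.N` tags below the final release. The following Python audit is an added example, not code from the page or from the containerd project; it encodes the fixed versions listed in the description, checks the three advisory directories with the same "not group- or world-accessible" criterion as the workaround, and assumes that `containerd --version` prints a line of the shape `containerd github.com/containerd/containerd[/v2] vX.Y.Z[-tag.N] <commit>` (the sample output below is constructed with a fake commit hash).

```python
"""Audit a host for CVE-2024-25621: containerd version in an affected range,
and the three advisory directories group- or world-accessible."""
import os
import re
import stat
import subprocess
from typing import Dict, NamedTuple, Optional, Tuple

# Fixed versions from the advisory. Everything below each one in the same
# release line is affected; 2.2.0 itself is fixed, so only its beta/rc
# pre-releases fall in the last range.
FIXED_VERSIONS = {
    (1, 7): (1, 7, 29),
    (2, 0): (2, 0, 7),
    (2, 1): (2, 1, 5),
    (2, 2): (2, 2, 0),
}

# Directories named in the advisory.
AFFECTED_DIRS = (
    "/var/lib/containerd",
    "/run/containerd/io.containerd.grpc.v1.cri",
    "/run/containerd/io.containerd.sandbox.controller.v1.shim",
)

# Constructed sample of `containerd --version` output (assumed shape, fake commit).
SAMPLE_CLI_OUTPUT = "containerd github.com/containerd/containerd/v2 v2.1.4 0123456789abcdef"

_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)\.?(\d*))?")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    tag: str   # "" for a final release, otherwise "beta" or "rc"
    num: int   # pre-release number, 0 for a final release

    def sort_key(self):
        # A final release sorts after every pre-release of the same x.y.z
        # (flag 1 > 0). Among pre-releases "beta" < "rc" alphabetically,
        # which matches containerd's beta.N -> rc.N -> final ordering.
        final = 1 if self.tag == "" else 0
        return (self.major, self.minor, self.patch, final, self.tag, self.num)


def parse_version(text: str) -> Version:
    """Parse '1.7.28', 'v2.0.0-beta.0' or '2.2.0-rc.1' into a Version."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised containerd version: {text!r}")
    major, minor, patch, tag, num = m.groups()
    return Version(int(major), int(minor), int(patch), (tag or "").lower(), int(num or 0))


def is_affected(version_text: str) -> bool:
    """True when the version lies in one of the advisory's affected ranges."""
    v = parse_version(version_text)
    if v.major < 1 or (v.major == 1 and v.minor <= 7):
        # NVD gives no lower bound for the 1.x line (only "before 1.7.29");
        # the description starts it at 0.1.0.
        fixed = FIXED_VERSIONS[(1, 7)]
    elif (v.major, v.minor) in FIXED_VERSIONS:
        fixed = FIXED_VERSIONS[(v.major, v.minor)]
    else:
        # Release lines the advisory does not list (e.g. 2.3+) post-date the fix.
        return False
    return v.sort_key() < Version(*fixed, "", 0).sort_key()


def version_from_cli_output(output: str) -> str:
    """Extract the version token from `containerd --version` output (assumed shape)."""
    m = re.search(r"\bv(\d+\.\d+\.\d+(?:-[A-Za-z]+\.?\d*)?)", output)
    if not m:
        raise ValueError("no version token in containerd --version output")
    return m.group(1)


def exposure(st_mode: int) -> Tuple[bool, bool]:
    """(group_or_world_accessible, group_or_world_writable) for a stat st_mode.
    Any r/w/x bit for group or other counts as accessible, matching the
    advisory's 'not group or world accessible' workaround."""
    perm = stat.S_IMODE(st_mode)
    return bool(perm & 0o077), bool(perm & 0o022)


def audit_directories(paths=AFFECTED_DIRS) -> Dict[str, Optional[Tuple[bool, bool]]]:
    """Stat each advisory directory; None when it is absent or cannot be stat'ed."""
    results = {}
    for path in paths:
        try:
            results[path] = exposure(os.stat(path).st_mode)
        except OSError:
            results[path] = None
    return results


if __name__ == "__main__":
    try:
        out = subprocess.run(["containerd", "--version"], capture_output=True,
                             text=True, check=False).stdout
        ver = version_from_cli_output(out)
        print(f"containerd {ver}: {'AFFECTED' if is_affected(ver) else 'not in an affected range'}")
    except (FileNotFoundError, ValueError) as exc:
        print(f"could not determine containerd version: {exc}")
    for path, result in audit_directories().items():
        if result is None:
            print(f"{path}: not present or not readable")
            continue
        accessible, writable = result
        state = "group/world WRITABLE" if writable else ("group/world accessible" if accessible else "owner-only")
        print(f"{path}: {state}")
```

Run it as root on the host so that the `/run/containerd` subdirectories can be stat'ed. A version in an affected range is the authoritative signal; the directory check is useful after applying the chmod workaround on a version that cannot be upgraded yet.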

References

https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w (Vendor Advisory, Patch)
https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5 (Patch)
https://github.com/containerd/containerd/blob/main/docs/rootless.md (Product; rootless mode is the second workaround)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2024-25621", "sourceIdentifier": "[email protected]", "published": "2025-11-06T19:15:40.090", "lastModified": "2025-12-31T02:29:30.480", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "containerd is an open-source container runtime. Versions 0.1.0 through 1.7.28, 2.0.0-beta.0 through 2.0.6, 2.1.0-beta.0 through 2.1.4 and 2.2.0-beta.0 through 2.2.0-rc.1 have an overly broad default permission vulnerability. Directory paths `/var/lib/containerd`, `/run/containerd/io.containerd.grpc.v1.cri` and `/run/containerd/io.containerd.sandbox.controller.v1.shim` were all created with incorrect permissions. This issue is fixed in versions 1.7.29, 2.0.7, 2.1.5 and 2.2.0. Workarounds include updating system administrator permissions so the host can manually chmod the directories to not have group or world accessible permissions, or to run containerd in rootless mode."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.3, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-279"}]}], 
"configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionEndExcluding": "1.7.29", "matchCriteriaId": "DD786582-F4AE-41DD-B61F-BD8AF4FC1A04"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.0.0", "versionEndExcluding": "2.0.7", "matchCriteriaId": "07087EDC-9E6A-45D1-B6D2-E7F4016CD46E"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.1.0", "versionEndExcluding": "2.1.5", "matchCriteriaId": "9E760B42-E25C-4780-85AE-D003D6425700"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta0:*:*:*:*:*:*", "matchCriteriaId": "EEF71FE5-2286-4D94-82DD-7509CE85F1F6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta1:*:*:*:*:*:*", "matchCriteriaId": "3290FD7B-0A16-4968-9800-78B947EF213D"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:beta2:*:*:*:*:*:*", "matchCriteriaId": "E4352A29-4DFC-4EBE-BE0E-97DEB76E5A30"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc0:*:*:*:*:*:*", "matchCriteriaId": "57685264-6950-4CB9-ACBE-6944EB3B2C1C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:linuxfoundation:containerd:2.2.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "4D640701-1D0B-41B7-83B0-79592902E6AC"}]}]}], "references": [{"url": "https://github.com/containerd/containerd/blob/main/docs/rootless.md", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/containerd/containerd/commit/7c59e8e9e970d38061a77b586b23655c352bfec5", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/containerd/containerd/security/advisories/GHSA-pwhc-rpq9-4c8w", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}]}}