Comment by 6LLvveMx2koXfwn

5 days ago

Having read the CVE multiple times I am still unsure how 2. above happens? Is it possible through the malicious chart itself or is it a dependency for the CVE to be in play at all? And if the latter - what local process would write a symlink from a helm lock file to any kind of system start up script which doesn't point to a much bigger problem than this CVE?

The attacker creates a symlink (e.g., using `ln -s`) to another file. The attacker needs to create the malicious Chart.yaml file and symlink that the Chart.lock file points to.

  • If being able to create files and symlinks to them is a pre-condition for this, then it's not a serious security bug. If you have that kind of access then there are a million nefarious things you can do.

    This is almost becoming a joke at this point, "assuming an attacker has access to the system, they can change things on the system".

    • Helm is not intended to be able to write files outside of the directory you are rendering the templates to, and the directory that you have downloaded the chart to, so if there is a way to do that, it is a bug in the program and a security bug at that, particularly when the destination is controlled by someone who has written a malicious chart. That it also happens to be able to run arbitrary code makes it worse, but the primary problem is that it can write files outside of the chart directory or the directory you are rendering to at all.

      This has nothing to do with whether you are running it in sudo or whatever. (And in fact on macOS, I don't believe this requires running it with sudo permissions to overwrite ~/.zshrc, for example.)

    • I create a malicious chart or compromise one you use (with symlink to an arbitrary file and code).

      You download charts either as a tarball from a Helm repo or OCI registry with helm, and helm will create the files and links with your permissions, and send me whatever I wanted to extract from your system.

      Yes, you should check things you download from the internet. But also, that is not how a chart is supposed to work.

    • It is on the level of "sudo curl URL". It is an obviously stupid thing to do from a security perspective, but projects have suggested doing it to install their software.

      If you are new to helm or haven't considered the security around it, it is good to know what to look out for.
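
For readers who want to check a chart before letting Helm work on it, here is an added example (not code from this thread or from the Helm project) that flags a `Chart.lock`, or any other entry, that is a link instead of a regular file. The function names are hypothetical, and the sample archive and its `placeholder-target` link are constructed in memory for the demonstration.

```python
import io
import os
import posixpath
import tarfile

def audit_chart_archive(fileobj):
    """Return (member name, reason) findings for a chart .tgz, without extracting it."""
    findings = []
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for m in tar.getmembers():
            if m.issym() or m.islnk():
                findings.append((m.name, f"link -> {m.linkname}"))
            elif not (m.isfile() or m.isdir()):
                findings.append((m.name, "special file"))
            norm = posixpath.normpath(m.name)
            if posixpath.isabs(m.name) or norm == ".." or norm.startswith("../"):
                findings.append((m.name, "path escapes chart directory"))
    return findings

def audit_chart_dir(path):
    """Same check for a chart directory that is already on disk."""
    findings = []
    for root, dirs, files in os.walk(path):  # does not follow symlinks by default
        for name in dirs + files:
            full = os.path.join(root, name)
            if os.path.islink(full):
                rel = os.path.relpath(full, path)
                findings.append((rel, f"link -> {os.readlink(full)}"))
    return findings

def constructed_sample():
    """Constructed input: a chart archive whose Chart.lock is a symlink."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        data = b"apiVersion: v2\nname: demo\nversion: 0.1.0\n"
        info = tarfile.TarInfo("demo/Chart.yaml")
        info.size = len(data)
        tar.addfile(info, io.BytesIO(data))
        link = tarfile.TarInfo("demo/Chart.lock")
        link.type = tarfile.SYMTYPE
        link.linkname = "../../placeholder-target"  # constructed link target
        tar.addfile(link)
    buf.seek(0)
    return buf

if __name__ == "__main__":
    for name, reason in audit_chart_archive(constructed_sample()):
        print(f"{name}: {reason}")
```

A legitimate chart has no reason to ship `Chart.lock` as a link, so any finding on that file is worth treating as a reason not to run Helm against the chart.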