We performed a security assessment of Cloud Native Buildpacks to help improve it, in collaboration with Open Source Technology Improvement Fund, Inc.
Introduction
The Cloud Native Buildpacks (also known as CNB) project was initiated by Pivotal and Heroku in January 2018 and joined the Cloud Native Computing Foundation (a.k.a. CNCF) in October 2018. The project aims to unify the buildpack ecosystems with a well-defined platform-to-buildpack contract that incorporates lessons learned from maintaining production-grade buildpacks for years at both Pivotal and Heroku. Cloud Native Buildpacks provides a framework and runtime support for applications to be examined, configured and built appropriately in order to run on any cloud platform. The full report of our security assessment can be found on the OSTIF website. Following the audit, all important findings have been taken into account by the Cloud Native Buildpacks team.
Scope
The scope of the audit was focused on the lifecycle and the pack components. At the time of the assessment, both of them were publicly available on the Cloud Native Buildpacks GitHub repository. Quarkslab's auditors created a formal threat model in order to define the attack surface and identify threat actors with respect to the features and software architecture of the project. This model was used to enumerate the project's critical functionalities, as well as to methodically conduct the security assessment and identify vulnerabilities.
Findings
The table below summarizes the findings of the audit. A total of eight vulnerabilities were found, of which two had high severity, two had medium severity and four had low severity; two additional findings were rated as informational.
| ID | Title | Severity | Perimeter |
|---|---|---|---|
| HIGH-1 | Host compromise by overwriting trusted container images | High | Build Process |
| HIGH-2 | Cache poisoning by accessing other applications' caches | High | Build Process |
| MED-1 | Docker in-container privilege escalation | Medium | Build Process |
| MED-2 | Docker permissive inter-container connectivity | Medium | Build Process |
| LOW-1 | Denial-of-Service (DoS) provoked by a race condition | Low | Build Process |
| LOW-2 | Denial-of-Service (DoS) provoked by removing build cache tarballs or altering the OCI image manifest | Low | Build Process |
| LOW-3 | Denial-of-Service (DoS) provoked by an unbounded execution time | Low | Build Process |
| LOW-4 | Data leak by accessing other applications' caches | Low | Build Process |
| INFO-1 | Specification violation using Docker and user namespaces | Info | Build Process |
| INFO-2 | Excessive Docker container capabilities | Info | Build Process |
Conclusion
Quarkslab found several vulnerabilities during this security assessment. Most of these issues are dangerous in the context of Continuous Integration (CI) and Continuous Delivery (CD), where the CNB tool can be shared between several users and projects. Quarkslab acknowledges the substantial security efforts invested by the CNB developers. Additionally, Quarkslab offered insights and strategies to address the vulnerabilities, aiming to enhance the robustness and security of this open-source tool for the future. Overall, working with the Cloud Native Buildpacks team was a true pleasure. They were highly attentive to Quarkslab's remediation proposals and committed to enhancing the project's security.