A detailed overview of CVE-2021-33638, including its impact, technical details, and mitigation strategies.
Understanding CVE-2021-33638
CVE-2021-33638 is a vulnerability in iSulad that arises when the "isula cp" command is used to copy files from a container to the host machine.
What is CVE-2021-33638?
When an attacker controls the container from which files are being copied using the "isula cp" command, they can escape the container, potentially leading to unauthorized access and security breaches.
The Impact of CVE-2021-33638
The impact of this vulnerability is classified under CAPEC-480, which refers to escaping virtualization. It poses a high risk, with a CVSS v3.1 base score of 8.4 (High severity).
Technical Details of CVE-2021-33638
The vulnerability is associated with improper initialization (CWE-665) and affects versions of iSulad up to 2.0.8-20210518.144540.git5288ed93, 2.0.18-10, and 2.1.2.
Vulnerability Description
When an attacker controls the container from which "isula cp" copies files, they can exploit this flaw to escape the container.
Affected Systems and Versions
The vulnerability impacts iSulad versions up to 2.1.2, including specific point releases.
Exploitation Mechanism
By controlling the container during the file copy process, an attacker can gain unauthorized access to the host system.
Mitigation and Prevention
Protecting systems from CVE-2021-33638 involves immediate steps and long-term security practices.
Immediate Steps to Take
Long-Term Security Practices
Patching and Updates
Refer to official sources for patches and updates to mitigate the risk of exploitation.