CVE-2024-24557: CWE-346: Origin Validation Error in moby moby
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most importantly HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of BuildKit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. The image build API endpoint (/build) and the ImageBuild function from github.com/docker/docker/client are also affected, as they use the classic builder by default. Patches are included in the 24.0.9 and 25.0.2 releases.
AI Analysis
Technical Summary
CVE-2024-24557 is a medium-severity vulnerability affecting the Moby project, an open-source containerization platform developed by Docker. The vulnerability arises from an origin validation error in Moby's classic builder cache system, specifically when building container images FROM scratch. The core issue is cache poisoning: an attacker who knows the Dockerfile used in a build can craft a malicious image that the builder cache mistakenly accepts as a valid cache candidate for certain build steps. This works because changes to some Dockerfile instructions, notably HEALTHCHECK and ONBUILD, do not trigger a cache miss, so stale or attacker-supplied cache entries are reused.

The vulnerability affects all Moby versions prior to 24.0.9 and the 25.0.x releases before 25.0.2. Users running version 23.0 or later are only vulnerable if they have explicitly disabled BuildKit (by setting DOCKER_BUILDKIT=0), or if they use the legacy /build API endpoint or the ImageBuild function from the Docker client library, both of which default to the classic builder. The BuildKit builder, which is the default in newer versions, is not affected.

Exploitation requires local access or the ability to influence the image build process: the CVSS vector indicates a local attack vector with high attack complexity, no privileges required, and user interaction required (the victim must pull the crafted image). The impact is primarily to integrity, since poisoned cache entries can lead to execution of attacker-controlled content within containers built from that cache; confidentiality and availability impact are rated low. No known exploits are currently reported in the wild. Patches addressing this issue are included in Moby releases 24.0.9 and 25.0.2.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the integrity of containerized applications, especially in environments where container images are built frequently and from scratch. Poisoned caches could lead to deployment of compromised containers, potentially allowing attackers to execute arbitrary code within the container environment. This could lead to lateral movement within internal networks, data tampering, or disruption of services. Organizations relying on older Moby versions or those that have disabled BuildKit for compatibility reasons are particularly at risk. Given the widespread adoption of Docker and Moby in European enterprises, especially in sectors like finance, manufacturing, and critical infrastructure, the threat could impact supply chain security and operational continuity. The requirement for user interaction and local access somewhat limits remote exploitation, but insider threats or compromised developer environments could be vectors. The medium severity rating reflects the balance between impact and exploitation complexity, but the potential for integrity breaches in production environments makes it a concern for security teams.
Mitigation Recommendations
European organizations should take the following specific actions:
1) Upgrade Moby installations to version 24.0.9 or later, or 25.0.2 or later, so that the patches are applied.
2) Avoid disabling BuildKit unless absolutely necessary; if BuildKit must be disabled, implement strict access controls around the build environment and the /build API endpoint.
3) Audit and monitor usage of the ImageBuild function from the Docker client library, since it selects the classic builder by default.
4) Validate and scan container images before deployment, including verifying image provenance and integrity.
5) Educate developers and DevOps teams about the risks of cache poisoning and encourage secure Dockerfile practices, bearing in mind that changes to instructions such as HEALTHCHECK and ONBUILD do not invalidate the classic builder's cache.
6) Employ runtime security tools to detect anomalous container behavior that could indicate exploitation.
7) Restrict build environment access to trusted personnel and systems to reduce the risk of cache poisoning attempts.
8) Integrate container build processes with CI/CD pipelines that enforce security checks and use BuildKit by default.
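As an added check supporting recommendation 1 (this script is not part of the advisory or of the Moby project): a POSIX shell function that classifies a Docker Engine daemon version against the version boundaries stated above, taking the DOCKER_BUILDKIT setting into account. The status labels and the version-parsing rules are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the advisory or the Moby project: classify a Docker Engine
# (Moby) daemon version against the CVE-2024-24557 boundaries the advisory states,
# taking DOCKER_BUILDKIT into account. The status labels are this script's own.

# ver_ge A B: succeed when dotted numeric version A >= B. A leading "v" and any
# suffix such as "-ce" or "+dfsg" are ignored; missing components count as 0.
ver_ge() {
    a=${1#v}; a=${a%%[!0-9.]*}
    b=${2#v}; b=${b%%[!0-9.]*}
    IFS=. read -r a1 a2 a3 <<EOF
$a
EOF
    IFS=. read -r b1 b2 b3 <<EOF
$b
EOF
    [ "${a1:-0}" -gt "${b1:-0}" ] && return 0
    [ "${a1:-0}" -lt "${b1:-0}" ] && return 1
    [ "${a2:-0}" -gt "${b2:-0}" ] && return 0
    [ "${a2:-0}" -lt "${b2:-0}" ] && return 1
    [ "${a3:-0}" -ge "${b3:-0}" ]
}

# cve_2024_24557_status VERSION [DOCKER_BUILDKIT]: print one of
#   patched                     fixed release (24.0.9+ in the 24.x line, or 25.0.2+)
#   affected-classic-default    pre-23.0: the classic builder is the default everywhere
#   affected-buildkit-disabled  23.0+ unpatched and DOCKER_BUILDKIT=0 is set
#   affected-legacy-api-only    23.0+ unpatched; "docker build" uses BuildKit, but the
#                               /build API endpoint and client ImageBuild still use
#                               the classic builder
cve_2024_24557_status() {
    ver=$1; buildkit=${2:-}
    if ver_ge "$ver" 25.0.2; then echo patched; return; fi
    if ! ver_ge "$ver" 25.0.0 && ver_ge "$ver" 24.0.9; then echo patched; return; fi
    if ! ver_ge "$ver" 23.0.0; then echo affected-classic-default; return; fi
    if [ "$buildkit" = 0 ]; then echo affected-buildkit-disabled; return; fi
    echo affected-legacy-api-only
}

# Check the daemon this client talks to, when a docker CLI is available.
if command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) &&
        echo "daemon $v: $(cve_2024_24557_status "$v" "${DOCKER_BUILDKIT:-}")"
fi
```

A result of affected-legacy-api-only means CLI builds are fine but any CI job or tool that drives the /build endpoint or ImageBuild directly still hits the classic builder and should be upgraded.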
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2024-01-25T15:09:40.208Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682cd0fb1484d88663aec583
Added to database: 5/20/2025, 6:59:07 PM
Last enriched: 7/6/2025, 9:54:35 AM
Last updated: 8/14/2025, 8:50:03 AM