CVE-2024-9407: Improper Input Validation
A vulnerability exists in the bind-propagation option of the Dockerfile RUN --mount instruction. The system does not properly validate the input passed to this option, allowing users to pass arbitrary parameters to the mount instruction. This issue can be exploited to mount sensitive directories from the host into a container during the build process and, in some cases, modify the contents of those mounted files. Even if SELinux is used, this vulnerability can bypass its protection by allowing the source directory to be relabeled to give the container access to host files.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2024-9407 is a vulnerability found in Docker's implementation of the RUN --mount instruction, specifically related to the bind-propagation option. This option does not properly validate input parameters, allowing an attacker with sufficient privileges to pass arbitrary mount parameters during the container image build process. This improper input validation can be exploited to mount sensitive directories from the host system into the container. Once mounted, the attacker can potentially read and modify the contents of these host directories and files. Notably, even when SELinux is enabled to enforce mandatory access controls, this vulnerability can bypass those protections by relabeling the source directory, granting the container access to host files that should otherwise be restricted. The vulnerability requires the attacker to have high privileges on the host system (e.g., root or equivalent) and local access to the Docker build environment. No user interaction is needed to exploit this issue. The CVSS 3.1 base score is 4.7 (medium severity), reflecting the local attack vector, high complexity, and requirement for privileges, but with high impact on confidentiality and limited impact on integrity and availability. There are no known exploits in the wild at the time of publication, and no patches or mitigations have been officially released yet. This vulnerability highlights the risks of improper input validation in container build instructions and the potential for privilege escalation or host compromise through container build processes.
Potential Impact
The primary impact of CVE-2024-9407 is unauthorized access to sensitive host files and potential modification of those files during the Docker image build process. This can lead to confidentiality breaches where sensitive data such as credentials, configuration files, or proprietary information is exposed to containerized environments. Modification of host files could result in integrity violations, potentially allowing attackers to alter system configurations or implant malicious code. The ability to bypass SELinux protections further increases the risk by undermining a key security control designed to isolate containers from the host. Organizations relying heavily on Docker for building container images, especially in multi-tenant or shared environments, face increased risk of insider threats or compromised build pipelines. Although exploitation requires high privileges and local access, the vulnerability could be leveraged by attackers who have already gained partial access to escalate their control or move laterally. This could impact cloud providers, enterprises with DevOps pipelines, and development environments worldwide. The lack of known exploits suggests limited immediate threat, but the potential for serious data breaches or system compromise remains significant if exploited.
Mitigation Recommendations
To mitigate CVE-2024-9407, organizations should immediately review and restrict access to Docker build environments, ensuring only trusted users hold the high privileges required to exploit this vulnerability. Implement strict access controls and auditing on build servers and hosts running Docker. Avoid using untrusted or external Dockerfiles that could exploit the RUN --mount bind-propagation option. Until patches are available, consider disabling or limiting the use of the RUN --mount instruction with bind-propagation in Dockerfiles. Employ container build isolation techniques such as dedicated build hosts or sandboxed environments to reduce risk. Monitor file system access and SELinux logs for unusual relabeling or mount activity. Update Docker to the latest version as soon as a patch is released to address this vulnerability. Additionally, educate developers and DevOps teams about the risks of improper mount options and enforce secure coding and build practices. If immediate patching is not possible, consider using alternative container build tools or methods that do not expose this vulnerability.
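A pre-build Dockerfile gate for the "disable or limit bind-propagation" advice above, as an added example (not Red Hat's, Docker's or OffSeq's code): it reports every RUN --mount bind mount that sets bind-propagation and treats any value outside the set documented in the Dockerfile reference as an error. The sample Dockerfile is constructed; it is assumed that the documented value set (shared, slave, private and their recursive forms) is what the builder in use accepts.

```python
import re

# bind-propagation values documented for Dockerfile RUN --mount=type=bind.
ALLOWED_PROPAGATION = {"shared", "slave", "private", "rshared", "rslave", "rprivate"}
MOUNT_FLAG = re.compile(r"--mount=(\S+)")

# Constructed sample: a cache mount, a documented value on a continued line,
# and a value outside the documented set.
SAMPLE_DOCKERFILE = """\
FROM registry.example/base:1.0
RUN --mount=type=cache,target=/root/.cache make deps
RUN --mount=type=bind,source=.,target=/src,bind-propagation=rprivate \\
    make build
RUN --mount=type=bind,src=/tmp/in,dst=/in,bind-propagation=bogus cat /in/x
"""

def parse_mount(flag: str) -> dict[str, str]:
    """Split 'k=v,k=v' into a dict; a bare key gets an empty value."""
    opts = {}
    for part in flag.split(","):
        key, _, value = part.partition("=")
        opts[key.strip().lower()] = value.strip()
    return opts

def logical_lines(text: str) -> list[tuple[int, str]]:
    """Join backslash-continued lines, keeping the first physical line number."""
    out, buf, start = [], "", 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        start = start if buf else n
        if line.endswith("\\"):
            buf += line[:-1].rstrip() + " "
            continue
        out.append((start, buf + line))
        buf = ""
    return out

def check_dockerfile(text: str) -> list[tuple[int, str, str]]:
    """(line, severity, reason) per bind mount setting bind-propagation: 'error' outside the documented set, else 'warn'."""
    findings = []
    for n, line in logical_lines(text):
        if not line.lstrip().upper().startswith("RUN "):
            continue
        for flag in MOUNT_FLAG.findall(line):
            opts = parse_mount(flag)
            prop = opts.get("bind-propagation")
            if prop is None or opts.get("type", "bind") != "bind":
                continue  # only bind mounts take this option
            sev = "warn" if prop in ALLOWED_PROPAGATION else "error"
            findings.append((n, sev, f"bind-propagation={prop}"))
    return findings
```

Run it over each Dockerfile in CI and fail the build on any "error" finding; "warn" findings list the mounts to review while the option is restricted.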
Affected Countries
United States, Germany, China, Japan, United Kingdom, Canada, France, South Korea, Netherlands, Australia
Technical Details
- Data Version: 5.1
- Assigner Short Name: redhat
- Date Reserved: 2024-10-01T10:55:34.838Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6846c60d7b622a9fdf1e791b
Added to database: 6/9/2025, 11:31:25 AM
Last enriched: 3/20/2026, 1:47:50 AM
Last updated: 3/23/2026, 11:39:08 AM