CVEReports

GHSA-RH99-WC69-C255 (CVSS 8.4)

GHSA-RH99-WC69-C255: CopyFile Policy Subversion via Symlinks in Edgeless Systems Contrast

Alon Barad, Software Engineer

May 1, 2026 · 5 min read

Exploit status: No Known Exploit

Executive Summary (TL;DR)

Contrast CLI versions prior to v1.19.1 generate insecure policies for the Kata Containers agent. An attacker can use symbolic links to bypass CopyFile restrictions, accessing unauthorized files within the confidential virtual machine. Upgrading to v1.19.1 and regenerating policies remediates the issue.

The Edgeless Systems Contrast CLI contains a high-severity vulnerability in its policy generation logic for the Kata Containers agent. It fails to properly restrict symbolic link resolution during CopyFile operations, allowing attackers to subvert container isolation policies and exfiltrate sensitive data from the Trusted Execution Environment (TEE).

Vulnerability Overview

GHSA-RH99-WC69-C255 is a high-severity vulnerability in the Edgeless Systems Contrast CLI. Contrast is a tool for deploying and managing confidential containers in Kubernetes environments. The vulnerability affects the policy generation mechanism responsible for configuring the Kata Containers agent.

The core issue resides in the subversion of the CopyFile policy through improper handling of symbolic links. The generated policies fail to enforce strict path resolution during file operations. This failure permits an attacker to bypass intended directory restrictions.

The impact of this vulnerability is a direct compromise of the Trusted Execution Environment (TEE) isolation. Attackers can leverage this flaw to exfiltrate sensitive data from the host or protected Confidential Virtual Machine (CVM) partitions. The vulnerability necessitates immediate remediation through CLI upgrades and policy regeneration.

Technical Root Cause Analysis

The vulnerability exists in the policy generation module of the Contrast CLI. Contrast produces security policies that dictate the permissible operations for the Kata Containers agent running inside a CVM. Among these operations is CopyFile, which controls file transfers within the environment.

The implementation fails to adequately restrict or resolve symbolic links during the validation phase of the CopyFile operation. When the Kata agent enforces the generated policy, it evaluates the file path provided by the requester against the allowed path patterns.

Because the generated policy lacks explicit directives to reject or safely resolve symlinks, an attacker can exploit a Time-of-Check Time-of-Use (TOCTOU) condition (CWE-59). The agent verifies the permissions of the symlink object itself, but the subsequent system call executes the copy operation on the underlying target file.

Policy Generation Logic

The vulnerable logic in versions prior to v1.19.1 generates a policy configuration that implicitly allows symlink resolution during file operations. The policy enforcement relies on standard path matching without requiring absolute path resolution prior to the operation.

In a vulnerable configuration, the Kata agent receives a policy that permits CopyFile operations within a specific directory scope (e.g., /allowed/directory/*). The policy engine does not include a mechanism to distinguish between standard files and symbolic links pointing outside this scope.

The fix introduced in version 1.19.1 modifies the policy generation logic. The patched CLI now generates policies with stricter path constraints, instructing the Kata agent to either validate the absolute, resolved path of the target file or to reject symlinks entirely for the CopyFile operation.

> [!NOTE]
> Upgrading the CLI alone does not fix running containers. The vulnerability resides in the generated policy artifact, meaning existing policies must be explicitly regenerated using the patched CLI version to mitigate the flaw.
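The two fix strategies described above (resolve the absolute path before checking containment, or reject symlinks outright) are easiest to see next to the weak lexical match they replace. The following is an added illustration written for this report; it is not code from the Contrast CLI or the Kata agent, whose actual policy is evaluated inside the CVM and is not reproduced here. The function names (`lexical_allow`, `resolved_allow`, `nofollow_allow`, `find_escaping_links`) and the directory layout built in a temporary directory are constructed for the example. The last function is a defender-side audit that lists symlinks under an allowed directory whose targets resolve outside it.

```python
import fnmatch
import os
import tempfile
from pathlib import Path


def lexical_allow(requested: str, allowed_glob: str) -> bool:
    """Weak check of the kind the report describes: the requested path string is
    matched against the allowed pattern as written. A symlink that sits inside
    the allowed directory passes even though it resolves somewhere else."""
    return fnmatch.fnmatch(requested, allowed_glob)


def resolved_allow(requested: str, allowed_root: str) -> bool:
    """Fix strategy 1: resolve every symlink first, then require the real path
    to be contained in the real allowed root."""
    real_root = os.path.realpath(allowed_root)
    real_target = os.path.realpath(requested)
    try:
        return os.path.commonpath([real_root, real_target]) == real_root
    except ValueError:  # paths with no common prefix (e.g. different drives)
        return False


def nofollow_allow(requested: str, allowed_root: str) -> bool:
    """Fix strategy 2: refuse symlinks outright. Every component below the
    allowed root is inspected without following links; '..' is rejected so the
    lexical containment check cannot be undone."""
    root = Path(allowed_root)
    try:
        rel = Path(requested).relative_to(root)
    except ValueError:  # not lexically under the allowed root
        return False
    if ".." in rel.parts:
        return False
    cur = root
    for part in rel.parts:
        cur = cur / part
        if cur.is_symlink():
            return False
    return cur.exists()


def find_escaping_links(allowed_root: str) -> list:
    """Audit helper: list symlinks under allowed_root whose target resolves
    outside it. Useful for inspecting a copy-in directory before trusting
    a policy that only matches on path prefixes."""
    real_root = os.path.realpath(allowed_root)
    escaping = []
    for dirpath, dirnames, filenames in os.walk(allowed_root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([real_root, target]) != real_root:
                    escaping.append(path)
    return sorted(escaping)


def demo() -> dict:
    """Builds a constructed layout in a temporary directory:
         <tmp>/secret.txt             file outside the allowed scope
         <tmp>/allowed/data.txt       legitimate in-scope file
         <tmp>/allowed/link -> ../secret.txt
    and returns what each check decides for the regular file and the link."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = os.path.join(tmp, "allowed")
        os.mkdir(allowed)
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("constructed out-of-scope content\n")
        regular = os.path.join(allowed, "data.txt")
        with open(regular, "w") as f:
            f.write("constructed in-scope content\n")
        link = os.path.join(allowed, "link")
        os.symlink(os.path.join("..", "secret.txt"), link)

        pattern = os.path.join(allowed, "*")  # the "/allowed/directory/*" shape
        return {
            "regular": {
                "lexical": lexical_allow(regular, pattern),
                "resolved": resolved_allow(regular, allowed),
                "nofollow": nofollow_allow(regular, allowed),
            },
            "link": {
                "lexical": lexical_allow(link, pattern),
                "resolved": resolved_allow(link, allowed),
                "nofollow": nofollow_allow(link, allowed),
            },
            "escaping": [os.path.relpath(p, allowed)
                         for p in find_escaping_links(allowed)],
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running `demo()` shows the regular file accepted by all three checks, while the link is accepted only by the lexical match and flagged by the audit. Note that `resolved_allow` still has a window between resolution and use if the link can be swapped afterwards; rejecting links entirely, as `nofollow_allow` does, closes that window at the cost of refusing legitimate links.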

Exploitation Mechanics

Exploitation requires an attacker to have established a presence within the confidential container environment with sufficient privileges to create symbolic links. The attacker provisions a symlink within an allowed directory structure that points to an unauthorized, sensitive file located elsewhere on the filesystem.

Upon triggering the CopyFile operation through the Kata agent API, the agent reads the generated policy. The agent validates the path to the attacker-created symlink. Because the symlink is located within a permitted directory, the validation check passes.

During the execution phase, the agent's underlying file system call traverses the symlink. The operation succeeds, copying the sensitive target file instead of the symlink object itself. This mechanism allows the attacker to project the contents of restricted files into an accessible location.

Impact on Confidential Environments

In a confidential computing environment, security relies entirely on the integrity of the policies enforced by the agent. Subverting the CopyFile policy breaches the isolation boundary that separates the container workload from the underlying infrastructure.

By exploiting this vulnerability, an attacker can exfiltrate sensitive data. This includes accessing secrets mounted on the host, configuration files, or other protected areas of the CVM that were intended to be strictly isolated from the containerized application.

This flaw fundamentally circumvents the least privilege model. It compromises the primary value proposition of confidential computing by allowing unauthorized data access within the Trusted Execution Environment (TEE), rendering the hardware-level encryption and isolation guarantees ineffective against an internal threat.

Remediation and Redeployment

The primary mitigation requires upgrading the Contrast CLI and re-generating the Kata agent policies. Organizations must update their local CLI tools to version v1.19.1 or later to access the corrected policy generation logic.

After upgrading the CLI, administrators must generate new security policies for all confidential container workloads. The patched CLI will output policies that properly restrict symlink resolution during file operations.

Finally, the affected confidential containers must be redeployed. The Kata agent requires the newly generated policy files to enforce the correct security posture. Running workloads will remain vulnerable until they are restarted with the updated policies.

Official Patches

Edgeless Systems: Fix Release v1.19.1

Technical Appendix

CVSS Score: 8.4 / 10 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N)

Affected Systems

  • Edgeless Systems Contrast CLI
  • Kata Containers Agent

Affected Versions Detail

| Product | Affected Versions | Fixed Version |
|---|---|---|
| Contrast CLI (Edgeless Systems) | < 1.19.1 | v1.19.1 |

| Attribute | Detail |
|---|---|
| CWE ID | CWE-59 |
| Attack Vector | Local Container Execution |
| CVSS Score | 8.4 |
| Impact | Data Exfiltration, Policy Bypass |
| Exploit Status | No public PoC |
| Remediation | Upgrade CLI and Regenerate Policies |

MITRE ATT&CK Mapping

  • T1611 Escape to Host (Privilege Escalation)
  • T1083 File and Directory Discovery (Discovery)

CWE-59: Improper Link Resolution Before File Access ('Link Following')

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.

Vulnerability Timeline

  • 2026-04-23: Vulnerability disclosed in the GitHub Advisory Database
  • 2026-04-23: Fix released in v1.19.1 of edgelesssys/contrast
