Executive Summary

NanoClaw contains a host/container filesystem boundary vulnerability related to outbound attachment handling and outbox cleanup.

This vulnerability allows a compromised or prompt-injected container to read files outside the intended outbox directory by using specially crafted messages_out.id and content.files values or by creating symlinked outbox files.

Attackers exploiting this vulnerability can cause the host system to read arbitrary files and, in some cases, perform recursive deletion of paths outside the intended cleanup target.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts including unauthorized reading of arbitrary files on the host system from a compromised container.

Additionally, attackers may be able to trigger recursive deletion of files or directories outside the intended cleanup scope, potentially leading to data loss or system instability.

Given the high CVSS scores (9.3 for v4.0 and 8.8 for v3.1), the vulnerability poses a critical risk to confidentiality, integrity, and availability of the affected system.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows a compromised container to read or delete arbitrary files on the host system outside the intended directories. Such unauthorized access to sensitive files could lead to exposure or loss of personal or protected data.

Because the vulnerability enables unauthorized file reads and deletions, it could impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Exploitation of this vulnerability could result in breaches of confidentiality, integrity, and availability of data, potentially leading to regulatory violations and associated penalties.

Useful 0 Not Useful 0

Detection Guidance

Detection of this vulnerability involves identifying attempts by containers to exploit path traversal sequences or symlinks in message outbox files to access or delete files outside the intended directories.

You can monitor for suspicious file access patterns or recursive deletions originating from container processes, especially those involving filenames with sequences like '../../../' or unexpected symlinked files in the outbox directory.

Suggested commands include:

• Use 'find' to detect symlinks in the outbox directory: find /path/to/outbox -type l
• Check for unusual filenames with path traversal patterns: ls /path/to/outbox | grep '\.\./'
• Monitor file access or deletion events using auditd or inotify tools targeting the outbox directory.
• Review container logs for suspicious messages containing crafted message IDs or filenames.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include applying the security patches that enforce strict path validation and containment checks on the host side.

Specifically, ensure that the NanoClaw host process validates message IDs and filenames as simple basenames, rejects symlinks and non-file paths, and verifies that resolved paths remain within the canonical message outbox directory.

Additionally, treat all container-controlled data as untrusted and avoid trusting container-supplied paths without validation.

If patches are not immediately available, consider restricting container privileges and isolating the affected components to limit potential exploitation.

Useful 0 Not Useful 0