RunC Flaws Enable Container Escapes, Granting Attackers Host Access
Jan 31, 2024NewsroomSoftware Security / Linux Multiple security vulnerabilities have been disclosed in the runC command line tool that
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks.
The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk.
“These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges,” the company said in a report shared with The Hacker News.
runC is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later spun out into a separate open-source library in 2015.
A brief description of each of the flaws is below –
- CVE-2024-21626 – WORKDIR: Order of operations container breakout
- CVE-2024-23651 – Mount Cache Race
- CVE-2024-23652 – Buildkit Build-time Container Teardown Arbitrary Delete
- CVE-2024-23653 – Buildkit GRPC SecurityMode Privilege Check
The most severe of the flaws is CVE-2024-21626, which could result in a container escape centered around the `WORKDIR` command.
“This could occur by running a malicious image or by building a container image using a malicious Dockerfile or upstream image (i.e. when using `FROM`),” Snyk said.
There is no evidence that any of the newly discovered shortcomings have been exploited in the wild to date. That said, the issues have been addressed in runC version 1.1.12 released today.
“Because these vulnerabilities affect widely used low-level container engine components and container build tools, Snyk strongly recommends that users check for updates from any vendors providing their container runtime environments, including Docker, Kubernetes vendors, cloud container services, and open source communities,” the company said.
In February 2019, runC maintainers addressed another high-severity flaw (CVE-2019-5736, CVSS score: 8.6) that could be abused by an attacker to break out of the container and obtain root access on the host.