The Path of Least Resistance: Bypassing AppArmor in runc via /proc Symlinks
Vulnerability ID: CVE-2023-28642
CVSS Score: 6.1
Published: 2023-03-29
A vulnerability in runc allowing attackers to bypass AppArmor and SELinux profiles by crafting container images with a symlinked /proc directory, effectively blinding the host's security controls.
TL;DR
runc < 1.1.5 allows container images to replace the /proc directory with a symbolic link. This confuses path-based security modules like AppArmor, causing them to fail to apply or enforce profiles correctly. An attacker can use this to bypass confinement and access sensitive host resources.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-281
- Attack Vector: Local (Image-based)
- CVSS: 6.1 (Medium)
- Privileges Required: None
- User Interaction: Required (Victim must run image)
- Impact: Security Bypass (AppArmor/SELinux)
Affected Systems
- runc < 1.1.5
- Docker (dependent on bundled runc version)
- Kubernetes (dependent on node container runtime)
- Containerd (uses runc as default runtime)
- runc: < 1.1.5 (fixed in 1.1.5)
Code Analysis
Commit: PR #378
Fix /proc symlink mount handling
// Refuse to mount onto a destination that is itself a symlink (fi is the result of an Lstat on dest).
if fi.Mode()&os.ModeSymlink != 0 {
    return fmt.Errorf("%s is a symlink", dest)
}
Exploit Details
- ctrsploit: Container exploitation framework containing logic for mount/symlink bypasses
Mitigation Strategies
- Upgrade runc to version 1.1.5 or later.
- Enable User Namespaces (userns) to mitigate impact of LSM bypass.
- Implement admission controllers to reject images with symlinked system directories.
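As an added example (not from the advisory, runc, or ctrsploit), here is the kind of Go check an admission controller or CI gate could run over each image layer before it reaches a node: it reads the layer tarball and rejects any entry that replaces a top-level proc, sys or dev with a symlink or hardlink, the same condition the runc fix refuses at mount time. The layer is constructed in memory for the demonstration; the symlink target /tmp/fakeproc is a made-up value.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// Top-level directories the runtime expects to be real directories. Replacing
// one with a symlink is what CVE-2023-28642 abuses to confuse LSM handling.
var protectedDirs = map[string]bool{"proc": true, "sys": true, "dev": true}

// Finding is one rejected layer entry.
type Finding struct {
	Name   string // normalised entry name, e.g. "proc"
	Target string // link target recorded in the tar header
}

// ScanLayer walks one OCI/Docker layer tarball and reports every entry that
// would turn a protected top-level directory into a symlink or hardlink.
func ScanLayer(r io.Reader) ([]Finding, error) {
	var findings []Finding
	tr := tar.NewReader(r)
	for {
		hdr, err := tr.Next()
		if err == io.EOF {
			return findings, nil
		}
		if err != nil {
			return nil, err
		}
		// Normalise "./proc/", "/proc" and "proc/" to "proc" before matching.
		name := strings.TrimPrefix(path.Clean("/"+hdr.Name), "/")
		if !protectedDirs[name] {
			continue
		}
		switch hdr.Typeflag {
		case tar.TypeSymlink, tar.TypeLink:
			findings = append(findings, Finding{Name: name, Target: hdr.Linkname})
		}
	}
}

// ScanLayerBytes is a convenience wrapper for an in-memory layer.
func ScanLayerBytes(layer []byte) ([]Finding, error) {
	return ScanLayer(bytes.NewReader(layer))
}

// BuildLayer produces a constructed layer: a normal etc/ directory plus either
// a real proc/ directory (procTarget == "") or proc as a symlink to procTarget.
func BuildLayer(procTarget string) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	must(tw.WriteHeader(&tar.Header{Name: "etc/", Typeflag: tar.TypeDir, Mode: 0o755}))
	if procTarget != "" {
		must(tw.WriteHeader(&tar.Header{Name: "proc", Typeflag: tar.TypeSymlink, Linkname: procTarget, Mode: 0o777}))
	} else {
		must(tw.WriteHeader(&tar.Header{Name: "proc/", Typeflag: tar.TypeDir, Mode: 0o555}))
	}
	must(tw.Close())
	return buf.Bytes()
}

func must(err error) {
	if err != nil {
		panic(err)
	}
}

func main() {
	// Constructed sample: /proc replaced by a symlink to a made-up path.
	findings, err := ScanLayerBytes(BuildLayer("/tmp/fakeproc"))
	must(err)
	if len(findings) == 0 {
		fmt.Println("ADMIT: no protected directory replaced by a link")
	}
	for _, f := range findings {
		fmt.Printf("REJECT: /%s is a link to %q\n", f.Name, f.Target)
	}
}
```

In a real webhook the same scan runs over every layer of the manifest, since a later layer can replace a directory created by an earlier one; the check is cheap because only header fields are inspected.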
Remediation Steps:
- Check the current runc version: runc --version
- Update the container runtime packages (e.g., containerd.io, docker-ce), which bundle the newer runc binary.
- Restart the container daemon (dockerd/containerd) to apply the change.
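As an added example (not the advisory's or runc's own code), a small Go program that parses the first line of runc --version output and decides whether the installed build predates 1.1.5. It compares the version numerically per component, because a plain string comparison orders 1.1.10 before 1.1.5, and it conservatively treats a pre-release or +dev build of 1.1.5 as not yet fixed. The sample output below is constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// fixedVersion is the first runc release containing the fix (from the advisory).
var fixedVersion = []int{1, 1, 5}

// sampleOutput is a constructed copy of what `runc --version` prints on a
// vulnerable host; only the first line matters to the check.
const sampleOutput = "runc version 1.1.4\ncommit: constructed-sample\nspec: 1.0.2-dev\n"

// ParseRuncVersion extracts the numeric release from "runc version X.Y.Z[-suffix]"
// and reports whether a suffix such as "-rc.1" or "+dev" was present.
func ParseRuncVersion(output string) (parts []int, hasSuffix bool, err error) {
	first := strings.SplitN(strings.TrimSpace(output), "\n", 2)[0]
	fields := strings.Fields(first)
	if len(fields) < 3 || fields[0] != "runc" || fields[1] != "version" {
		return nil, false, fmt.Errorf("unexpected version line: %q", first)
	}
	v := fields[2]
	if i := strings.IndexAny(v, "-+"); i >= 0 {
		v, hasSuffix = v[:i], true
	}
	for _, p := range strings.Split(v, ".") {
		n, err := strconv.Atoi(p)
		if err != nil {
			return nil, false, fmt.Errorf("bad version component %q in %q", p, fields[2])
		}
		parts = append(parts, n)
	}
	return parts, hasSuffix, nil
}

// compareVersions orders two dotted versions numerically per component, so
// 1.1.10 sorts after 1.1.5; missing components count as zero.
func compareVersions(a, b []int) int {
	for i := 0; i < len(a) || i < len(b); i++ {
		var x, y int
		if i < len(a) {
			x = a[i]
		}
		if i < len(b) {
			y = b[i]
		}
		if x != y {
			if x < y {
				return -1
			}
			return 1
		}
	}
	return 0
}

// IsVulnerable reports whether the runc described by `runc --version` output
// is older than 1.1.5. A suffixed 1.1.5 build (rc or +dev) is treated as
// unfixed, since it may have been cut before the fix landed.
func IsVulnerable(output string) (bool, error) {
	v, suffixed, err := ParseRuncVersion(output)
	if err != nil {
		return false, err
	}
	c := compareVersions(v, fixedVersion)
	return c < 0 || (c == 0 && suffixed), nil
}

func main() {
	vulnerable, err := IsVulnerable(sampleOutput)
	if err != nil {
		panic(err)
	}
	fmt.Printf("vulnerable to CVE-2023-28642: %v\n", vulnerable)
}
```

The version string is the only signal this check uses; after upgrading the packages, run it again only once the daemon has been restarted, since a running containerd keeps using the runc binary it already resolved.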
References
Read the full report for CVE-2023-28642 on our website for more details including interactive diagrams and full exploit analysis.