Leaky Vessels: Escaping the Container Ship with CVE-2024-21626
Vulnerability ID: CVE-2024-21626
CVSS Score: 8.6
Published: 2023-12-21
CVE-2024-21626 is a critical vulnerability in runc, the low-level container runtime underpinning Docker, Kubernetes, and other major containerization platforms. The flaw stems from a race condition and file descriptor leak when processing the WORKDIR instruction for a new container or when using runc exec. A malicious actor can craft a container image that tricks runc into retaining a handle to the host filesystem, allowing the container to break out of its isolation and achieve full remote code execution on the underlying host machine, completely shattering the security boundary of containerization.
TL;DR
A flaw in runc's WORKDIR handling allows a malicious container to escape its sandbox. By racing runc's initialization process, the container can trick it into opening a file handle to the host's filesystem. This provides a direct path to host access, leading to a full container escape and RCE on the node.
⚠️ Exploit Status: ACTIVE
Technical Details
- CWE ID: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Attack Vector: Local (Attacker must be able to run a malicious container on the host)
- CVSS Score: 8.6 (High)
- CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
- Impact: Container Escape, Host RCE
- Exploit Status: Active Exploitation / Public PoC
- KEV Status: Listed in CISA KEV Catalog
- EPSS Score: 90.25% (0.90252)
Affected Systems
- runc
- Docker Engine
- containerd
- Podman
- CRI-O
- Kubernetes clusters relying on vulnerable runtimes
- runc: < 1.1.12 (Fixed in: 1.1.12)
Exploit Details
- GitHub: Official GitHub Security Advisory for runc.
- Snyk Blog: Detailed technical writeup on the 'Leaky Vessels' vulnerabilities, including CVE-2024-21626.
Mitigation Strategies
- Update runc to version 1.1.12 or later. This is the primary and most effective mitigation.
- Implement strict Seccomp profiles to filter and block unnecessary system calls for containers.
- Utilize Mandatory Access Control (MAC) systems like AppArmor or SELinux to confine container processes, preventing them from accessing unauthorized host paths.
- Follow the principle of least privilege: run containers as non-root users wherever possible to limit the immediate impact of a compromise.
- Use container-aware security monitoring to detect anomalous behavior, such as a process attempting to access /proc/self/fd/ or unexpected host files.
Remediation Steps
- Identify all systems running container runtimes like Docker, containerd, or Podman.
- Check the installed version of runc. On most systems, you can run runc --version.
- Update your container runtime packages to the latest available version from your distribution's package manager (e.g., apt-get update && apt-get install docker-ce containerd.io).
- For Kubernetes clusters, this typically involves upgrading the node images to a version that includes the patched runc binary and then cycling the nodes in your cluster.
- Verify the patch by checking the runc version again after the update to ensure it is 1.1.12 or higher.
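The version check and verification steps above, as a POSIX shell function that can be dropped into a fleet inventory script. This is an added example, not code from the advisory or the runc project; it assumes the upstream `runc --version` output format, whose first line reads "runc version X.Y.Z" possibly followed by a distribution suffix.

```shell
#!/bin/sh
# Added example (not from the advisory): flag a runc build older than the
# 1.1.12 fix for CVE-2024-21626. Assumes the upstream `runc --version`
# format, whose first line reads "runc version X.Y.Z[suffix]".

FIXED_VERSION="1.1.12"

# Pull the dotted numeric version out of `runc --version` output, dropping
# distro suffixes such as "-0ubuntu1~22.04.1" or "+ds1".
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^runc version \([0-9][0-9.]*\).*/\1/p'
}

# True (exit 0) when dotted version $1 is numerically lower than $2.
# Compares major.minor.patch; missing components count as 0.
version_lt() {
    a=$(printf '%s' "$1" | tr . ' '); b=$(printf '%s' "$2" | tr . ' ')
    set -- $a 0 0 0; a1=$1; a2=$2; a3=$3
    set -- $b 0 0 0; b1=$1; b2=$2; b3=$3
    [ "$a1" -lt "$b1" ] && return 0
    [ "$a1" -gt "$b1" ] && return 1
    [ "$a2" -lt "$b2" ] && return 0
    [ "$a2" -gt "$b2" ] && return 1
    [ "$a3" -lt "$b3" ]
}

# Exit 0 if the reported runc predates the fix, 1 if it includes it,
# 2 if the output could not be parsed (e.g. a wrapper or foreign build).
runc_is_vulnerable() {
    ver=$(runc_version_from_output "$1")
    if [ -z "$ver" ]; then
        echo "could not parse a runc version string from the given output"
        return 2
    fi
    if version_lt "$ver" "$FIXED_VERSION"; then
        echo "runc $ver predates the CVE-2024-21626 fix ($FIXED_VERSION)"
        return 0
    fi
    echo "runc $ver includes the CVE-2024-21626 fix"
    return 1
}

# Stand-alone use: inspect the runc binary on this host, if one is installed.
if command -v runc >/dev/null 2>&1; then
    runc_is_vulnerable "$(runc --version 2>/dev/null)" \
        && echo "ACTION: update runc to $FIXED_VERSION or later and re-check"
fi
```

Distribution packages sometimes backport the fix without changing the upstream version string, so treat a "predates the fix" verdict on a distro build as a prompt to check the package changelog or vendor advisory rather than as proof of exposure.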
References
- NVD Entry for CVE-2024-21626
- GitHub Advisory: runc process.cwd breakout
- CISA KEV Catalog
- Red Hat CVE Database Entry
Read the full report for CVE-2024-21626 on our website for more details including interactive diagrams and full exploit analysis.