A number of safety vulnerabilities have been disclosed within the runC command line software that could possibly be exploited by menace actors to flee the bounds of the container and stage follow-on assaults.
The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk.
“These container escapes might permit an attacker to realize unauthorized entry to the underlying host working system from throughout the container and probably allow entry to delicate information (credentials, buyer information, and many others.), and launch additional assaults, particularly when the entry gained consists of superuser privileges,” the corporate mentioned in a report shared with The Hacker Information.
runC is a software for spawning and operating containers on Linux. It was initially developed as a part of Docker and later spun out right into a separate open-source library in 2015.
A quick description of every of the failings is under –
- CVE-2024-21626 – WORKDIR: Order of operations container breakout
- CVE-2024-23651 – Mount Cache Race
- CVE-2024-23652 – Buildkit Construct-time Container Teardown Arbitrary Delete
- CVE-2024-23653 – Buildkit GRPC SecurityMode Privilege Verify
Probably the most extreme of the failings is CVE-2024-21626, which might end in a container escape centered across the `WORKDIR` command.
“This might happen by operating a malicious picture or by constructing a container picture utilizing a malicious Dockerfile or upstream picture (i.e. when utilizing `FROM`),” Snyk mentioned.
There isn’t any proof that any of the newly found shortcomings have been exploited within the wild up to now. That mentioned, the problems have been addressed in runC model 1.1.12 launched at the moment.
“As a result of these vulnerabilities have an effect on extensively used low-level container engine parts and container construct instruments, Snyk strongly recommends that customers test for updates from any distributors offering their container runtime environments, together with Docker, Kubernetes distributors, cloud container providers, and open supply communities,” the corporate mentioned.
In February 2019, runC maintainers addressed one other high-severity flaw (CVE-2019-5736, CVSS rating: 8.6) that could possibly be abused by an attacker to interrupt out of the container and acquire root entry on the host.