An attacker can exploit a security vulnerability in the open-source runc container runtime engine (used by Docker and others) to gain control of the host machine.
Translated from "Leaky Vessels Vulnerability Sinks Container Security" by Joab Jackson. Joab Jackson is a senior editor at The New Stack covering cloud-native computing and system operations; he has been covering IT infrastructure and development for more than 25 years, having held positions at IDG and Government Computer News.
Researchers have discovered a vulnerability in the open-source runc container engine large enough to allow an attacker to easily traverse from a container into the underlying host operating system, causing various harms to your system.
"An attacker could exploit [this vulnerability] to gain unauthorized access to the underlying host operating system from inside a container," security firm Snyk wrote in a blog post on Wednesday. This vulnerability, along with a set of related vulnerabilities, is what they call "Leaky Vessels." The maintainers of the runc command-line interface first identified the original issue, a leaked file descriptor, and quickly released an update, runc v1.1.12, which fixes the core issue (described in CVE-2024-21626). However, until everyone upgrades, users of tools such as Docker, Kubernetes, and cloud-based container services should keep an eye out for patches released by their vendors, Snyk advises. Tools like Docker use runc as their default container runtime engine. Docker originally created runc and then handed it to the Open Container Initiative to maintain as a vendor-neutral open source project. On Wednesday, Docker quickly released a patch for runc, as well as for related vulnerabilities found in the open-source Moby Docker engine and BuildKit. GitHub has rated this vulnerability 8.6, which is "High" on the CVSS rating scale, meaning that the vulnerability could cause significant downtime and/or data loss, although it is difficult to exploit. Docker states that it can also be used to compromise the integrity of the build cache. Researchers at Snyk report that, to date, no attacks exploiting this vulnerability have been observed in the wild.
With such a vulnerability, an attacker could gain access to and take over the underlying operating system. From there, they can access other data on the system, such as credentials, and launch further attacks.
"With the widespread use of containerization technology in development and production environments, this type of attack poses a significant risk to data integrity, confidentiality, and system stability," Red Hat noted in Thursday's announcement. A system can be affected either by running an attacker-contaminated image or by building a container from a malicious Dockerfile or upstream image. "These vulnerabilities can only be exploited if a user incorporates malicious content into the build process or runs a container from a suspicious image," Gabriela Georgieva, senior security engineer at Docker, wrote in a blog post Wednesday. "We strongly encourage all customers to prioritize security by applying these updates in a timely manner. Applying these updates in a timely manner is the most effective measure to protect your system from these vulnerabilities and maintain a safe and secure Docker environment."
Red Hat recommends checking the RUN and WORKDIR directives of your Dockerfiles to ensure that they contain no escape or malicious paths. For Linux kernels that support eBPF, Snyk has released a tool to detect the vulnerability, called leaky-vessels-runtime-detector. Snyk has also reported three runc-related vulnerabilities in BuildKit. All of these vulnerabilities are rated as high-severity:
CVE-2024-23651: BuildKit mount cache race
CVE-2024-23653: BuildKit GRPC SecurityMode privilege check
CVE-2024-23652: BuildKit build-time container teardown arbitrary delete
runc "is one of the lower-level container runtimes, so users typically don't interact directly with runc, but through other abstractions at the top level, which then use runc to execute commands," explains Jimmy Mesta, CTO and co-founder of KSOC, a Kubernetes security company, in a blog post. "runc works with other software, such as BuildKit, to do things like decompress image layers, start container processes, put file systems in place, and clean up those processes and files after the container is deleted. In the container runtime, BuildKit will be the tool for building images, while runc will do the actual work of each step." This isn't the first time runc has been plagued by accidental escape routes. In 2019, TNS reported on the discovery of a runc escape (CVE-2019-5736) by Polish researchers while they were investigating namespace-based sandboxes.