RunC Flaws Enable Container Escapes, Granting Attackers Host Access
Multiple security vulnerabilities have been disclosed in the runC command line tool that could be exploited by threat actors to escape the bounds of the container and stage follow-on attacks.
The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, have been collectively dubbed Leaky Vessels by cybersecurity vendor Snyk.
“These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges,” the company said in a report shared with The Hacker News.
runC is a tool for spawning and running containers on Linux. It was originally developed as part of Docker and later spun out into a separate open-source library in 2015.
A brief description of each of the flaws is below –
- CVE-2024-21626 (CVSS score: 8.6) – runC process.cwd and leaked fds container breakout
- CVE-2024-23651 (CVSS score: 8.7) – Build-time race condition container breakout
- CVE-2024-23652 (CVSS score: 10.0) – Buildkit Build-time Container Teardown Arbitrary Delete
- CVE-2024-23653 (CVSS score: 9.8) – GRPC SecurityMode privilege check: Build-time container breakout
The most severe of the flaws is CVE-2024-21626, which could result in a container escape centered around the `WORKDIR` command.
“This could occur by running a malicious image or by building a container image using a malicious Dockerfile or upstream image (i.e. when using `FROM`),” Snyk said.
There is no evidence that any of the newly discovered shortcomings have been exploited in the wild to date. That said, the issues have been addressed in runC version 1.1.12 released today following responsible disclosure in November 2023.
“Because these vulnerabilities affect widely used low-level container engine components and container build tools, Snyk strongly recommends that users check for updates from any vendors providing their container runtime environments, including Docker, Kubernetes vendors, cloud container services, and open source communities,” the company said.
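A host-side check against the fixed runC release mentioned above, as an added example that is not from the article, Snyk, or the runC project. It assumes the first line of `runc --version` has the form `runc version X.Y.Z[suffix]`; the function names and sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Classify `runc --version` output against the fixed release named in the
# article (1.1.12). Only the upstream x.y.z number is compared.
FIXED_RUNC="1.1.12"

# Succeeds if dotted version $1 >= $2 (three numeric fields each).
# Fields are compared as integers, so 1.1.7 sorts below 1.1.12.
version_ge() (
    IFS=.
    set -- $1 $2                 # $1..$3 = candidate, $4..$6 = floor
    [ "$1" -ne "$4" ] && { [ "$1" -gt "$4" ]; exit; }
    [ "$2" -ne "$5" ] && { [ "$2" -gt "$5" ]; exit; }
    [ "$3" -ge "$6" ]
)

# Prints one of: patched, needs-update, review, unknown.
classify_runc() {
    first=$(printf '%s\n' "$1" | sed -n '/^runc version /{p;q;}')
    base=$(printf '%s\n' "$first" |
        sed -n 's/^runc version \([0-9]\{1,\}\.[0-9]\{1,\}\.[0-9]\{1,\}\).*/\1/p')
    [ -n "$base" ] || { echo unknown; return 0; }
    suffix=${first#"runc version $base"}
    case "$suffix" in
        -rc*|~rc*)               # a pre-release of the fixed version predates it
            if [ "$base" = "$FIXED_RUNC" ]; then echo review; return 0; fi ;;
    esac
    if version_ge "$base" "$FIXED_RUNC"; then echo patched; else echo needs-update; fi
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='runc version 1.1.11
commit: v1.1.11-0-gplaceholder
spec: 1.0.2-dev'
SAMPLE_FIXED='runc version 1.1.12'
SAMPLE_DISTRO='runc version 1.1.7-0ubuntu1'

# On a real host, classify the installed binary if one is on PATH.
if command -v runc >/dev/null 2>&1; then
    echo "installed runc: $(classify_runc "$(runc --version 2>/dev/null)")"
fi
```

A `needs-update` result on a distribution or vendor build means the vendor's advisory should be consulted, since packagers may backport fixes without changing the upstream version number.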
Docker, in an independent advisory, said the vulnerabilities can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a rogue image.
“Potential impacts include unauthorized access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape,” Docker said.
Amazon Web Services (AWS) and Google Cloud have also released alerts of their own, urging customers to take appropriate action as and where necessary.
In February 2019, runC maintainers addressed another high-severity flaw (CVE-2019-5736, CVSS score: 8.6) that could be abused by an attacker to break out of the container and obtain root access on the host.
Cloud and container security weaknesses continue to be an attack risk, as organizations grant excessive permissions and administrative privileges to accounts during initial setup, leaving behind misconfigurations and privilege escalation opportunities for attackers.
“This practice creates undue risk when a majority of severe cloud security incidents with material impact are tied to the failed management of identities, access, and privileges,” Sysdig noted in its 2024 Cloud-Native Security and Usage Report. “It’s often the initial attack vector in an attack chain, and this identity compromise inevitably leads to application abuse, system compromise, or data exfiltration.”
(The story was updated after publication to include additional advisories published by Docker, AWS, and Google Cloud.)