Numerous security vulnerabilities were discovered in the runC command-line tool that could be exploited by threat actors to escape container boundaries and mount follow-on attacks.
The vulnerabilities, tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, were collectively named Leaky Vessels by cybersecurity provider Snyk.
“These container leaks could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially allow access to sensitive data (credentials, customer information, etc.) and launch further attacks, especially when the access gained includes superuser privileges,” the company said in a report shared with The Hacker News.
runC is a tool for generating and running containers on Linux. It was originally developed as part of Docker and later made into a separate open source library in 2015.
Below is a brief description of each of the defects:
- CVE-2024-21626 – WORKDIR: Order of Operations Container Breakout
- CVE-2024-23651 – Mount Cache Race
- CVE-2024-23652 – Buildkit Build-time Container Teardown Arbitrary Delete
- CVE-2024-23653 – Buildkit GRPC SecurityMode Privilege Check
The most serious flaw is CVE-2024-21626, which could lead to a container escape centered on the “WORKDIR” command.
“This could occur by running a malicious image or building a container image using a malicious Dockerfile or upstream image (for example when using `FROM`),” Snyk said.
To date there is no evidence that any of the newly discovered flaws have been exploited in the wild. That said, the issues have been resolved in runC version 1.1.12 released today.
“Because these vulnerabilities affect widely used low-level container engine components and container building tools, Snyk strongly advises users to check for updates from any vendor providing their container runtime environments, including Docker, Kubernetes, cloud container services, and open source communities,” the company explained.
In February 2019, runC maintainers fixed another high-severity flaw (CVE-2019-5736, CVSS score: 8.6) that an attacker could abuse to break out of the container and gain root access on the host.