runc Vulnerability Allows Container Escape and Host File Access

CVE-2024-21626

8.6 HIGH

Key Information

Vendor: Opencontainers
Product: runc
CVE Published: 31 January 2024

Badges

🥇 Trended No. 1  📈 Trended  📈 Score: 15,800  👾 Exploit Exists  🟡 Public PoC  📰 News Worthy

What is CVE-2024-21626?

CVE-2024-21626 is a high-severity vulnerability in runc, the command-line tool for spawning and running containers on Linux according to the Open Container Initiative (OCI) runtime specification. runc 1.1.11 and earlier leaked an internal file descriptor into the newly started container process. Because of that leak, an attacker who can start a container from a malicious image, or have a command run in an existing container with runc exec, can cause the container process to begin with a working directory in the host filesystem namespace. That gives read and write access to the host filesystem, and variants of the attack use it to overwrite host binaries, yielding a complete container escape and compromising the confidentiality and integrity of everything on the host.

Technical Details

The vulnerability stems from how runc handles file descriptors. An open directory descriptor referring to the host's /sys/fs/cgroup was left inherited by the container process, and runc did not verify that the process's working directory lay inside the container's root filesystem. If the requested working directory is a path such as /proc/self/fd/<N> that names the leaked descriptor, the container process starts with its current working directory in the host filesystem namespace, and relative paths such as ../../../ then resolve against the host's root rather than the container's. The two primary exploitation vectors are a malicious container image whose configuration sets process.cwd to such a path, triggered by runc run (the advisory's "attack 1"), and runc exec with a working directory pointing there (for example docker exec -w, "attack 2"). Both give the attacker access to the host filesystem; variants ("attack 3a" and "attack 3b") use that access to overwrite semi-arbitrary host binaries that later execute on the host, resulting in complete container escapes. Exploitation requires that someone on the host runs the attacker's image or exec command, which is why the CVSS vector rates user interaction as Required. runc 1.1.12 fixes the issue by closing the leaked descriptors before the container process is exec'd and by verifying, after chdir, that the working directory is inside the container's rootfs.
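To make the mechanism concrete, the following Go program is an added example (not runc's code and not from the original page) that reproduces the core of the bug and of the 1.1.12 check in plain user space: it leaks a directory descriptor the way an inherited, non-CLOEXEC fd would be, requests /proc/self/fd/<N> as the working directory, and shows that a post-chdir check through /proc/self/cwd rejects it while a benign working directory passes. It assumes Linux with procfs mounted and needs no privileges; there is no mount namespace or pivot_root here, and the "host" and "rootfs" directories are stand-ins created under the temp directory.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"syscall"
)

// leakDirFD opens a host directory without O_CLOEXEC, the way the descriptor
// behind CVE-2024-21626 was left open: a process spawned after this inherits
// it and can name it as /proc/self/fd/<N>.
func leakDirFD(hostDir string) (int, error) {
	return syscall.Open(hostDir, syscall.O_RDONLY|syscall.O_DIRECTORY, 0)
}

// cwdInsideRootfs resolves the real working directory through /proc/self/cwd
// and requires it to be rootfs itself or a path below it. This mirrors the
// post-chdir validation runc 1.1.12 added (reimplemented here, not runc's code).
func cwdInsideRootfs(rootfs string) (bool, string, error) {
	root, err := filepath.EvalSymlinks(rootfs) // /proc/self/cwd is already resolved
	if err != nil {
		return false, "", err
	}
	cwd, err := os.Readlink("/proc/self/cwd")
	if err != nil {
		return false, "", err
	}
	rel, err := filepath.Rel(root, cwd)
	if err != nil {
		return false, cwd, err
	}
	inside := rel == "." || (rel != ".." && !strings.HasPrefix(rel, "../"))
	return inside, cwd, nil
}

// enterWorkdir applies a requested working directory, then validates it. It
// returns whether validation passed and where the process really ended up.
func enterWorkdir(rootfs, requested string) (bool, string, error) {
	if err := os.Chdir(requested); err != nil {
		return false, "", err
	}
	return cwdInsideRootfs(rootfs)
}

// demo builds a stand-in "host" directory and a stand-in "rootfs" (constructed
// temp dirs; no namespaces involved), leaks a descriptor to the host directory,
// and compares a benign working directory with the /proc/self/fd/<N> trick.
func demo() (benignOK, trickOK bool, err error) {
	orig, err := os.Getwd()
	if err != nil {
		return false, false, err
	}
	host, err := os.MkdirTemp("", "fake-host-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(host)
	rootfs, err := os.MkdirTemp("", "fake-rootfs-")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(rootfs)
	defer os.Chdir(orig) // runs first: leave the temp dirs before removing them

	fd, err := leakDirFD(host)
	if err != nil {
		return false, false, err
	}
	defer syscall.Close(fd)

	// Benign case: the working directory is the container root itself.
	benignOK, _, err = enterWorkdir(rootfs, rootfs)
	if err != nil {
		return false, false, err
	}
	// Attacker-controlled case: a procfs symlink that resolves to the leaked
	// host directory, which lies outside rootfs.
	trickOK, _, err = enterWorkdir(rootfs, fmt.Sprintf("/proc/self/fd/%d", fd))
	return benignOK, trickOK, err
}

func main() {
	benign, trick, err := demo()
	if err != nil {
		fmt.Fprintln(os.Stderr, "error:", err)
		os.Exit(1)
	}
	fmt.Printf("cwd=<rootfs> accepted:               %v\n", benign)
	fmt.Printf("cwd=/proc/self/fd/<leaked> accepted: %v\n", trick)
}
```

Run with `go run .`: the benign directory is accepted and the /proc/self/fd path is rejected. In the real vulnerability the leaked descriptor pointed at the host's /sys/fs/cgroup and the working directory came from the image's process.cwd or from runc exec; the check shown here is what stops that path from being accepted once the process has chdir'd into it.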

Impact of the Vulnerability

  1. Container Escape: Successful exploitation can allow an attacker to escape the confines of a container, gaining unauthorized access to the host system's resources and data.

  2. System Integrity Compromise: By overwriting host binaries, an attacker could disrupt essential services, leading to system instability or complete failure of critical processes.

  3. Data Breach and Loss: Access to the host filesystem can result in the exposure or deletion of sensitive information, posing a grave threat to organizational confidentiality and compliance with data protection regulations.

Affected Version(s)

runc >= v1.0.0-rc93, < 1.1.12
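A practitioner's version check for the range above, as an added example (not runc's code and not from the original page): it takes the output of `runc --version`, whose first line reads `runc version X`, and applies the affected range with correct prerelease ordering, which matters here because 1.0.0-rc93 must sort before 1.0.0 (plain string or `sort -V` comparison gets this wrong). The sample outputs are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// version is a minimal semver: three numeric components plus an optional
// prerelease tag such as "rc93". Build metadata after '+' is ignored.
type version struct {
	core [3]int
	pre  string
}

func parseVersion(s string) (version, error) {
	var v version
	s = strings.TrimPrefix(s, "v")
	if i := strings.IndexByte(s, '+'); i >= 0 {
		s = s[:i]
	}
	if i := strings.IndexByte(s, '-'); i >= 0 {
		v.pre, s = s[i+1:], s[:i]
	}
	parts := strings.Split(s, ".")
	if len(parts) != 3 {
		return v, fmt.Errorf("unexpected version %q", s)
	}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return v, fmt.Errorf("bad component %q in %q", p, s)
		}
		v.core[i] = n
	}
	return v, nil
}

func mustParse(s string) version {
	v, err := parseVersion(s)
	if err != nil {
		panic(err)
	}
	return v
}

// preNumber returns the trailing number of a prerelease tag ("rc93" -> 93).
func preNumber(pre string) int {
	i := len(pre)
	for i > 0 && pre[i-1] >= '0' && pre[i-1] <= '9' {
		i--
	}
	n, _ := strconv.Atoi(pre[i:])
	return n
}

// compare returns -1, 0 or 1. A prerelease sorts before the final release of
// the same core version, as semver requires: 1.0.0-rc93 < 1.0.0 < 1.1.12.
func compare(a, b version) int {
	for i := 0; i < 3; i++ {
		if a.core[i] != b.core[i] {
			if a.core[i] < b.core[i] {
				return -1
			}
			return 1
		}
	}
	switch {
	case a.pre == "" && b.pre == "":
		return 0
	case a.pre == "":
		return 1
	case b.pre == "":
		return -1
	}
	an, bn := preNumber(a.pre), preNumber(b.pre)
	if an != bn {
		if an < bn {
			return -1
		}
		return 1
	}
	return 0
}

// Affected range for CVE-2024-21626: >= 1.0.0-rc93 and < 1.1.12.
var (
	firstAffected = mustParse("1.0.0-rc93")
	firstFixed    = mustParse("1.1.12")
)

// extractRuncVersion pulls the version out of `runc --version` output.
func extractRuncVersion(output string) (string, error) {
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) >= 3 && f[0] == "runc" && f[1] == "version" {
			return f[2], nil
		}
	}
	return "", fmt.Errorf("no 'runc version' line found")
}

// isAffected reports whether the runc described by `runc --version` output
// falls inside the vulnerable range.
func isAffected(output string) (bool, error) {
	raw, err := extractRuncVersion(output)
	if err != nil {
		return false, err
	}
	v, err := parseVersion(raw)
	if err != nil {
		return false, err
	}
	return compare(v, firstAffected) >= 0 && compare(v, firstFixed) < 0, nil
}

func main() {
	// Constructed sample of `runc --version` output from a vulnerable host.
	const sample = "runc version 1.1.11\ncommit: (constructed)\nspec: 1.0.2-dev\n"
	affected, err := isAffected(sample)
	if err != nil {
		panic(err)
	}
	fmt.Printf("affected by CVE-2024-21626: %v\n", affected)
}
```

Feed it the real output (`runc --version`, or the runc line from `docker version` / `containerd --version` on hosts where runc is bundled) instead of the constructed sample; a result of true means the host needs 1.1.12 or later.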

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. Public PoC code is also a key building block for weaponization, including by ransomware operators: for this CVE, anyone who can get an image run or a command exec'd on an unpatched host has a ready-made route to the host filesystem.

News Articles

Illustrate runC Escape Vulnerability CVE-2024-21626 with my tests

runC, a container runtime component, published version 1.1.12 on 31 Jan 2024 to fix CVE-2024-21626, which leads to escaping from containers. The range of affected versions is >= v1.0.0-rc93…

11 months ago

runc working directory breakout (CVE-2024-21626)

An analysis of CVE-2024-21626 which is a vulnerability in runc that allows for container breakout.

11 months ago

Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog

'Leaky Vessels' is a set of container escape vulnerabilities affecting runC and BuildKit. Learn how they work and what security teams can do to mitigate them.

11 months ago

EPSS Score

1% chance of being exploited in the next 30 days.

CVSS V3.1

Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 📈 Vulnerability started trending

  • 📰 First article discovered by Snyk

  • Vulnerability published

  • Vulnerability reserved

Collectors

NVD Database, Mitre Database, Opencontainers Feed, 4 Proof of Concept(s), 11 News Article(s)