runc Vulnerability Allows Container Escape and Host File Access
CVE-2024-21626
Key Information
- Vendor: Opencontainers
- Product: Runc
- CVE Published: 31 January 2024
What is CVE-2024-21626?
CVE-2024-21626 is a significant vulnerability affecting runc, a widely used command-line interface tool for managing and running containers on Linux in accordance with the Open Container Initiative (OCI) specifications. This vulnerability arises from an internal file descriptor leak in versions 1.1.11 and earlier, which could be exploited by attackers to escape from a container and gain unauthorized access to the host's file system. Such access could potentially lead to severe security incidents, allowing malicious actors to manipulate host binaries and disrupt operations, thereby compromising the integrity and confidentiality of sensitive data.
Technical Details
The vulnerability stems from how runc handles file descriptors, specifically allowing a newly-launched container process to inherit a working directory within the host filesystem namespace. The two primary exploitation vectors are invoking a command via runc exec, or using a malicious container image with runc run. Both approaches could lead to an attacker executing arbitrary commands in the host file system, resulting in complete container escapes. Variants of these attacks further amplify the risk by permitting overwriting of semi-arbitrary host binaries.
Impact of the Vulnerability
- Container Escape: Successful exploitation can allow an attacker to escape the confines of a container, gaining unauthorized access to the host system's resources and data.
- System Integrity Compromise: By overwriting host binaries, an attacker could disrupt essential services, leading to system instability or complete failure of critical processes.
- Data Breach and Loss: Access to the host filesystem can result in the exposure or deletion of sensitive information, posing a grave threat to organizational confidentiality and compliance with data protection regulations.
Affected Version(s)
runc: >= v1.0.0-rc93, < 1.1.12
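As an added example (not code from this page or from the runc project), the following Python check decides whether a given runc version falls inside the affected range listed above, handling the release-candidate numbering that the lower bound uses. It assumes, as an assumption about upstream runc, that the first line of `runc --version` reads `runc version X.Y.Z`.

```python
import re
import subprocess

# Affected range from the advisory: >= v1.0.0-rc93 (inclusive), < 1.1.12 (exclusive)
AFFECTED_LOW = "1.0.0-rc93"
FIXED = "1.1.12"

# Accepts 'v1.1.11', '1.1.11' and '1.0.0-rc93'; anything else is rejected
_VER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")


def parse_version(s):
    """Parse a runc version string into a sortable tuple.

    A release candidate sorts before the final release of the same number:
    1.0.0-rc93 -> (1, 0, 0, 0, 93) and 1.0.0 -> (1, 0, 0, 1, 0).
    """
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {s!r}")
    major, minor, patch, rc = m.groups()
    is_final = 0 if rc is not None else 1
    return (int(major), int(minor), int(patch), is_final, int(rc or 0))


def is_affected(version):
    """True if the version is within the CVE-2024-21626 affected range."""
    v = parse_version(version)
    return parse_version(AFFECTED_LOW) <= v < parse_version(FIXED)


def version_from_output(output):
    """Extract the version from 'runc --version' output.

    Assumes (upstream runc convention) that the first line is
    'runc version X.Y.Z'; other lines (commit, spec, go) are ignored.
    """
    first = output.splitlines()[0] if output else ""
    m = re.search(r"runc version (\S+)", first)
    if not m:
        raise ValueError("could not find a version in runc output")
    return m.group(1)


def check_local_runc(binary="runc"):
    """Run the installed runc and report whether it is affected."""
    out = subprocess.run([binary, "--version"], capture_output=True,
                         text=True, check=True).stdout
    version = version_from_output(out)
    return version, is_affected(version)
```

Run check_local_runc() on a host to get the installed version and whether it needs upgrading to 1.1.12 or later.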
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.
News Articles
Illustrate runC Escape Vulnerability CVE-2024-21626 with my tests
For runC, a container runtime component, published version 1.1.12 to fix CVE-2024-21626 at 31, Jan 2024, which leads to escaping from containers. The range of affected versions are >= v1.0.0-rc93...
runc working directory breakout (CVE-2024-21626)
An analysis of CVE-2024-21626 which is a vulnerability in runc that allows for container breakout.
Leaky Vessels: Deep Dive on Container Escape Vulnerabilities | Wiz Blog
'Leaky Vessels' is a set of container escape vulnerabilities affecting runC and BuildKit. Learn how they work and what security teams can do to mitigate them.
EPSS Score
1% chance of being exploited in the next 30 days.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability reached the number 1 worldwide trending spot
- Vulnerability started trending
- First article discovered by Snyk
- Vulnerability published
- Vulnerability reserved