Overview
NSFOCUS CERT recently detected that runc has officially issued a security notice and fixed a container escape vulnerability (CVE-2024-21626). Because runc's internal file descriptors are leaked during initialization and the final working directory is not verified to be inside the container's mount namespace, attackers can escape the container in several ways.
1. runc leaked several file descriptors, including a handle to the host's /sys/fs/cgroup, to runc init. A malicious container image can therefore set process.cwd to a path that goes through one of those leaked descriptors, so that the spawned PID 1 process starts with a working directory in the host mount namespace and can access the entire host file system.
2. runc exec has the same file descriptor leak and the same missing working-directory check. If an administrator runs runc exec with the --cwd parameter and a path that a malicious process inside the container can predict, that process can replace the path with a symbolic link to /proc/self/fd/7/. Once the exec'd process runs a binary from the container image, the PR_SET_DUMPABLE protection no longer applies, and the container process can access the host file system by opening /proc/$exec_pid/cwd.
3. Attacks 1 and 2 can also be used to overwrite host binaries by specifying a path such as /proc/self/fd/7/../../bin/bash as the process.args binary. Once a host binary such as /bin/bash has been overwritten, the attacker gains full access to the host as soon as a privileged user runs that binary on the host.
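As an added, defensive illustration of the patterns described in the three attack variants above (this is example code written for this advisory page, not runc's own code or an NSFOCUS tool), the following audits an OCI runtime config.json and flags a process.cwd or process.args binary that points through a /proc/<pid>/fd/ path. The sample configs are constructed for the example. Note the deliberate choice to match the raw string: normalizing the path first would turn /proc/self/fd/7/../../bin/bash into /proc/self/bin/bash and hide the fd reference. The real fix remains upgrading runc; this check only helps spot images or configs shaped like the attack.

```python
"""Audit an OCI runtime config.json for working-directory and binary paths
that reach through /proc/<pid>/fd/ (a detection heuristic, not a fix)."""
import json
import re

# Match the raw value. Never normalize first: posixpath.normpath turns
# "/proc/self/fd/7/../../bin/bash" into "/proc/self/bin/bash", which no
# longer mentions the file descriptor at all.
_PROC_FD = re.compile(r"^/proc/(?:self|thread-self|\d+)/fd(?:/|$)")


def suspicious_paths(config: dict) -> list:
    """Return (field, value) pairs whose value references a /proc/<pid>/fd/
    path as the container's working directory or as the executed binary."""
    findings = []
    process = config.get("process") or {}
    cwd = process.get("cwd") or ""
    if _PROC_FD.match(cwd):
        findings.append(("process.cwd", cwd))
    args = process.get("args") or []
    if args and _PROC_FD.match(args[0]):
        findings.append(("process.args[0]", args[0]))
    return findings


def audit_config_json(text: str) -> list:
    """Parse a config.json document and return its suspicious paths."""
    return suspicious_paths(json.loads(text))


# Constructed sample configs for this example (not taken from a real image).
MALICIOUS_CONFIG = json.dumps({
    "ociVersion": "1.0.2-dev",
    "process": {
        "cwd": "/proc/self/fd/7/",
        "args": ["/proc/self/fd/7/../../bin/bash"],
    },
})

BENIGN_CONFIG = json.dumps({
    "ociVersion": "1.0.2-dev",
    "process": {"cwd": "/", "args": ["/bin/sh", "-c", "echo hello"]},
})

if __name__ == "__main__":
    for name, cfg in (("malicious", MALICIOUS_CONFIG), ("benign", BENIGN_CONFIG)):
        print(f"{name}: {audit_config_json(cfg)}")
```

Run it against the config.json of a bundle (for example the one under the runtime's state or bundle directory) before the container is started; an empty list means neither field references a /proc/<pid>/fd/ path.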
runc is a CLI tool for building and running containers on Linux according to the OCI specification. It is the default low-level runtime used by Docker, containerd, Podman, and CRI-O, is widely deployed, and supports multiple container formats; containers can also be run with it directly, without Docker Engine.
Reference link: https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
Scope of impact
Affected versions
1.0.0-rc93 <= runc <= 1.1.11
Unaffected versions
runc >= 1.1.12
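To turn the version range above into a repeatable check across hosts, here is an added example (written for this page, not part of runc or of NSFOCUS's advisory) that parses the output of runc --version and classifies the version against 1.0.0-rc93 <= runc <= 1.1.11. Release candidates are ordered before the final release of the same number, so 1.0.0-rc92 is reported as unaffected and 1.0.0-rc93 as affected. The sample output is constructed in the format runc prints; the commit line is a placeholder.

```python
"""Classify an installed runc against the affected range
1.0.0-rc93 <= runc <= 1.1.11 (fixed in 1.1.12)."""
import re
import subprocess

# Accepts "1.1.11", "1.0.0-rc93", "1.2.0-rc.1" and distro suffixes like "1.1.12+ds1".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?")


def version_key(version: str) -> tuple:
    """Map a version string to a sortable tuple. A release candidate sorts
    before the final release with the same number:
    1.0.0-rc93 -> (1, 0, 0, 0, 93) and 1.0.0 -> (1, 0, 0, 1, 0)."""
    match = _VERSION_RE.search(version)
    if not match:
        raise ValueError(f"unrecognised runc version: {version!r}")
    major, minor, patch, rc = match.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


AFFECTED_MIN = version_key("1.0.0-rc93")
AFFECTED_MAX = version_key("1.1.11")


def is_affected(version: str) -> bool:
    """True if the version lies inside the affected range (inclusive)."""
    return AFFECTED_MIN <= version_key(version) <= AFFECTED_MAX


def parse_runc_version_output(output: str) -> str:
    """Extract the version from `runc --version` output, whose first line
    reads 'runc version <ver>' (later lines list commit, spec, go, libseccomp)."""
    for line in output.splitlines():
        if line.startswith("runc version "):
            return line[len("runc version "):].strip()
    raise ValueError("no 'runc version' line found in output")


def check_local_runc(binary: str = "runc") -> bool:
    """Run the installed runc binary and report whether it is affected."""
    result = subprocess.run([binary, "--version"], capture_output=True,
                            text=True, check=True)
    return is_affected(parse_runc_version_output(result.stdout))


# Constructed sample in the layout runc prints; the commit is a placeholder.
SAMPLE_OUTPUT = """runc version 1.1.11
commit: v1.1.11-0-g<placeholder>
spec: 1.0.2-dev
go: go1.20.13
libseccomp: 2.5.4
"""

if __name__ == "__main__":
    ver = parse_runc_version_output(SAMPLE_OUTPUT)
    print(f"sample runc {ver}: affected={is_affected(ver)}")
    try:
        print(f"local runc affected={check_local_runc()}")
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query local runc: {exc}")
```

Because Docker, containerd, Podman and CRI-O each ship or bundle their own runc, run the check against the binary those engines actually invoke (check_local_runc accepts a path) rather than only the one first on PATH.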
Mitigation
Official upgrade
This vulnerability has been fixed in the latest official version. Please upgrade to the fixed version as soon as possible. Official download link: https://github.com/opencontainers/runc/releases
Statement
This advisory is only used to describe potential risks. NSFOCUS makes no promises or undertakings regarding this recommendation. NSFOCUS and the authors assume no responsibility for any direct and/or indirect consequences and losses caused by the submission and/or use of this advisory. NSFOCUS reserves all rights to modify and interpret this advisory. If you reproduce or transmit this advisory, please include this statement paragraph. Do not modify this advisory, add/delete information, or use this advisory for commercial purposes without permission from NSFOCUS.
About NSFOCUS
NSFOCUS, Inc. is a global leader in network and cyber security, protecting businesses and carriers from advanced cyber attacks. The company's intelligent hybrid security strategy leverages both cloud and on-premises security platforms built on a foundation of real-time global threat intelligence to provide multi-layered, integrated and dynamic protection against advanced cyber-attacks.
NSFOCUS works with Fortune Global 500 companies, including four of the world’s five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, and government agencies. NSFOCUS has technology and channel partners in more than 60 countries and is a member of both the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA).
A wholly owned subsidiary of NSFOCUS Technologies Group Co., Ltd., the company has operations in the Americas, Europe, the Middle East, and Asia Pacific.
The post Runc container escape vulnerability alert first appeared on NSFOCUS. This is a syndicated blog from the Security Bloggers Network, written by NSFOCUS. See the original post here: https://nsfocusglobal.com/runc-container-escape-vulnerability-alert/