Описание
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
A file descriptor leak issue was found in the runc package. While a user performs O_CLOEXEC all file descriptors before executing the container code, the file descriptor is open when performing setcwd(2), which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after execve, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.
Отчет
These vulnerabilities not only enable malicious actors to escape containerized environments but also allow for full control over the underlying host system. With the widespread adoption of containerization technologies in both development and production environments, such exploits pose significant risks to data integrity, confidentiality, and system stability. OpenShift Container Platform ships with SELinux in targeted enforcing mode, which prevents the container processes from accessing host content and mitigates this attack, and disabling SELinux on the Openshift container platform is not supported. Hence, the impact of the Openshift Container Platform is reduced to Moderate. For multicluster-engine (MCE) vulnerable versions of buildkit and runc are part of installed version of oc. However, they are not affecting the higher-level assisted-installer binary in MCE. The presence of these dependencies in the container does not imply a security risk to the containerized application itself, as it is based on low-level packages included in the oc binary, and the impact to the container's core functionality is minimal. This flaw doesn't affect the OpenShift Tools & Services as the affected code is only used for testing and is not exposed to the final user.
Меры по смягчению последствий
Red Hat Enterprise Linux (RHEL) and OpenShift ships with SELinux in targeted enforcing mode, which prevents the container processes from accessing host content and mitigates this attack. Dockerfiles can be inspected on the 'RUN' and 'WORKDIR' directives to ensure that there are no escapes or malicious paths, which are an indication of compromise. Limiting access and only using trusted container images can help prevent unauthorized access and malicious attacks.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | ocp-tools-4/jenkins-agent-base-rhel8 | Under investigation | ||
| Power monitoring for Red Hat OpenShift | kepler-container | Under investigation | ||
| Red Hat Enterprise Linux 10 | buildah | Not affected | ||
| Red Hat Enterprise Linux 10 | containers-common | Not affected | ||
| Red Hat Enterprise Linux 10 | podman | Not affected | ||
| Red Hat Enterprise Linux 9 | buildah | Under investigation | ||
| Red Hat Enterprise Linux 9 | podman | Not affected | ||
| Red Hat OpenShift Container Platform 4 | buildah | Under investigation | ||
| Red Hat OpenShift Container Platform 4 | cri-o | Under investigation | ||
| Red Hat OpenShift Container Platform 4 | cri-tools | Under investigation |
Показывать по
Дополнительная информация
Статус:
8.6 High
CVSS3
Связанные уязвимости
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.
GitHub: CVE-2024-21626 Container breakout through process.cwd trickery and leaked fds
runc is a CLI tool for spawning and running containers on Linux accord ...
8.6 High
CVSS3