CVE-2023-27561 - Runc Incorrect Access Control Leads to Escalation of Privileges: Analyzing How an Old Issue Resurfaces

As a robust and popular container runtime engine, runc is a critical component in modern development and infrastructure management. Unfortunately, maintaining its security and stability is an ever-evolving challenge. The recent discovery of CVE-2023-27561 highlights a key vulnerability in runc (versions through 1.1.4) with incorrect access control, leading to potential privilege escalation. In this post, we'll delve into the specifics of this vulnerability, the relationship to its precursor CVE-2019-19921, and the conditions required to exploit it.

Analysis

CVE-2023-27561 directly affects the libcontainer/rootfs_linux.go file, which is responsible for managing containers' file system operations. A lack of proper access control mechanisms in this file allows attackers to potentially exploit the vulnerability to gain unintended privileges within the affected container environment. Interestingly, CVE-2019-19921, a previously disclosed vulnerability, had a similar effect – leading one to wonder how this regression occurred.

To better understand the CVE-2023-27561 vulnerability, let's take a look at the code snippet from libcontainer/rootfs_linux.go highlighted by researchers:

func remount(m *configs.Mount, rootfs, mntDir string) error {
...
flags |= syscall.MS_REC
...
if err := syscall.Mount(m.Source, mntDir, m.Device, uintptr(flags), ""); err != nil {
...
}
...

The code above, specifically the use of syscall.Mount, lacks proper access control mechanisms leading to the potential escalation of privileges. This issue seems to be a regression caused by the incomplete resolution of the earlier CVE-2019-19921 vulnerability.

Be able to run custom images inside the containers.

In order to create this scenario, the attacker can use the Docker command-line interface (CLI) to create custom images and then mount the volumes accordingly. Once this has been accomplished, the attacker may manipulate the containers' operations to escalate their privileges within the environment. It is important to note that this vulnerability does not have any known active exploits at the time of writing. However, being aware of these conditions and taking preventive measures is crucial for ensuring security.

Mitigation

To safeguard against CVE-2023-27561 exploitation, users must update runc to version 1.1.5 or later, which patches the vulnerability. It is also advisable to restrict access to custom images and volume-mount configurations, ensuring that only trusted parties can create and manage them.

References

1. Original advisory for CVE-2023-27561
2. CVE-2019-19921 reference
3. Runc GitHub Repository
4. Docker Engine (includes runc) release notes

Conclusion

CVE-2023-27561 reflects the ongoing struggle to maintain security within complex software ecosystems. The fact that this vulnerability is a regression from a previous issue reinforces the importance of comprehensive security testing and vigilance. Developers, administrators, and users must always be more conscious of the ever-evolving landscape of vulnerabilities and potential exploits. By staying informed and practicing secure configuration and deployment methods, organizations can significantly minimize the risks associated with such vulnerabilities. Remember to always update your software components, especially critical runtime engines like runc, to the latest versions to ensure you are protected against known security issues.

Timeline

Published on: 03/03/2023 19:15:00 UTC
Last modified on: 04/21/2023 04:15:00 UTC