_runc_ is an essential Command Line Interface (CLI) tool for spawning and running containers on Linux. It allows users to manage containers according to the Open Container Initiative (OCI) specification. However, in runc 1.1.11 and earlier versions, a newly disclosed vulnerability, CVE-2024-21626, lets attackers escape the container by reaching the host filesystem.

Background and Vulnerability Details

The vulnerability in question (CVE-2024-21626) stems from an internal file descriptor leak. The leaked descriptor could let a malicious actor cause a new container process (spawned via runc exec) to have a working directory that resides in the host filesystem namespace. From there, the attacker could escape the container and gain unauthorized access to the host filesystem (“attack 2”).

Furthermore, the same leak could be exploited by a malicious image to give a container process access to the host filesystem through runc run (“attack 1”). Variants of attacks 1 and 2, identified as “attack 3a” and “attack 3b”, could also be used to overwrite semi-arbitrary host binaries, which can lead to complete container escapes.

The runc team has addressed this issue in the runc 1.1.12 release, which includes patches to mitigate the vulnerability.

Code Snippet

Given below is a snippet from the patch supplied by the runc team for CVE-2024-21626. It closes the leak of internal file descriptors that made these container escapes possible.

...
diff --git a/libcontainer/factory_linux.go b/libcontainer/factory_linux.go
index 0868a8c..5b7d394 100644
--- a/libcontainer/factory_linux.go
+++ b/libcontainer/factory_linux.go
@@ -106,8 +106,13 @@ func (l *LinuxFactory) execNewProcess(config *configs.Config, process *Process,+
	// to prevent the descriptor leak.
	close(pipes[1])
	// Ensure the CLOSE_ON_EXEC is set on the read pipe.
+	err = syscall.SetFdCloexec(pipes[], 1)
+	if err != nil {
+		return err
+	}
	// Set the CloseOnExec flag.
...
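To make the defensive side of the patch concrete, the following is an added example (my own code, not from the runc project or the patch above) that audits which descriptors of the current process would survive an execve because FD_CLOEXEC is clear, then applies the same fix the patch relies on, fcntl(F_SETFD, FD_CLOEXEC), and shows the pipe end dropping out of that list. It assumes Linux and uses only Go's standard library; the function names are mine.

```go
package main

import (
	"os"
	"strconv"
	"syscall"
)

// fdCloexec reports whether fd has FD_CLOEXEC set (fcntl F_GETFD); ok is false if fd is invalid.
func fdCloexec(fd int) (set, ok bool) {
	flags, _, errno := syscall.Syscall(syscall.SYS_FCNTL, uintptr(fd), syscall.F_GETFD, 0)
	return flags&syscall.FD_CLOEXEC != 0, errno == 0
}

// inheritableFds returns this process's descriptors above stderr that an exec'd child would
// inherit because FD_CLOEXEC is clear: the kind of leak runc had. A descriptor closed between
// the listing and the check (ReadDir's own handle) is simply skipped.
func inheritableFds() (map[int]bool, error) {
	entries, err := os.ReadDir("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	leaked := map[int]bool{}
	for _, e := range entries {
		fd, err := strconv.Atoi(e.Name())
		if err != nil || fd <= 2 {
			continue
		}
		if set, ok := fdCloexec(fd); ok && !set {
			leaked[fd] = true
		}
	}
	return leaked, nil
}

// pipeLeakDemo opens a pipe without CLOEXEC (syscall.Pipe leaves it clear on Linux), checks
// whether its read end would be inherited, applies fcntl(F_SETFD, FD_CLOEXEC), and checks again.
func pipeLeakDemo() (leakedBefore, leakedAfter bool, err error) {
	var p [2]int
	if err = syscall.Pipe(p[:]); err != nil {
		return
	}
	defer func() { syscall.Close(p[0]); syscall.Close(p[1]) }()
	before, err := inheritableFds()
	if err != nil {
		return
	}
	syscall.CloseOnExec(p[0]) // the fix: sets FD_CLOEXEC via fcntl(F_SETFD)
	after, err := inheritableFds()
	return before[p[0]], after[p[0]], err
}
```

Run inheritableFds in a process that is about to exec a container workload and anything it lists beyond the intended stdio is a candidate leak worth closing or marking CLOEXEC first.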

Original References

For more information regarding the vulnerability and its impact, please refer to the following sources:
1. runc GitHub Repository
2. Open Container Initiative (OCI) Specification
3. CVE-2024-21626 Vulnerability Record

Summary

CVE-2024-21626 is a critical vulnerability discovered in runc 1.1.11 and earlier versions. The flaw potentially enables attackers to gain unauthorized access to the host filesystem or execute complete container escapes. Users are strongly advised to update their runc installations to version 1.1.12 or later to mitigate this vulnerability.

Timeline

Published on: 01/31/2024 22:15:53 UTC
Last modified on: 02/11/2024 06:15:11 UTC