CVE-2024-21626

Description

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

CVSS Metrics

• v3.1•HIGH•Score: 8.6CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

EPSS Trends

Current EPSS score: 5.08%• Percentile: 90%

Techniques & Countermeasures

• CWE-403•Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

  A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.

• CWE-668•Exposure of Resource to Wrong Sphere

  The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.

Affected Systems

• fedoraproject•fedora

  39

• github.com/opencontainers•runc

  ≥ 1.0.0-rc93, < 1.1.12

• linuxfoundation•runc

  < 1.1.12

• opencontainers•runc

  ≥ v1.0.0-rc93, < 1.1.12

References (14)

• https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
• https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
• https://github.com/opencontainers/runc/releases/tag/v1.1.12
• http://www.openwall.com/lists/oss-security/2024/02/01/1
• http://www.openwall.com/lists/oss-security/2024/02/02/3
• http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/
• https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
• https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626
• https://nvd.nist.gov/vuln/detail/CVE-2024-21626
• https://github.com/opencontainers/runc
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL