13 results (0.009 seconds)

CVSS: 3.6EPSS: 0%CPEs: 2EXPL: 0

CVE-2024-45310 – runc can be confused to create empty files/directories on the host

https://notcve.org/view.php?id=CVE-2024-45310

runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be truncated. An attacker must have the ability to start containers using some kind of custom volume configuration. Containers using user namespaces are still affected, but the scope of places an attacker can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's scope but the exact scope of protection hasn't been analysed. • https://github.com/opencontainers/runc/commit/63c2908164f3a1daea455bf5bcd8d363d70328c7 https://github.com/opencontainers/runc/commit/8781993968fd964ac723ff5f360b6f259e809a3e https://github.com/opencontainers/runc/commit/f0b652ea61ff6750a8fcc69865d45a7abf37accf https://github.com/opencontainers/runc/pull/4359 https://github.com/opencontainers/runc/security/advisories/GHSA-jfvp-7x6p-h2pv • CWE-61: UNIX Symbolic Link (Symlink) Following CWE-363: Race Condition Enabling Link Following •

CVSS: 8.6EPSS: 5%CPEs: 2EXPL: 13

CVE-2024-21626 – runc container breakout through process.cwd trickery and leaked fds

https://notcve.org/view.php?id=CVE-2024-21626

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue. runc es una herramienta CLI para generar y ejecutar contenedores en Linux de acuerdo con la especificación OCI. En runc 1.1.11 y versiones anteriores, debido a una fuga interna de un descriptor de archivo, un atacante podría provocar que un proceso contenedor recién generado (de runc exec) tuviera un directorio de trabajo en el espacio de nombres del sistema de archivos del host, lo que permitiría un escape del contenedor al otorgar acceso. al sistema de archivos del host ("ataque 2"). • https://github.com/NitroCao/CVE-2024-21626 https://github.com/cdxiaodong/CVE-2024-21626 https://github.com/KubernetesBachelor/CVE-2024-21626 https://github.com/Wall1e/CVE-2024-21626-POC https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC https://github.com/zpxlz/CVE-2024-21626-POC https://github.com/zhangguanzhang/CVE-2024-21626 https://github.com/laysakura/CVE-2024-21626-demo https://github.com/Sk3pper/CVE-2024-21626 https://github.com/abian2/CVE-2024-21626 https:// • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') CWE-668: Exposure of Resource to Wrong Sphere •

CVSS: 6.3EPSS: 0%CPEs: 1EXPL: 1

CVE-2023-25809 – rootless: `/sys/fs/cgroup` is writable when cgroupns isn't unshared in runc

https://notcve.org/view.php?id=CVE-2023-25809

runc is a CLI tool for spawning and running containers according to the OCI specification. In affected versions it was found that rootless runc makes `/sys/fs/cgroup` writable in following conditons: 1. when runc is executed inside the user namespace, and the `config.json` does not specify the cgroup namespace to be unshared (e.g.., `(docker|podman|nerdctl) run --cgroupns=host`, with Rootless Docker/Podman/nerdctl) or 2. when runc is executed outside the user namespace, and `/sys` is mounted with `rbind, ro` (e.g., `runc spec --rootless`; this condition is very rare). A container may gain the write access to user-owned cgroup hierarchy `/sys/fs/cgroup/user.slice/...` on the host . Other users's cgroup hierarchies are not affected. Users are advised to upgrade to version 1.1.5. • https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17 https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc https://access.redhat.com/security/cve/CVE-2023-25809 https://bugzilla.redhat.com/show_bug.cgi?id=2182884 • CWE-276: Incorrect Default Permissions CWE-281: Improper Preservation of Permissions •

CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0

CVE-2023-28642 – AppArmor bypass with symlinked /proc in runc

https://notcve.org/view.php?id=CVE-2023-28642

runc is a CLI tool for spawning and running containers according to the OCI specification. It was found that AppArmor can be bypassed when `/proc` inside the container is symlinked with a specific mount configuration. This issue has been fixed in runc version 1.1.5, by prohibiting symlinked `/proc`. See PR #3785 for details. users are advised to upgrade. Users unable to upgrade should avoid using an untrusted container image. • https://github.com/opencontainers/runc/pull/3785 https://github.com/opencontainers/runc/security/advisories/GHSA-g2j6-57v7-gm8c https://access.redhat.com/security/cve/CVE-2023-28642 https://bugzilla.redhat.com/show_bug.cgi?id=2182883 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-281: Improper Preservation of Permissions CWE-305: Authentication Bypass by Primary Weakness •

CVSS: 7.0EPSS: 0%CPEs: 5EXPL: 1

CVE-2023-27561 – runc: volume mount race condition (regression of CVE-2019-19921)

https://notcve.org/view.php?id=CVE-2023-27561

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression. A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume. • https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 https://github.com/opencontainers/runc/issues/3751 https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF https://lists.fedoraproject.org • CWE-41: Improper Resolution of Path Equivalence CWE-706: Use of Incorrectly-Resolved Name or Reference •