CVE-2019-19921

runc: volume mount race condition with shared mounts leads to information leak/integrity manipulation

Severity Score

7.0

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

runc through 1.0.0-rc9 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. (This vulnerability does not affect Docker due to an implementation detail that happens to block the attack.)

runc versiones hasta 1.0.0-rc9, posee un Control de Acceso Incorrecto conllevando a una escalada de privilegios, relacionado con el archivo libcontainer/rootfs_linux.go. Para explotar esto, un atacante debe ser capaz de generar dos contenedores con configuraciones de montaje de volumen personalizadas y ser capaz de ejecutar imágenes personalizadas. (Esta vulnerabilidad no afecta a Docker debido a un detalle de implementación que bloquea el ataque).

A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization, by adding a symlink to the rootfs that points to a directory on the volume. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

USN-6088-1 fixed vulnerabilities in runC. This update provides the corresponding updates for Ubuntu 16.04 LTS. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories. An attacker could possibly use this issue to escalate privileges. Felix Wilhelm discovered that runC incorrecly handled netlink messages. An attacker could possibly use this issue to escalate privileges.

*Credits: N/A

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Medium

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-12-22 CVE Reserved
2020-02-12 CVE Published
2024-08-05 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-41: Improper Resolution of Path Equivalence
CWE-706: Use of Incorrectly-Resolved Name or Reference

CAPEC

References (17)

URL	Tag	Source
https://github.com/opencontainers/runc/pull/2190	Issue Tracking
https://github.com/opencontainers/runc/releases	Third Party Advisory
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html	Mailing List
https://security-tracker.debian.org/tracker/CVE-2019-19921	Third Party Advisory

URL	Date	SRC

URL	Date	SRC
https://github.com/opencontainers/runc/issues/2197	2023-11-07

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0688	2023-11-07
https://access.redhat.com/errata/RHSA-2020:0695	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ	2023-11-07
https://security.gentoo.org/glsa/202003-21	2023-11-07
https://usn.ubuntu.com/4297-1	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-19921	2020-04-28
https://bugzilla.redhat.com/show_bug.cgi?id=1796107	2020-04-28

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				<= 0.1.1 Search vendor "Linuxfoundation" for product "Runc" and version " <= 0.1.1"		-		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc1		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc2		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc3		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc4		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc5		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc6		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc7		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc8		Affected
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				1.0.0 Search vendor "Linuxfoundation" for product "Runc" and version "1.0.0"		rc9		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				9.0 Search vendor "Debian" for product "Debian Linux" and version "9.0"		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0"		-		Affected
Opensuse Search vendor "Opensuse"		Leap Search vendor "Opensuse" for product "Leap"				15.1 Search vendor "Opensuse" for product "Leap" and version "15.1"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.10"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.1 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.1"		-		Affected
Redhat Search vendor "Redhat"		Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform"				4.2 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.2"		-		Affected