CVE-2021-43784
Overflow in netlink bytemsg length field allows attacker to override netlink-based container configuration
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for passing the relevant container configuration to the `C` portion of the code (responsible for the namespace-based setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths in your container configuration. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug.
An integer overflow vulnerability was found in runC. The issue occurs because the netlink encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type. This flaw allows an attacker who can include a large enough malicious byte array attribute to bypass the namespace restrictions of the container by simply adding their own netlink payload, which disables all namespaces.
SSVC
- Decision:Track
Timeline
- 2021-11-16 CVE Reserved
- 2021-12-06 CVE Published
- 2024-02-28 EPSS Updated
- 2024-10-15 CVE Updated
- 2024-10-15 First Exploit
- (no date) Exploited in Wild
- (no date) KEV Due Date
CWE
- CWE-190: Integer Overflow or Wraparound
References (9)
URL | Tag | Date
---|---|---
https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html | Mailing List | -
https://bugs.chromium.org/p/project-zero/issues/detail?id=2241 | - | 2024-10-15
https://lists.debian.org/debian-lts-announce/2021/12/msg00005.html | - | 2024-02-19
https://access.redhat.com/security/cve/CVE-2021-43784 | - | 2023-11-07
https://bugzilla.redhat.com/show_bug.cgi?id=2029439 | - | 2023-11-07
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Linuxfoundation | Runc | < 1.0.3 | - | Affected
Debian | Debian Linux | 9.0 | - | Affected