CVE-2023-27561
runc: volume mount race condition (regression of CVE-2019-19921)
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
1Exploited in Wild
-Decision
Descriptions
runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.
A flaw was found in runc. An attacker who controls the container image for two containers that share a volume can race volume mounts during container initialization by adding a symlink to the rootfs that points to a directory on the volume.
It was discovered that runC incorrectly made /sys/fs/cgroup writable when in rootless mode. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly performed access control when mounting /proc to non-directories. An attacker could possibly use this issue to escalate privileges. It was discovered that runC incorrectly handled /proc and /sys mounts inside a container. An attacker could possibly use this issue to bypass AppArmor, and potentially SELinux.
CVSS Scores
SSVC
- Decision:Track*
Timeline
- 2023-03-03 CVE Reserved
- 2023-03-03 CVE Published
- 2024-12-06 CVE Updated
- 2024-12-06 First Exploit
- 2025-04-19 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-41: Improper Resolution of Path Equivalence
- CWE-706: Use of Incorrectly-Resolved Name or Reference
CAPEC
References (11)
| URL | Tag | Source |
|---|---|---|
| https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334 | Issue Tracking | |
| https://github.com/opencontainers/runc/issues/3751 | Issue Tracking | |
| https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html | Mailing List |
|
| URL | Date | SRC |
|---|---|---|
| https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9 | 2024-12-06 |
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Linuxfoundation Search vendor "Linuxfoundation" | Runc Search vendor "Linuxfoundation" for product "Runc" | < 1.1.5 Search vendor "Linuxfoundation" for product "Runc" and version " < 1.1.5" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Openshift Container Platform Search vendor "Redhat" for product "Openshift Container Platform" | 4.0 Search vendor "Redhat" for product "Openshift Container Platform" and version "4.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux" | 9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0" | - |
Affected
| ||||||
| Debian Search vendor "Debian" | Debian Linux Search vendor "Debian" for product "Debian Linux" | 10.0 Search vendor "Debian" for product "Debian Linux" and version "10.0" | - |
Affected
| ||||||