CVE-2024-21626

runc container breakout through process.cwd trickery and leaked fds

Severity Score

8.6

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

runc es una herramienta CLI para generar y ejecutar contenedores en Linux de acuerdo con la especificación OCI. En runc 1.1.11 y versiones anteriores, debido a una fuga interna de un descriptor de archivo, un atacante podría provocar que un proceso contenedor recién generado (de runc exec) tuviera un directorio de trabajo en el espacio de nombres del sistema de archivos del host, lo que permitiría un escape del contenedor al otorgar acceso. al sistema de archivos del host ("ataque 2"). El mismo ataque podría ser utilizado por una imagen maliciosa para permitir que un proceso contenedor obtenga acceso al sistema de archivos del host a través de runc run ("ataque 1"). Las variantes de los ataques 1 y 2 también podrían usarse para sobrescribir archivos binarios de host semiarbitrarios, permitiendo escapes completos de contenedores ("ataque 3a" y "ataque 3b"). runc 1.1.12 incluye parches para este problema.

A file descriptor leak issue was found in the runc package. While a user performs `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when performing `setcwd(2)`, which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after `execve`, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.

runc versions 1.1.11 and below, as used by containerization technologies such as Docker engine and Kubernetes, are vulnerable to an arbitrary file write vulnerability. Due to a file descriptor leak it is possible to mount the host file system with the permissions of runc (typically root). Successfully tested on Ubuntu 22.04 with runc 1.1.7-0ubuntu1~22.04.1 using Docker build.

*Credits: N/A

CVSS Scores

NISTv3.1 8.6

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-12-29 CVE Reserved
2024-01-31 CVE Published
2024-02-01 First Exploit
2024-02-19 EPSS Updated
2024-08-19 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date

CWE

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-668: Exposure of Resource to Wrong Sphere

CAPEC

References (23)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2024/02/01/1	Mailing List
http://www.openwall.com/lists/oss-security/2024/02/02/3	Mailing List
https://github.com/opencontainers/runc/releases/tag/v1.1.12	Release Notes
https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL	Mailing List

URL	Date	SRC
https://github.com/NitroCao/CVE-2024-21626	2024-02-06
https://github.com/cdxiaodong/CVE-2024-21626	2024-02-02
https://github.com/KubernetesBachelor/CVE-2024-21626	2024-04-11
https://github.com/Wall1e/CVE-2024-21626-POC	2024-02-02
https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC	2024-02-05
https://github.com/zpxlz/CVE-2024-21626-POC	2024-02-01
https://github.com/zhangguanzhang/CVE-2024-21626	2024-02-02
https://github.com/laysakura/CVE-2024-21626-demo	2024-02-02
https://github.com/Sk3pper/CVE-2024-21626	2024-08-21
https://github.com/abian2/CVE-2024-21626	2024-06-03
https://github.com/FlojBoj/CVE-2024-21626	2024-09-02
http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html	2024-08-19
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv	2024-08-19

URL	Date	SRC
https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf	2024-02-19

URL	Date	SRC
https://access.redhat.com/security/cve/CVE-2024-21626	2024-07-17
https://bugzilla.redhat.com/show_bug.cgi?id=2258725	2024-07-17
https://access.redhat.com/security/vulnerabilities/RHSB-2024-001	2024-07-17

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Linuxfoundation Search vendor "Linuxfoundation"		Runc Search vendor "Linuxfoundation" for product "Runc"				< 1.1.12 Search vendor "Linuxfoundation" for product "Runc" and version " < 1.1.12"		-		Affected
Fedoraproject Search vendor "Fedoraproject"		Fedora Search vendor "Fedoraproject" for product "Fedora"				39 Search vendor "Fedoraproject" for product "Fedora" and version "39"		-		Affected