RunC Flaws Allow Attackers to Escape Containers and Gain Host Access

Multiple security vulnerabilities have been disclosed in RunC, one of the prominent command-line tools. Threat actors could exploit them to escape the bounds of the container and stage follow-on attacks.

The vulnerabilities are tracked as:

  • CVE-2024-21626
  • CVE-2024-23651
  • CVE-2024-23652
  • CVE-2024-23653

The cybersecurity vendor Snyk has dubbed these flaws Leaky Vessels.

As per the report that was shared with The Hacker News, "These container escapes could allow an attacker to acquire unauthorized access to the underlying host operating system from within the container and potentially permit access to customers’ confidential data and launch further attacks, especially when the access gained includes superuser privileges."

RunC is a tool that creates and runs containers on Linux. It was originally developed in the form of Rouster and later evolved into a separate open-source library in 2015.

A brief description of each vulnerability follows:

  • CVE-2024-21626 (CVSS score: 8.6) - runC process.cwd and leaked fds container breakout
  • CVE-2024-23651 (CVSS score: 8.7) - Build-time race condition container breakout
  • CVE-2024-23652 (CVSS score: 10.0) - Buildkit Build-time Container Teardown Arbitrary Delete
  • CVE-2024-23653 (CVSS score: 9.8) - GRPC SecurityMode privilege check: Build-time container breakout

One of the most severe of the flaws is CVE-2024-21626, which could result in a container escape centered on the `WORKDIR` command.

In the words of Snyk, "This could occur by running a malicious image or by forming a container image with the use of a malicious Dockerfile or upstream image."

There is no valid evidence that the discovered shortcomings have been exploited. The issues have nevertheless been addressed in RunC version 1.1.12. The tool was released in November 2023.

As per the statement given by the company, “These flaws impact widely used low-level container engine constituents and container build tools. As a result, Snyk highly recommends that users check for updates from any vendors offering their container runtime environments, including Docker, Kubernetes vendors, cloud container services, and open-source communities.”
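One way to act on that recommendation for RunC itself is to compare the installed version against 1.1.12, the fixed release named above. This script is an added example, not code from the original article, Snyk or the runc project; the function names are hypothetical and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: is the local runc at or above 1.1.12, the fixed release
# named in the article? Function names here are hypothetical.
FIXED_VERSION="1.1.12"

# Pull "X.Y.Z" out of the first line of `runc --version` output.
# Any suffix after X.Y.Z (for example "+dev") is ignored.
parse_runc_version() {
    printf '%s\n' "$1" |
        sed -n '1s/^runc version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# Return 0 when version $1 >= version $2. Components are compared as
# numbers, so 1.1.9 sorts below 1.1.12 (a string compare gets this wrong).
version_ge() {
    a=$1 b=$2
    for i in 1 2 3; do
        x=${a%%.*} y=${b%%.*}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        a=${a#*.} b=${b#*.}
    done
    return 0
}

# Print a verdict for raw `runc --version` output.
# Returns 0 = fixed version or later, 1 = older, 2 = unparseable.
check_runc_output() {
    ver=$(parse_runc_version "$1")
    [ -n "$ver" ] || { echo "UNKNOWN: no runc version found in output"; return 2; }
    if version_ge "$ver" "$FIXED_VERSION"; then
        echo "OK: runc $ver is at or above $FIXED_VERSION"
    else
        echo "OUTDATED: runc $ver is below $FIXED_VERSION, update the runtime"
        return 1
    fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_OLD='runc version 1.1.11
commit: PLACEHOLDER'
SAMPLE_NEW='runc version 1.1.12
commit: PLACEHOLDER'
check_runc_output "$SAMPLE_OLD" || true
check_runc_output "$SAMPLE_NEW" || true
# Live check, only when runc is on PATH.
if command -v runc >/dev/null 2>&1; then
    check_runc_output "$(runc --version)" || true
fi
```

Vendor and distribution packages can carry backported fixes under an older upstream version number, so treat an OUTDATED result as a prompt to check the vendor's advisory rather than as proof of exposure.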

In the words of a rouster who was working in an advisory independently, “There is a possibility of the exploitation of the flaws only when the user is actively engaged with malicious content and also implements it not only into the formation procedure but also to run a container from a rogue image.”

Docker said, “Potential impacts involve illegal access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape.”

Amazon Web Services (AWS) and Google Cloud have also released their own alerts, urging customers to take suitable action where required.

In February 2019, RunC maintainers addressed another high-severity flaw, CVE-2019-5736 (CVSS score: 8.6), which let an attacker break out of the container and acquire root access to the host.

Cloud and container security weaknesses continue to pose an attack risk. Organizations grant additional permissions and administrative privileges to accounts at the beginning of the setup process, which leaves behind misconfigurations and privilege escalation opportunities for attackers.

According to Sysdig's Cloud-Native Security and Usage Report of 2024, “This practice generates so many risks when a majority of severe cloud security incidents with material impact are tied to the failed management of identities, access, and privileges. It's often the initial attack vector in an attack chain, and this identity compromise inevitably leads to application abuse, system compromise, or data exfiltration.”