RHSB-2024-001 Leaky Vessels - runc - (CVE-2024-21626)

Executive summary

Red Hat is aware of a vulnerability in a core container infrastructure component,  'runc', that allows container escapes. An attacker could use these container escapes to gain unauthorized access to the underlying host operating system from within the container. There are several methods in which an attacker could exploit this vulnerability. They can trick a user into using or building a malicious image or use a malicious process within the container that may be executed with 'runc exec'.

This issue is assigned CVE-2024-21626, rated with a severity impact of Important. 

The following Red Hat product versions are directly affected:

• Red Hat OpenShift Container Platform 4

• Red Hat OpenShift Container Platform 3.11 

• Red Hat Enterprise Linux 7

• Red Hat Enterprise Linux 8 

• Red Hat Enterprise Linux 9

Further, any Red Hat product that is supported on Red Hat Enterprise Linux, including RHEL CoreOS, is also potentially impacted. 

This includes the following: 

• Product containers that are based on RHEL or UBI container images. These images are updated regularly and the container health indicating whether a fix to this flaw is available can be seen in the Container Health Index, part of the Red Hat Container Catalog. In addition, any customer containers should be rebuilt when the base images are updated.

• Products that pull packages from the RHEL channel, including layered products such as Red Hat OpenShift Container Platform, Red Hat OpenStack Platform, Red Hat Virtualization.

Please ensure that the underlying RHEL 'runc' package is current in these product environments.

For more details on related vulnerabilities affecting Moby BuildKit, please refer to the following CVE pages: CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653.

Technical summary

When evaluating the 'WORKDIR' and 'RUN' directives in the 'Dockerfile', 'runc' is susceptible to a File Descriptor Leak attack and subsequent Path Traversal. Due to this weak control of provided paths, the container can be bound to other directories on the host system, allowing access to other resources on the host system.

Mitigation

Red Hat Enterprise Linux (RHEL) and OpenShift ships with SELinux in targeted enforcing mode, which prevents the container processes from accessing host content and mitigates this attack. Dockerfiles can be inspected on the 'RUN' and 'WORKDIR' directives to ensure that there are no escapes or malicious paths, which are an indication of compromise. Limiting access and only using trusted container images can help prevent unauthorized access and malicious attacks.

Technical details

This vulnerability is rooted in how 'runc' processes the 'WORKDIR' directive within Dockerfiles. When specifying the initial working directory for processes created during the 'build' or 'RUN' operations, 'runc' changes the directory using 'rchdir' before closing certain privileged host directory file descriptors. This oversight allows an attacker to manipulate the 'WORKDIR' directive, potentially specifying a privileged file descriptor via the '/proc/self/fd/' directory. Consequently, even after 'runc' closes the file descriptor during normal operations, it remains accessible, facilitating unauthorized access to sensitive host files and the creation of arbitrary files within the host filesystem. The way that this flaw handles 'WORKDIR' poses a significant security risk, enabling container breakout and potential compromise of the host operating system.

Updates for affected products

Red Hat customers running affected versions of these Red Hat products are strongly recommended to update as soon as errata are available. Customers are urged to apply the available updates immediately and enable the mitigations as appropriate.  

References

• https://thehackernews.com/2024/02/runc-flaws-enable-container-escapes.html

• https://aws.amazon.com/security/security-bulletins/AWS-2024-001/

• https://cloud.google.com/anthos/clusters/docs/security-bulletins#gcp-2024-005-gke

• https://snyk.io/blog/leaky-vessels-docker-runc-container-breakout-vulnerabilities/

• https://ubuntu.com/security/notices/USN-6619-1