Malicious containers

Four vulnerabilities collectively called “Leaky Vessels” allow hackers to escape containers and access data on the underlying host operating system.

The flaws were discovered by Snyk security researcher Rory McNamara in November 2023, who reported them to impacted parties for fixing.

Snyk has found no signs of active exploitation of the Leaky Vessels flaws in the wild, but the publicity could change the exploitation status, so all impacted system admins are recommended to apply the available security updates as soon as possible.

Escaping containers

Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.

Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.

Snyk team has found four vulnerabilities collectively called “Leaky Vessels” that impact the runc and Buildkit container infrastructure and build tools, potentially allowing attackers to perform container escape on various software products.

Demonstration of Leaky Vessels exploit to access data on host
Demonstration of Leaky Vessels exploit to access data on host
Source: Snyk

As runc or Buildkit are used by a wide range of popular container management software, such as Docker and Kubernetes, the exposure to attacks becomes far more significant.

The Leaky Vessels flaws are summarized below:

  • CVE-2024-21626: Bug stemming from an order-of-operations flaw with the WORKDIR command in runc. It allows attackers to escape the isolated environment of the container, granting unauthorized access to the host operating system and potentially compromising the entire system.
  • CVE-2024-23651: A race condition within Buildkit’s mount cache handling leading to unpredictable behavior, potentially allowing an attacker to manipulate the process for unauthorized access or to disrupt normal container operations.
  • CVE-2024-23652: Flaw allowing arbitrary deletion of files or directories during Buildkit’s container teardown phase. It could lead to denial of service, data corruption, or unauthorized data manipulation.
  • CVE-2024-23653: This vulnerability arises from inadequate privilege checks in Buildkit’s GRPC interface. It could permit attackers to execute actions beyond their permissions, leading to privilege escalation or unauthorized access to sensitive data.

Impact and remediation

Buildkit and runc are widely used by popular projects like Docker and multiple Linux distributions.

Due to this, the patching of the “Leaky Vessels” vulnerabilities involved coordinated actions among the security research team at Snyk, the maintainers of the affected components (runc and BuildKit), and the broader container infrastructure community.

On January 31, 2024, Buildkit fixed the flaws with version 0.12.5, and runc addressed the security issue impacting it on version 1.1.12.

Docker released version 4.27.0 on the same day, incorporating the secured versions of the components in its Moby engine, with versions 25.0.1 and 24.0.8.

Amazon Web ServicesGoogle Cloud, and Ubuntu also published relevant security bulletins, guiding users through the appropriate steps to resolve the flaws in their software and services.

Finally, CISA also published an alert urging cloud system admins to take the appropriate action to secure their systems from potential exploitation.

Source: www.bleepingcomputer.com