Leaky Vessels container escape flaws in Docker, runc and BuildKit
Four security vulnerabilities, collectively named "Leaky Vessels," have been identified that could let an attacker break out of a container and read or modify data on the host operating system.
Snyk security researcher Rory McNamara discovered the flaws in November 2023 and reported them to the affected maintainers; coordinated advisories and fixed releases were published on 31 January 2024.
To date there are no reported instances of the "Leaky Vessels" vulnerabilities being exploited in the wild. Given the attention they have received, that may change quickly, so system administrators are advised to apply the available patches promptly.
Understanding Container Escapes
Containers package an application together with its dependencies, binaries and configuration into an image, and run it as a set of processes that share the host kernel but are isolated from the host and from each other by kernel features such as namespaces, cgroups, capability restrictions, seccomp filters and mandatory access control. Unlike a virtual machine, a container has no kernel of its own, so the isolation is only as strong as the runtime that sets it up. Platforms such as Docker and Kubernetes are used to manage these containers. A container escape occurs when an attacker or malicious code breaks out of this isolation and reaches the host system or other containers, defeating the security boundary the container was supposed to provide.
The "Leaky Vessels" vulnerabilities discovered by the Snyk team affect runc, the low-level runtime that Docker, containerd and Kubernetes nodes use to start containers, and BuildKit, the image builder behind docker build. One flaw is in the runtime and can be triggered by any container that starts; the other three are in the build path and expose hosts that build untrusted Dockerfiles, such as CI runners.
- CVE-2024-21626: An order-of-operations bug in runc. runc opened a file descriptor to the host's /sys/fs/cgroup directory for its own use and did not close it before setting the container process's working directory, so a working directory of /proc/self/fd/<N> (from a WORKDIR instruction in a malicious image, or from a `docker exec -w` request) leaves the process with a current directory on the host filesystem. From there relative paths such as ../../ reach the host root, bypassing container isolation entirely. Fixed in runc 1.1.12.
- CVE-2024-23651: A race condition in BuildKit's handling of RUN --mount=type=cache mounts. Two malicious build steps running in parallel and sharing the same cache mount with subpaths can win the race so that a host filesystem path ends up mounted into the build container, giving the build step read access to files on the host.
- CVE-2024-23652: A malicious Dockerfile or BuildKit frontend using RUN --mount can trick the cleanup step that removes the empty files and directories BuildKit created as mount points into deleting a file or directory outside the container, on the host, at teardown. The result can be denial of service, data loss or tampering with host files.
- CVE-2024-23653: BuildKit's GRPC API did not validate the security.insecure entitlement in its interactive containers path (container.Run), so a malicious BuildKit frontend or client could have the daemon start a build container with elevated privileges that the build was never granted, leading to privilege escalation on the build host.
Given how widely runc and BuildKit are used under Docker, containerd and Kubernetes, the exposure is broad, and system administrators should update without delay. The fixes shipped in runc 1.1.12, BuildKit 0.12.5, Docker Engine (Moby) 25.0.2 and 24.0.9, and Docker Desktop 4.27.1. Note that runc is often installed by a separate package from the Docker Engine itself (on many distributions it ships with containerd.io), so the runtime version must be checked independently of the engine version, and Kubernetes nodes that never run docker build still need the runc update.
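As an added example (not from the article, and not Snyk's, Docker's or runc's own code), the following Python script does the two checks a practitioner would want after reading the list above: it compares the versions reported by runc, Docker Engine and BuildKit against the first fixed releases (runc 1.1.12, BuildKit 0.12.5, Moby 25.0.2 with the 24.0.9 backport), and it flags Dockerfile WORKDIR instructions that reach through a /proc fd link, the shape of the public CVE-2024-21626 proof of concept, so untrusted Dockerfiles can be gated before they reach a builder. The command names and the output formats it parses are assumptions about the installed tools; the sample outputs and the sample Dockerfile are constructed for the demonstration.

```python
"""Leaky Vessels version audit and Dockerfile WORKDIR check.

Added example, not the project's or the article's own code. Fixed versions
are from the upstream advisories; command output formats are assumptions.
"""
import re
import shutil
import subprocess

# First release of each component that carries the Leaky Vessels fixes.
FIXED = {
    "runc": (1, 1, 12),       # CVE-2024-21626
    "buildkit": (0, 12, 5),   # CVE-2024-23651/23652/23653
    "docker": (25, 0, 2),     # Moby; the 24.x branch got a backport
}
DOCKER_24_BACKPORT = (24, 0, 9)

VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")
# WORKDIR whose argument goes through /proc/self/fd/<N> or /proc/<pid>/fd/<N>.
WORKDIR_RE = re.compile(r"^\s*WORKDIR\s+(\S+)", re.IGNORECASE)
PROC_FD_RE = re.compile(r"/proc/(self|\d+)/fd/")


def parse_version(text):
    """Return the first x.y.z triple found in a tool's version output, or None."""
    m = VERSION_RE.search(text or "")
    return tuple(int(x) for x in m.groups()) if m else None


def buildkit_version(text):
    """`docker buildx inspect` and `buildctl --version` both print the BuildKit
    version on a line that mentions 'buildkit'; parse only that line (assumed format)."""
    for line in (text or "").splitlines():
        if "buildkit" in line.lower():
            return parse_version(line)
    return None


def is_fixed(component, version):
    """True if `version` is at or past the first fixed release of `component`."""
    if version is None:
        return False
    if component == "docker" and version[0] == 24:
        return version >= DOCKER_24_BACKPORT
    return version >= FIXED[component]


def audit(outputs):
    """outputs: {component: raw version text}. Returns {component: (version, fixed)}."""
    result = {}
    for component in FIXED:
        text = outputs.get(component, "")
        version = buildkit_version(text) if component == "buildkit" else parse_version(text)
        result[component] = (version, is_fixed(component, version))
    return result


def suspicious_workdirs(dockerfile_text):
    """Return (line_no, path) for WORKDIR instructions that traverse a /proc fd link.
    This is a signature for the known exploitation pattern, not a substitute for patching."""
    hits = []
    for n, line in enumerate(dockerfile_text.splitlines(), 1):
        m = WORKDIR_RE.match(line)
        if m and PROC_FD_RE.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


def collect_live():
    """Query the installed tools (assumed command names); skips tools that are absent."""
    commands = {
        "runc": ["runc", "--version"],
        "docker": ["docker", "version", "--format", "{{.Server.Version}}"],
        "buildkit": ["docker", "buildx", "inspect"],
    }
    out = {}
    for comp, cmd in commands.items():
        if shutil.which(cmd[0]) is None:
            continue
        try:
            out[comp] = subprocess.run(cmd, capture_output=True, text=True, timeout=10).stdout
        except (OSError, subprocess.SubprocessError):
            pass
    return out


# Constructed sample outputs from an unpatched host, used when tools are not installed.
SAMPLE_OUTPUTS = {
    "runc": "runc version 1.1.11\ncommit: v1.1.11-0-g4bccb38\nspec: 1.0.2-dev\n",
    "docker": "24.0.7\n",
    "buildkit": "Name:      default\nDriver:    docker\nBuildkit:  v0.12.4\n",
}
SAMPLE_DOCKERFILE = "FROM alpine:3.19\nWORKDIR /app\nWORKDIR /proc/self/fd/7/../../../../\nCMD [\"sh\"]\n"

if __name__ == "__main__":
    outputs = collect_live() or SAMPLE_OUTPUTS
    for comp, (ver, ok) in audit(outputs).items():
        shown = ".".join(map(str, ver)) if ver else "not found"
        print(f"{comp:9s} {shown:10s} {'fixed' if ok else 'VULNERABLE / update'}")
    for line_no, path in suspicious_workdirs(SAMPLE_DOCKERFILE):
        print(f"Dockerfile line {line_no}: WORKDIR {path} traverses /proc fd link")
```

The version comparison is deliberately branch-aware: a 24.0.9 engine is patched even though it is numerically below 25.0.2, while anything on 23.x or older is reported as needing an update because those branches received no fix. The WORKDIR scan is only a tripwire for the known pattern and does not make an unpatched runc safe, since the same working directory can be requested at `docker exec` time without any Dockerfile.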