Security researchers have disclosed four vulnerabilities in Docker components that could allow attackers to reach the host operating system from inside a container. One of the vulnerabilities is in runc, a command-line tool for spawning and running containers on Linux that underpins several container engines, not just Docker.
The vulnerabilities were found by Rory McNamara, a researcher with cloud security firm Snyk, who collectively named them "Leaky Vessels" because they break the critical isolation layer between containers and the host operating system. "These container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container and potentially permit access to sensitive data (credentials, customer info, etc.), and launch further attacks, especially when the access gained includes superuser privileges," Snyk said in a blog post.
Vulnerability offers multiple attack paths from runc
Runc can be seen as the plumbing that ties most container management engines, such as Docker, containerd, Podman, and CRI-O, to the Linux kernel's sandboxing features: control groups, namespaces, seccomp, AppArmor, and so on. It supports several commands for starting, stopping, suspending, pausing, and listing containers, as well as executing processes inside running containers.
The runc vulnerability found by McNamara, tracked as CVE-2024-21626, stems from a file descriptor being inadvertently leaked internally within runc, including a handle to the host's /sys/fs/cgroup directory. Because that descriptor refers to a directory in the host mount namespace, anything that can make the container's process use it as a path gains a foothold outside the container's root filesystem. The leak can be exploited in several ways: one found by McNamara and three others found by the runc maintainers.
"If the container was configured to have process.cwd set to /proc/self/fd/7/ (the actual fd can change depending on file opening order in runc), the resulting pid1 process will have a working directory in the host mount namespace and thus the spawned process can access the entire host filesystem," the runc maintainers warn in an advisory. "This alone is not an exploit against runc. However, a malicious image could make any innocuous-looking non-/ path a symlink to /proc/self/fd/7/ and thus trick a user into starting a container whose binary has access to the host filesystem."
This attack path targets the runc run command, which creates and starts a new container from an image, so the attacker-controlled input is the image itself: its configured working directory (for Docker images, the WORKDIR) ends up as process.cwd in the OCI runtime configuration that runc receives. Many containers are started from images downloaded from public registries such as Docker Hub, and malicious images have been uploaded to that registry over the years.
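The advisory describes two configuration-level forms of the primitive: a process.cwd that names a runc file descriptor directly, and an innocuous-looking cwd that is a symlink (inside the image's root filesystem) to /proc/self/fd/N. The following scanner, written for this article as an added example and not code from Snyk or the runc project, reviews an OCI runtime bundle (config.json plus rootfs) for both forms before the bundle is handed to runc run. It assumes a bundle in the standard layout (root.path relative to the bundle directory, defaulting to rootfs) and builds its own throwaway bundles for the demonstration; the file names and the "/proc/self/fd/7/" target are taken from the advisory's description, not from any specific malicious image.

```python
"""Scan an OCI runtime bundle for a process.cwd that would land the
container's initial process on a leaked runc file descriptor
(the CVE-2024-21626 primitive described in the runc advisory).

Added example for this article; not Snyk's or runc's own code.
"""
import json
import os
import re
import tempfile

# Matches /proc/self/fd/N, /proc/thread-self/fd/N or /proc/<pid>/fd/N, with
# or without a trailing component; the advisory's example is /proc/self/fd/7/.
PROC_FD_RE = re.compile(r"^/proc/(self|thread-self|\d+)/fd/\d+(/.*)?$")


def is_proc_fd_path(path: str) -> bool:
    """True if `path` names a file descriptor of the process itself."""
    return PROC_FD_RE.match(os.path.normpath(path)) is not None


def resolve_in_rootfs(rootfs: str, path: str, max_links: int = 40) -> str:
    """Resolve `path` the way the containerized process would see it:
    symlinks are read from `rootfs`, absolute targets restart at the rootfs
    root, and '..' cannot climb above it. Returns the final in-container path.
    Components that do not exist in the rootfs (such as /proc, which runc
    mounts at run time) are kept verbatim, so a chain ending in /proc/self/fd/7
    is reported as such."""
    rootfs = os.path.abspath(rootfs)
    parts = [p for p in path.split("/") if p and p != "."]
    resolved = []          # in-container components resolved so far
    links = 0
    while parts:
        comp = parts.pop(0)
        if comp == "..":
            if resolved:
                resolved.pop()
            continue
        candidate = resolved + [comp]
        host_path = os.path.join(rootfs, *candidate)
        if os.path.islink(host_path):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(host_path)
            if target.startswith("/"):
                resolved = []   # absolute link: restart at the container root
            parts = [p for p in target.split("/") if p and p != "."] + parts
            continue
        resolved = candidate
    return "/" + "/".join(resolved)


def check_bundle(bundle_dir: str) -> list:
    """Return a list of findings (empty when the bundle's cwd looks benign)."""
    with open(os.path.join(bundle_dir, "config.json")) as fh:
        cfg = json.load(fh)
    cwd = cfg.get("process", {}).get("cwd", "/")
    root = cfg.get("root", {}).get("path", "rootfs")
    rootfs = root if os.path.isabs(root) else os.path.join(bundle_dir, root)
    findings = []
    if is_proc_fd_path(cwd):
        findings.append(f"process.cwd {cwd!r} points directly at a runc file descriptor")
        return findings
    try:
        final = resolve_in_rootfs(rootfs, cwd)
    except OSError as exc:
        return [f"process.cwd {cwd!r} could not be resolved: {exc}"]
    if is_proc_fd_path(final):
        findings.append(f"process.cwd {cwd!r} is a symlink chain to {final!r}")
    return findings


def make_demo_bundle(base: str, cwd: str, link: tuple = ()) -> str:
    """Construct a minimal bundle for the demo (constructed test data).
    `link`, if given, is (name, target): a symlink created at rootfs/<name>."""
    bundle = os.path.join(base, "bundle")
    rootfs = os.path.join(bundle, "rootfs")
    os.makedirs(rootfs)
    if link:
        name, target = link
        link_path = os.path.join(rootfs, name.strip("/"))
        os.makedirs(os.path.dirname(link_path), exist_ok=True)
        os.symlink(target, link_path)
    cfg = {"ociVersion": "1.0.2",
           "process": {"cwd": cwd, "args": ["sh"]},
           "root": {"path": "rootfs"}}
    with open(os.path.join(bundle, "config.json"), "w") as fh:
        json.dump(cfg, fh)
    return bundle


def demo() -> dict:
    """Run the scanner over three constructed bundles: a benign symlinked
    WORKDIR, the advisory's direct cwd, and the advisory's symlink trick."""
    cases = {
        "benign":  ("/app", ("app", "/usr/share/app")),
        "direct":  ("/proc/self/fd/7/", ()),
        "symlink": ("/srv/www", ("srv/www", "../proc/self/fd/7/")),
    }
    results = {}
    for name, (cwd, link) in cases.items():
        with tempfile.TemporaryDirectory() as tmp:
            results[name] = check_bundle(make_demo_bundle(tmp, cwd, link))
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name:8s}", findings or "no finding")
```

The resolver deliberately follows symlinks with chroot semantics rather than os.path.realpath, because the latter would resolve against the scanning host's filesystem and would follow an absolute link to the host's real /usr instead of the image's. Such a scan is a review aid for untrusted images, not a fix: the leak itself is closed by upgrading runc to 1.1.12 or later, and only a patched runc removes the descriptor that makes these paths useful.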