Introduction

Red Hat has published a security bulletin for a serious vulnerability in runc, the low-level OCI runtime that creates and starts containers for tools such as CRI-O and Docker. The flaw allows a container escape: a process running inside a container can gain unauthorized access to the host operating system. It can be exploited by tricking a user into building or running a malicious image, or by running a malicious process inside an existing container with runc exec. The vulnerability is tracked as CVE-2024-21626, and Red Hat rates its impact as Important.

Affected Red Hat products include:

  • Red Hat OpenShift Container Platform versions 4 and 3.11
  • Red Hat Enterprise Linux versions 7, 8, and 9
  • Additional products running on Red Hat Enterprise Linux and RHEL CoreOS

Notably, the issue also extends to product containers based on RHEL or UBI container images and to products that draw packages from the RHEL channel.

Three related vulnerabilities in Moby BuildKit, CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653, are still under investigation.

Technical Details

The vulnerability combines a file descriptor leak with a path traversal. While setting up a container process, runc left an internal file descriptor referring to a directory on the host open in that process, and it did not verify that the process working directory it applied was inside the container's root filesystem. A working directory of the form /proc/self/fd/<N>/ therefore resolves to a host directory, and relative traversal (../../..) from there reaches the host root, so the container process can read and modify host files.

runc does not parse Dockerfiles itself. The WORKDIR directive (and thus the working directory of every command run by a later RUN) is translated by the image builder into the process.cwd field of the OCI runtime configuration that runc applies, and runc exec accepts a working directory for the new process the same way. These are the two paths by which a malicious image or an exec request delivers the hostile working directory, which is why the flaw is a direct container breakout and a host compromise rather than a privilege escalation confined to the container.

Mitigation

To mitigate this threat, Red Hat advises:

  • Run SELinux in enforcing mode with the targeted policy, as shipped by default with RHEL and OpenShift; the container policy prevents a container process from reading or writing host content even when it has reached a host path.
  • Inspect Dockerfiles for WORKDIR values, and RUN commands that change directory or create symlinks, that point into /proc/self/fd or /proc/<pid>/fd.
  • Build and run only images from trusted sources, and restrict who can exec into running containers, since both a malicious image and a malicious runc exec request are exploitation paths.
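The two Dockerfile-inspection points above, and the process.cwd field that runc actually consumes, can be checked mechanically. The following scanner is an added example and is not Red Hat's tooling or part of the bulletin: it joins Dockerfile continuation lines, tracks relative WORKDIR directives and simple ARG/ENV expansion so that a traversal assembled across several lines is still caught, flags RUN commands that name a /proc/*/fd path (for example a symlink planted for a later WORKDIR), and checks an OCI config.json. The sample inputs are constructed for the example, and the descriptor number 7 in them is an assumption for illustration; the scanner matches any descriptor number.

```python
"""Flag working directories that resolve through /proc/*/fd, the shape used to
exploit the runc file-descriptor leak (CVE-2024-21626), in Dockerfiles and in
the OCI runtime config that runc consumes. Added example; not Red Hat's or runc's code."""
import json
import posixpath
import re
import shlex

# Anything under /proc/<pid>/fd/, /proc/self/fd/ or /proc/thread-self/fd/ is
# reached through an open descriptor, not through the container's root filesystem.
PROC_FD_RE = re.compile(r"/proc/(?:self|thread-self|\d+)/fd(?:/|$)")
VAR_RE = re.compile(r"\$\{?(\w+)\}?")


def _logical_lines(text):
    """Yield (first physical line number, joined instruction) pairs, honouring
    backslash continuations and skipping comments and blank lines."""
    buf, start = [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        start = start or n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        yield start, " ".join(buf)
        buf, start = [], None
    if buf:  # file ended in the middle of a continuation
        yield start, " ".join(buf)


def _expand(value, env):
    """Substitute $NAME / ${NAME} from ARG/ENV seen earlier; unknown names stay as-is."""
    return VAR_RE.sub(lambda m: env.get(m.group(1), m.group(0)), value)


def _proc_fd_tokens(command):
    """Tokens of a RUN command that name a /proc/*/fd path (cd, ln -s, cp, ...)."""
    try:
        tokens = shlex.split(command)
    except ValueError:  # unbalanced quotes: fall back to a whitespace split
        tokens = command.split()
    return [t for t in tokens if PROC_FD_RE.search(t)]


def scan_dockerfile(text):
    """Return [(line, instruction, offending value)] for WORKDIR paths that resolve
    under /proc/*/fd and for RUN commands that reference such a path."""
    findings, env, cwd = [], {}, "/"
    for lineno, logical in _logical_lines(text):
        parts = logical.split(None, 1)
        if len(parts) != 2:
            continue
        instr, arg = parts[0].upper(), parts[1].strip()
        if instr in ("ARG", "ENV"):
            # Only the single NAME=value / NAME value form is handled here.
            kv = re.split(r"[=\s]+", arg, maxsplit=1)
            if len(kv) == 2:
                env[kv[0]] = _expand(kv[1].strip("\"'"), env)
        elif instr == "WORKDIR":
            target = _expand(arg, env)
            cwd = target if target.startswith("/") else posixpath.join(cwd, target)
            # Deliberately no normpath(): collapsing ".." would hide the traversal.
            if PROC_FD_RE.search(cwd):
                findings.append((lineno, instr, cwd))
        elif instr == "RUN":
            hits = _proc_fd_tokens(_expand(arg, env))
            if hits:
                findings.append((lineno, instr, " ".join(hits)))
    return findings


def scan_oci_config(config_json):
    """True if process.cwd in an OCI runtime config.json (what runc create/exec
    applies) resolves through /proc/*/fd."""
    cwd = json.loads(config_json).get("process", {}).get("cwd", "/")
    return bool(PROC_FD_RE.search(cwd))


# Constructed sample inputs (not from any real image). The descriptor number 7 is
# an assumption for illustration; the scanner matches any number.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/ubi
ARG ESCAPE=self/fd/7
WORKDIR /proc
# harmless-looking comment between the two halves of the path
WORKDIR $ESCAPE/../../..
RUN echo built && \\
    ls -la
"""

CLEAN_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/ubi
WORKDIR /opt/app
RUN mkdir -p /opt/app/data
"""

SAMPLE_OCI_CONFIG = json.dumps({"process": {"cwd": "/proc/self/fd/7/", "args": ["sh"]}})

if __name__ == "__main__":
    for lineno, instr, value in scan_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {instr} resolves to {value}")
    print("clean Dockerfile findings:", scan_dockerfile(CLEAN_DOCKERFILE))
    print("OCI config cwd suspicious:", scan_oci_config(SAMPLE_OCI_CONFIG))
```

This is a heuristic, not a fix: it cannot see variables inherited from a base image or a symlink whose target is only known at build time (the RUN finding is what catches the latter), so it belongs in the image-admission pipeline alongside the updated runc package, not in place of it.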

Affected Products

Red Hat urges customers running the affected product versions to apply the updates below as soon as they are available and to enable the mitigations above in the meantime. Because Red Hat may backport the fix rather than rebase the package, the patched runc package does not necessarily report the upstream fixed version; confirm the fix from the package changelog (rpm -q --changelog runc | grep CVE-2024-21626) rather than from the version string alone.

  • Red Hat Enterprise Linux 7: Update for runc (TBD)
  • Red Hat Enterprise Linux 8: Updates for container-tools:4.0/runc and container-tools:rhel8/runc (TBD)
  • Red Hat Enterprise Linux 9: runc update (RHSA-2024:0670)
  • Red Hat OpenShift Container Platform 4 & 3.11: Update for runc (TBD)

Updates and advisories will be posted as they become available.

Links

  • <https://access.redhat.com/security/vulnerability/RHSB-2024-001>

Conclusion

The discovery of CVE-2024-21626 in runc highlights a significant vulnerability in the container ecosystem and underlines the importance of security in the rapidly evolving field of container technology. This vulnerability not only poses a di