All Posts
cve-2024-21626

Leaky Vessels: Docker and runc container breakout vulnerabilities (January 2024)

Age
2 years ago
Threat Information
MITRE ATT&CK Technique IDs
T1611
Request Demo
Summary

Snyk security researchers have identified four critical vulnerabilities, dubbed "Leaky Vessels," in Docker and runc container infrastructure components, which could allow attackers to escape containers and gain unauthorized access to the host operating system. These vulnerabilities, CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, affect widely used container engines and build tools, prompting Snyk to recommend immediate updates from relevant vendors. To aid in detecting exploit attempts, Snyk has released two open source tools: a runtime detection tool and a static analysis program. These tools serve as reference implementations and are intended to help identify potential exploits in container environments. Users are advised to monitor and update their systems promptly to mitigate these risks.

How BlueRock Helps

The "Leaky Vessels" vulnerabilities in Docker and runc allow attackers to escape from containers and gain unauthorized access to the host operating system. This is achieved through a container breakout technique, exploiting vulnerabilities in the container runtime. BlueRock's Container Capability Control effectively mitigates this threat by controlling the capabilities assigned to containers, thereby reducing the risk of unauthorized access to the host. Additionally, the exploitation of the runc vulnerability involves using a malicious image or Dockerfile to achieve privilege escalation. BlueRock's Container Runtime Drift Protection (Available 2024 Dec) provides protection against unauthorized changes to the container runtime environment, ensuring that the runtime state remains consistent with the expected configuration, thus preventing privilege escalation attempts. These mechanisms collectively help secure container environments against such vulnerabilities.

MITRE ATT&CK Techniques Inferred
  • T1611: Escape to Host: The article describes how the vulnerabilities, dubbed 'Leaky Vessels', allow an attacker to escape from a Docker container to the underlying host operating system. This indicates the use of a container breakout technique, specifically exploiting a vulnerability in the container runtime.
  • T1068: Exploitation for Privilege Escalation: The exploitation of the runc vulnerability (CVE-2024-21626) involves the use of a malicious image or Dockerfile to achieve the container escape. This demonstrates the use of 'Exploitation for Privilege Escalation' as the attacker exploits the vulnerability to gain elevated privileges on the host.
  • T1195: Supply Chain Compromise: The article mentions that the vulnerabilities can be exploited by running a malicious image or by building a container image using a malicious Dockerfile. This indicates the use of 'Supply Chain Compromise' to introduce the malicious Dockerfile or image into the build process.
  • T1584.002: Compromise Infrastructure: DNS Server: The exploitation process involves building a container image using a malicious Dockerfile or upstream image, which suggests the use of 'Build Misconfiguration' to exploit the vulnerabilities during the container build process.
  • T1005: Data from Local System: Once the attacker has gained access to the underlying host operating system, they could potentially access sensitive data such as credentials and customer information. This indicates the use of 'Data from Local System' to gather sensitive information from the compromised host.
  • T1592: Gather Victim Host Information: The article describes how the vulnerabilities were discovered and disclosed responsibly to the relevant parties, indicating a 'Vulnerability Disclosure' process.
Fact-Based Attack Chains

F1: Exploitation of CVE-2024-21626 via a malicious Dockerfile during the container build process, leading to host compromise.

  • Attacker crafts a malicious Dockerfile specifically designed to exploit CVE-2024-21626, focusing on manipulating the WORKDIR command. (Cited from: "building a container image using a malicious Dockerfile", "centered around the WORKDIR command", "CVE-2024-21626")
  • The victim, or an automated system like a CI/CD pipeline, initiates a container build process using this malicious Dockerfile on a system with a vulnerable runc version. (Cited from: "building a container image using a malicious Dockerfile", "container build tools")
    • BR-61: Container Runtime Socket Protection - This mechanism (Available 2024 Dec) is applicable because it protects the container runtime socket (e.g., Docker daemon socket) which is used to initiate build processes. It can prevent unauthorized or malicious build requests from reaching a vulnerable runtime.
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it ensures only trusted code is executed on the host initiating the build, potentially preventing the execution of a malicious build tool or script that uses the malicious Dockerfile.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it ensures only allow-listed processes can execute new or modified files on the container host (where the build might occur), potentially preventing the build process itself if it's unauthorized or involves untrusted components.
  • During the build, the vulnerable runc component improperly handles the WORKDIR instruction due to an order-of-operations flaw. (Cited from: "a vulnerability (CVE-2024-21626) that allows for an order-of-operations container breakout centered around the WORKDIR command")
  • This flaw is exploited, resulting in a container escape, granting the attacker unauthorized access to the underlying host operating system where the build is executed. (Cited from: "Exploitation of this vulnerability can result in container escape to the underlying host operating system.")
    • BR-54: Container Drift Protection (Binaries & Scripts) - This mechanism (Current Mechanism for CVE-2024-21626) is applicable because it prevents unauthorized executables and scripts from running inside the container during the build or after the escape, hindering the attacker's ability to execute commands on the host via the escaped process.
    • BR-66: Host FS Mount Control - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it ensures only approved host file systems can be mounted or accessed, directly countering the escape vector which relies on gaining access to the host filesystem via manipulated paths.
    • BR-70: Back-Link Directory Traversal - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because the escape involves manipulating the working directory to point outside the container's intended filesystem boundaries, which is a form of path traversal this mechanism aims to prevent.
    • BR-47: Container Capability Control - This mechanism (Available 2024 Oct, also Current for CVE-2024-23653) is applicable because limiting container capabilities (e.g., CAPSYSADMIN) can restrict the actions a container process can perform even if it partially escapes or gains access to host resources, potentially preventing full host compromise or the specific actions needed to leverage the escape.
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized code on the host itself, limiting what the attacker can do immediately after the escape.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized code on the host, limiting post-escape actions.
  • Once host access is gained, the attacker can potentially access sensitive data residing on the host system, such as credentials or customer information. (Cited from: "access whatever data was on the system, including sensitive data (credentials, customer info, etc.)")
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized discovery tools or scripts on the host that the attacker might use to find sensitive data.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized tools or scripts on the host used for data access or exfiltration.
  • The attacker may leverage the compromised host to launch subsequent attacks against other systems or resources. (Cited from: "launch further attacks.")
    • BR-55: Reverse Shell Protection - This mechanism (Current Mechanism for CVE-2024-23653) is applicable because it can prevent the attacker from establishing outbound command-and-control channels (like reverse shells) from the compromised host.
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized attack tools or lateral movement scripts on the compromised host.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized attack tools or lateral movement scripts on the compromised host.

F2: Exploitation of CVE-2024-21626 by running a malicious container image, leading to host compromise.

  • Attacker crafts or obtains a pre-built malicious container image designed to trigger the CVE-2024-21626 vulnerability upon execution, likely involving WORKDIR manipulation internally. (Cited from: "running a malicious image", "centered around the WORKDIR command", "CVE-2024-21626")
  • The victim runs this malicious container image on a host system utilizing a vulnerable version of runc. (Cited from: "running a malicious image", "systems running container engines")
    • BR-61: Container Runtime Socket Protection - This mechanism (Available 2024 Dec) is applicable because it protects the container runtime socket used to start containers. It could potentially block requests to run untrusted or malicious images based on policy.
    • BR-47: Container Capability Control - This mechanism (Available 2024 Oct, also Current for CVE-2024-23653) is applicable because enforcing strict capability controls when running containers can limit the potential impact even if a malicious image is run, preventing it from gaining unnecessary privileges required for the escape.
  • As the container starts or executes certain operations involving its working directory, the order-of-operations flaw in runc (CVE-2024-21626) is triggered. (Cited from: "a vulnerability (CVE-2024-21626) that allows for an order-of-operations container breakout centered around the WORKDIR command")
  • The vulnerability exploitation leads to a container breakout, providing the attacker with unauthorized access to the host operating system running the container. (Cited from: "Exploitation of this vulnerability can result in container escape to the underlying host operating system.")
    • BR-54: Container Drift Protection (Binaries & Scripts) - This mechanism (Current Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized binaries or scripts dropped or executed by the malicious container after the escape.
    • BR-66: Host FS Mount Control - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it restricts access to the host filesystem, directly countering the escape mechanism that relies on accessing host paths.
    • BR-70: Back-Link Directory Traversal - This mechanism (Future Mechanism for CVE-2024-21626) is applicable as it prevents the path manipulation used to access the host filesystem.
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized code on the host itself, limiting what the attacker can do post-escape.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized code on the host, limiting post-escape actions.
    • BR-47: Container Capability Control - This mechanism (Available 2024 Oct, also Current for CVE-2024-23653) is applicable because limiting container capabilities can restrict the actions needed to successfully exploit the escape and gain meaningful access to the host.
  • The attacker proceeds to access sensitive information available on the compromised host. (Cited from: "access whatever data was on the system, including sensitive data (credentials, customer info, etc.)")
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized discovery tools or scripts on the host.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized tools or scripts on the host used for data access.
  • From the compromised host, the attacker may initiate further malicious activities or network attacks. (Cited from: "launch further attacks.")
    • BR-55: Reverse Shell Protection - This mechanism (Current Mechanism for CVE-2024-23653) is applicable because it can prevent the attacker from establishing outbound command-and-control channels.
    • BR-62: Linux/Host Drift Protection - This mechanism (Future Mechanism for CVE-2024-21626) is applicable because it prevents the execution of unauthorized attack tools or lateral movement scripts.
    • BR-65: Container Host Drift Prevention - This mechanism (Future Mechanism for CVE-2024-23651) is applicable because it prevents the execution of unauthorized attack tools or lateral movement scripts.
See Blue Rock In Action