Docker and other container engines vulnerabilities allow access to host OS

A cloud security firm has discovered four vulnerabilities in Docker components that could allow attackers to gain access to the host operating system from within containers. The researcher who found these vulnerabilities, Rory McNamara, has named them “Leaky Vessels” because they compromise the critical isolation layer between containers and the host operating system.

The most concerning vulnerability is in runc, a command-line tool for spawning and running containers on Linux. Because runc underpins multiple container engines, not just Docker, the impact of this flaw extends well beyond the Docker platform.

According to the security firm Snyk, these container escapes could allow an attacker to gain unauthorized access to the underlying host operating system from within the container. This unauthorized access could potentially lead to the exposure of sensitive data such as credentials and customer information. It could also provide attackers with the ability to launch further attacks, especially if the access gained includes superuser privileges.

Runc can be viewed as the plumbing that ties most container management engines, such as Docker, containerd, Podman, and CRI-O, to the Linux kernel’s sandboxing features. It supports multiple commands for managing containers and executing processes inside containers.

The vulnerability in runc, tracked as CVE-2024-21626, originates from a file descriptor that runc inadvertently leaks internally, including a handle to the host’s /sys/fs/cgroup. The flaw can be exploited in several ways: one path was found by McNamara, and three others were identified by the runc maintainers.

The runc maintainers issued an advisory warning that if a container is configured with a specific setting, the resulting process in that container has access to the entire host filesystem. A malicious image can therefore trick a user into starting a container whose binary can reach the host filesystem.

This particular exploit targets the runc run command, which is used to create and start a new container from an image. Given that many containers are started from images downloaded from public repositories such as Docker Hub, the potential for malicious images to be uploaded to these repositories is a serious concern.

The impact of these vulnerabilities in runc is not limited to Docker, as it affects multiple container management engines. As such, securing these vulnerabilities is crucial for the broader container ecosystem.

Overall, the “Leaky Vessels” vulnerabilities pose a significant threat to the security of containerized environments, and the discovery of these flaws underscores the ongoing need for robust security measures and constant vigilance in the containerization space. Organizations that rely on container technologies should be diligent in applying patches and updates to mitigate the risk of exploitation. Additionally, container image hygiene and validation practices are essential for preventing the deployment of malicious images that could exploit these vulnerabilities.
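As an added example, not code from the article, Snyk, or the runc project, here is a small fleet inventory check that a defender could use to track the patching work the paragraph above calls for: it parses the first line of `runc --version` output collected from each host, compares it against a minimum patched version, and reports which hosts still run an older build. The host names, the captured outputs and the minimum version are all constructed for this demo; the minimum version is a placeholder that must be replaced with the fixed release named in the runc advisory, and the pre-release handling (a release candidate sorts below its final release) is this example's own convention.

```python
import re
import subprocess
from typing import Dict, Optional, Tuple

# Matches the first line runc prints, e.g. "runc version 1.1.9" or
# "runc version 1.2.0-rc.1"; group 2 captures an optional pre-release tag.
_VERSION_RE = re.compile(r"^runc version (\d+(?:\.\d+)*)(?:-([0-9A-Za-z.]+))?")

Version = Tuple[Tuple[int, ...], str]


def parse_runc_version(output: str) -> Optional[Version]:
    """Return (numeric parts, pre-release tag) from `runc --version` output, or None."""
    for line in output.splitlines():
        m = _VERSION_RE.match(line.strip())
        if m:
            nums = tuple(int(p) for p in m.group(1).split("."))
            return nums, (m.group(2) or "")
    return None


def _key(version: Version):
    """Sort key: pad to three components so 1.1 == 1.1.0; pre-releases rank below releases."""
    nums, pre = version
    padded = nums + (0,) * max(0, 3 - len(nums))
    return padded, (0 if pre == "" else -1), pre


def is_patched(output: str, minimum: str) -> Optional[bool]:
    """True if the reported version is >= minimum, False if older, None if unparseable."""
    found = parse_runc_version(output)
    wanted = parse_runc_version("runc version " + minimum)
    if found is None or wanted is None:
        return None
    return _key(found) >= _key(wanted)


def audit(outputs: Dict[str, str], minimum: str) -> Dict[str, str]:
    """Map each host to 'patched', 'VULNERABLE' or 'unknown' from its captured output."""
    verdicts = {}
    for host, output in outputs.items():
        result = is_patched(output, minimum)
        verdicts[host] = "unknown" if result is None else ("patched" if result else "VULNERABLE")
    return verdicts


def local_runc_output() -> str:
    """Capture `runc --version` on this machine; empty string if runc is not installed."""
    try:
        proc = subprocess.run(["runc", "--version"], capture_output=True, text=True, check=False)
        return proc.stdout
    except FileNotFoundError:
        return ""


# Constructed sample outputs, as a fleet inventory job might collect them (commit ids are fake).
SAMPLE_OUTPUTS = {
    "node-a": "runc version 1.1.9\ncommit: 0000000\nspec: 1.0.2-dev\n",
    "node-b": "runc version 1.1.12\ncommit: 0000000\nspec: 1.0.2-dev\n",
    "node-c": "runc version 1.2.0-rc.1\nspec: 1.0.2-dev\n",
    "node-d": "bash: runc: command not found\n",
}

# Placeholder for this demo: replace with the first fixed release named in the runc advisory.
MINIMUM_PATCHED = "1.1.12"

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_OUTPUTS, MINIMUM_PATCHED).items():
        print(f"{host}: {verdict}")
    local = local_runc_output()
    if local:
        print("this host:", audit({"localhost": local}, MINIMUM_PATCHED)["localhost"])
```

Hosts that report "unknown" deserve a manual look rather than being ignored: a missing runc binary may simply mean the engine ships its own copy under a different path, which this check does not see.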