A set of four vulnerabilities in container engine components has been discovered by researchers, who have named them “Leaky Vessels.” Three of these vulnerabilities allow attackers to break out of containers and execute malicious actions on the underlying host system.
The most pressing vulnerability, designated CVE-2024-21626, affects runC, the lightweight container runtime used by Docker and other container environments, and carries a CVSS severity score of 8.6 out of 10. According to Rory McNamara, a staff security researcher at Snyk, the runC vulnerability enables a container escape both while an image is being built and while a container is running. In the worst case, an attacker who gains unauthorized access to the underlying host operating system this way could potentially reach anything else running on that host, including credentials that could be used to launch further attacks.
The other three vulnerabilities affect BuildKit, the default image-building toolkit for Docker. One of them (CVE-2024-23651) involves a race condition in how cache layers are mounted at runtime. Another (CVE-2024-23653) concerns how BuildKit's remote procedure call (gRPC) interface enforces its container security mode, while the third (CVE-2024-23652) is a file-deletion flaw, also in BuildKit. Snyk, which discovered the flaws and reported them to Docker, has advised organizations to check for updates from every vendor that supplies their container runtime environment, including Docker, Kubernetes vendors, cloud container services, and open-source communities.
Two of the BuildKit vulnerabilities (CVE-2024-23651 and CVE-2024-23653) are escapes that can be triggered only at build time, while the remaining one (CVE-2024-23652) allows arbitrary deletion of files on the host.
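As an added defensive example (not code from the article or from Snyk), the following POSIX shell script implements the advice above on a single host: it parses the version strings the container tools print, compares each one numerically against a minimum version you take from your vendor's advisory, and flags anything older or unidentifiable. The minimum versions in it are placeholders, since the article names none. `runc --version` and `docker version --format '{{.Server.Version}}'` are standard commands; reading the BuildKit version from `docker buildx inspect` is an assumption to confirm against your buildx release.

```shell
#!/bin/sh
# Added example, not code from the article or from Snyk: audit the versions of
# the container components named in the Leaky Vessels advisory and flag any
# that are older than the minimum your vendor's patched release specifies.
# The minimum versions below are PLACEHOLDERS; take the real values from your
# vendor's advisory and pass them in as environment variables.

MIN_RUNC="${MIN_RUNC:-0.0.0}"          # placeholder, e.g. MIN_RUNC=x.y.z
MIN_DOCKER="${MIN_DOCKER:-0.0.0}"      # placeholder
MIN_BUILDKIT="${MIN_BUILDKIT:-0.0.0}"  # placeholder

# extract_version: return the first "x.y.z" found in a tool's output, or "".
# "runc version 1.1.9\ncommit: ..." -> 1.1.9; "Docker version 24.0.7, build .." -> 24.0.7
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B: succeed (exit 0) when A >= B, comparing x.y.z numerically,
# so that 1.1.12 is correctly treated as newer than 1.1.9.
version_ge() {
    a1=${1%%.*}; r=${1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${2%%.*}; r=${2#*.}; b2=${r%%.*}; b3=${r#*.}
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# check_component NAME RAW_OUTPUT MINIMUM: print one status line and return
# 0 when the version meets the minimum, 1 when it is older, 2 when it cannot
# be parsed (treat 2 as "investigate", never as "patched").
check_component() {
    name=$1; raw=$2; min=$3
    ver=$(extract_version "$raw")
    if [ -z "$ver" ]; then
        printf '%-9s version unknown, could not parse output\n' "$name"
        return 2
    fi
    if version_ge "$ver" "$min"; then
        printf '%-9s %s >= %s  ok\n' "$name" "$ver" "$min"
        return 0
    fi
    printf '%-9s %s <  %s  UPDATE REQUIRED\n' "$name" "$ver" "$min"
    return 1
}

# audit_host: query the tools present on this machine. runc --version and
# docker version --format are standard; reading the BuildKit version from
# docker buildx inspect is an assumption to confirm for your buildx release.
audit_host() {
    status=0
    if command -v runc >/dev/null 2>&1; then
        check_component runc "$(runc --version 2>/dev/null)" "$MIN_RUNC" || status=1
    fi
    if command -v docker >/dev/null 2>&1; then
        check_component docker "$(docker version --format '{{.Server.Version}}' 2>/dev/null)" "$MIN_DOCKER" || status=1
        check_component buildkit "$(docker buildx inspect 2>/dev/null | grep -i buildkit)" "$MIN_BUILDKIT" || status=1
    fi
    return $status
}

# Run the audit only when invoked as: sh check_leaky_vessels.sh audit
if [ "${1:-}" = "audit" ]; then
    audit_host
fi
```

Run it as `MIN_RUNC=x.y.z MIN_DOCKER=x.y.z MIN_BUILDKIT=x.y.z sh check_leaky_vessels.sh audit` on each build host and runtime node; a non-zero exit means at least one component is older than the minimum you supplied or could not be identified. The numeric comparison matters because a plain string comparison would rank 1.1.9 above 1.1.12, which is exactly the kind of mistake that leaves a vulnerable runtime marked as patched.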
The growing problem of container vulnerabilities in enterprise organizations has been highlighted by recent studies. A study conducted by Sysdig last year revealed that 87% of container images in production have at least one high or critical severity vulnerability. The rush by organizations to deploy cloud applications without paying appropriate attention to security issues has been identified as a primary reason for the high percentage of vulnerabilities.
Research by Rezilion in 2023 also found hundreds of Docker container images containing vulnerabilities that standard vulnerability-detection and software composition analysis tools were unable to detect. Perceptions of container security have shifted accordingly: in a DZone survey, only 51% of respondents said containerization made their applications more secure, down from 69% in 2021.
According to McNamara, the four vulnerabilities discovered by Snyk are relatively simple to exploit and typically require a Dockerfile of fewer than 30 lines. Exploiting them does, however, require a high level of access: an attacker would need to be able to run an arbitrary container on the target, build an arbitrary container on the target, or compromise an upstream container (or otherwise cause a victim system to use an upstream container they control). Notably, the vulnerabilities are not remotely exploitable, except in the sense that Kubernetes and similarly affected environments are reachable over the network.
In conclusion, the discovery of these vulnerabilities and the potential impact on containerized applications is a clear reminder of the need for organizations to prioritize the security of their container environments. With high percentages of container images in production found to have vulnerabilities, it is essential for organizations to stay updated on security patches and actively monitor their container environments for potential threats.