Containers inherit breakout bugs in Linux tools


"Leaky Vessels" hits Docker, Kubernetes and more.

A number of container environments are vulnerable to container escape, due to bugs in two widely used Linux container components: the runc runtime and the BuildKit build backend.


Runc is the command line interface (CLI) tool and reference OCI runtime for spawning and running containers on Linux. It is the low-level component that higher-level engines ultimately call to start a container, so it is in use in a large number of environments, including Docker, AWS, Kubernetes and more.

An advisory, posted to the OSS-Sec mailing list, states that CVE-2024-21626 is a high-severity “internal file descriptor leak” that has “several exploit methods which allow for full container breakouts”.

“Aside from only running trusted images and never using ‘runc exec’ on containers, there are no generic workarounds for the issue and so users are strongly advised to patch their installations as soon as possible”, the advisory states.

Snyk, which is credited with discovering the bug, has dubbed the bug Leaky Vessels, and explained in a blog post that “Once an attacker gains access to the underlying host operating system, they could potentially access whatever data was on the system, including sensitive data (credentials, customer info, etc.), and launch further attacks.”

Runc was patched on January 31.

BuildKit is the build backend behind “docker build”, and is affected by three separate bugs: CVE-2024-23651, a race condition in the handling of build cache mounts; CVE-2024-23653, a missing privilege check in BuildKit’s gRPC SecurityMode handling that lets a build request run a container with more privilege than it was entitled to; and CVE-2024-23652, a “build-time container teardown arbitrary delete” bug. All three are fixed in BuildKit 0.12.5.

The maintainers of runc have released version 1.1.12 to fix its bug, but that alone does not patch most hosts: Docker, containerd and the managed Kubernetes and cloud offerings each bundle their own copy of runc, so every downstream project has to roll the update into its own release, and operators then have to install those packages.

So far, according to Snyk, fixes have been rolled out for containerd (version 1.6.28), Docker (with BuildKit and Moby updates as well as the updated runc), and the runc packages shipped by GCP, Ubuntu and AWS.
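Because the fix has to arrive through each vendor's own packaging, the practical question on a given host is which runc and containerd builds are actually installed. The script below is an added example, not part of the iTnews article and not code from the runc or containerd projects. It compares version strings against the fixed releases named above (runc 1.1.12, containerd 1.6.28); it also treats containerd 1.7.13 as the equivalent fix on the 1.7 branch, which the article does not state. It assumes that runc --version prints “runc version X.Y.Z” on its first line and that containerd --version prints the version as the third word of its first line, which is how both binaries behave today. Without arguments it only defines the check functions; run it with --host to inspect the local binaries.

```shell
#!/bin/sh
# Added example: version check for the Leaky Vessels fixes. Not taken from
# the article or from the runc/containerd projects.
#
# Fixed releases used here:
#   runc       >= 1.1.12   (named in the article)
#   containerd >= 1.6.28 on the 1.6 branch (named in the article)
#   containerd >= 1.7.13 on the 1.7 branch (assumption, not in the article)

# clean_version STRING: drop a leading "v" and anything after the numeric
# dotted part, so "v1.1.12-0-g51d5e94" becomes "1.1.12". Unparseable
# input yields an empty string, which the comparison treats as 0.0.0
# (i.e. as not fixed), the safe direction for an inventory check.
clean_version() {
    printf '%s\n' "$1" | sed 's/^v//' | { grep -oE '^[0-9]+(\.[0-9]+)*' || :; }
}

# version_ge A B: succeed when A >= B, comparing up to three numeric
# components. Numeric, not lexical, so 1.10.0 > 1.9.9 as expected.
version_ge() {
    _a=$(clean_version "$1")
    _b=$(clean_version "$2")
    _old_ifs=$IFS
    IFS=.
    set -- $_a
    _a1=${1:-0}; _a2=${2:-0}; _a3=${3:-0}
    set -- $_b
    _b1=${1:-0}; _b2=${2:-0}; _b3=${3:-0}
    IFS=$_old_ifs
    if [ "$_a1" -gt "$_b1" ]; then return 0; fi
    if [ "$_a1" -lt "$_b1" ]; then return 1; fi
    if [ "$_a2" -gt "$_b2" ]; then return 0; fi
    if [ "$_a2" -lt "$_b2" ]; then return 1; fi
    if [ "$_a3" -ge "$_b3" ]; then return 0; fi
    return 1
}

# runc_fixed VERSION: 0 when the runc build carries the CVE-2024-21626 fix.
runc_fixed() {
    version_ge "$1" 1.1.12
}

# containerd_fixed VERSION: 0 = bundles a fixed runc, 1 = vulnerable,
# 2 = release branch not covered by this check (handle it manually).
containerd_fixed() {
    _v=$(clean_version "$1")
    case "$_v" in
        1.6.*) version_ge "$_v" 1.6.28 ;;
        1.7.*) version_ge "$_v" 1.7.13 ;;
        *)     return 2 ;;
    esac
}

# check_host: report on the binaries found in PATH. Assumes the output
# formats described in the lead-in.
check_host() {
    if command -v runc >/dev/null 2>&1; then
        _rv=$(runc --version 2>/dev/null | awk 'NR==1 && $1=="runc" {print $3}')
        if runc_fixed "$_rv"; then
            echo "runc $_rv: fixed"
        else
            echo "runc $_rv: VULNERABLE to CVE-2024-21626, upgrade to >= 1.1.12"
        fi
    else
        echo "runc: not found in PATH"
    fi
    if command -v containerd >/dev/null 2>&1; then
        _cv=$(containerd --version 2>/dev/null | awk 'NR==1 {print $3}')
        _rc=0
        containerd_fixed "$_cv" || _rc=$?
        case "$_rc" in
            0) echo "containerd $_cv: fixed" ;;
            1) echo "containerd $_cv: bundles a vulnerable runc, upgrade" ;;
            *) echo "containerd $_cv: branch not covered by this check" ;;
        esac
    else
        echo "containerd: not found in PATH"
    fi
}

if [ "${1:-}" = "--host" ]; then
    check_host
fi
```

The functions take plain strings, so the same checks can be run over an inventory export (for example a list of node versions from a fleet management tool) rather than only on the local host. Note that a Docker host's dockerd may use a runc shipped inside the containerd package rather than a standalone runc package, which is why both binaries are examined.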

Copyright © iTnews.com.au . All rights reserved.