Leaky Vessels: Docker and runc container breakout vulnerabilities (January 2024)
Snyk security researchers have identified four critical vulnerabilities, dubbed "Leaky Vessels," in Docker and runc container infrastructure components, which could allow attackers to escape containers and gain unauthorized access to the host operating system. These vulnerabilities, CVE-2024-21626, CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, affect widely used container engines and build tools, prompting Snyk to recommend that users immediately apply the updates published by the relevant vendors. To aid in detecting exploit attempts, Snyk has released two open source tools: a runtime detection tool and a static analysis program. These tools serve as reference implementations and are intended to help identify potential exploits in container environments. Users are advised to monitor their systems and apply the updates promptly to mitigate these risks.
The "Leaky Vessels" vulnerabilities in Docker and runc allow attackers to escape from containers and gain unauthorized access to the host operating system. This is achieved through a container breakout technique that exploits vulnerabilities in the container runtime. BlueRock's Container Capability Control mitigates this threat by controlling the capabilities assigned to containers, thereby reducing the risk of unauthorized access to the host. Additionally, exploitation of the runc vulnerability involves using a malicious image or Dockerfile to achieve privilege escalation. BlueRock's Container Runtime Drift Protection (available December 2024) protects against unauthorized changes to the container runtime environment, ensuring that the runtime state remains consistent with the expected configuration and thereby blocking privilege escalation attempts. Together, these mechanisms help secure container environments against such vulnerabilities.
- T1611: Escape to Host: The article describes how the vulnerabilities, dubbed 'Leaky Vessels', allow an attacker to escape from a Docker container to the underlying host operating system. This indicates the use of a container breakout technique, specifically exploiting a vulnerability in the container runtime.
- T1068: Exploitation for Privilege Escalation: The exploitation of the runc vulnerability (CVE-2024-21626) involves the use of a malicious image or Dockerfile to achieve the container escape. This demonstrates the use of 'Exploitation for Privilege Escalation' as the attacker exploits the vulnerability to gain elevated privileges on the host.
- T1195: Supply Chain Compromise: The article mentions that the vulnerabilities can be exploited by running a malicious image or by building a container image using a malicious Dockerfile. This indicates the use of 'Supply Chain Compromise' to introduce the malicious Dockerfile or image into the build process.
- T1584.002: Compromise Infrastructure: DNS Server: The exploitation process involves building a container image using a malicious Dockerfile or upstream image, which suggests the use of 'Build Misconfiguration' to exploit the vulnerabilities during the container build process.
- T1005: Data from Local System: Once the attacker has gained access to the underlying host operating system, they could potentially access sensitive data such as credentials and customer information. This indicates the use of 'Data from Local System' to gather sensitive information from the compromised host.
- T1592: Gather Victim Host Information: The article describes how the vulnerabilities were discovered and disclosed responsibly to the relevant parties, indicating a 'Vulnerability Disclosure' process.