Container Escape via FD Leak in runc 1.1.11 & Prior
CVE-2024-21626 Published on January 31, 2024

runc container breakout through process.cwd trickery and leaked fds
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

Github Repository Github Repository NVD

Vulnerability Analysis

CVE-2024-21626 is exploitable with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. Public availability of a proof of concept (POC) exploit exists for CVE-2024-21626. The potential impact of an exploit of this vulnerability is considered to be very high.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
CHANGED
Confidentiality Impact:
HIGH
Integrity Impact:
HIGH
Availability Impact:
HIGH

Weakness Types

What is a File descriptor leak Vulnerability?

A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors. When a new process is forked or executed, the child process inherits any open file descriptors. When the child process has fewer privileges than the parent process, this might introduce a vulnerability if the child process can access the file descriptor but does not have the privileges to access the associated file.

CVE-2024-21626 has been classified to as a File descriptor leak vulnerability or weakness.

Exposure of Resource to Wrong Sphere

The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.


Products Associated with CVE-2024-21626

You can be notified by email with stack.watch whenever vulnerabilities like CVE-2024-21626 are published in these products:

Amazon Aws
 
Linux Foundation Runc
 
Fedora Project Fedora
 

Affected Versions

opencontainers runc Version >=v1.0.0-rc93, < 1.1.12 is affected by CVE-2024-21626

Exploit Probability

EPSS
4.54%
Percentile
89.01%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.