Service Notices
RunC Container Escape Vulnerability (CVE-2024-21626)
Feb 02, 2024 GMT+08:00
I. Overview
The runC community has released a new runC version that fixes a high-risk container escape vulnerability (CVE-2024-21626). Because runC leaks an internal file descriptor to the container process, an attacker can set the container process's working directory or command path to a path under that file descriptor's parent directory, gain access to arbitrary files on the host, and escape the container.
runC is a lightweight container runtime built on the OCI runtime specification. It is a core component of container software such as Docker, Containerd, and K8s. If you are a runC user, check your runC version and apply security hardening promptly.
References
https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
II. Severity
Severity: important
(Severity levels: low, moderate, important, critical)
III. Affected Products
Affected versions:
1.0.0-rc93 <= runC <= 1.1.11
Secure versions:
runC 1.1.12
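The following script is an added example, not part of the original notice, for checking whether the runC binary on a host falls into the affected range above (1.0.0-rc93 <= runC <= 1.1.11). It assumes that `runc --version` prints "runc version X.Y.Z[-rcN]..." on its first line, which is what upstream and most packaged builds do. Release candidates are ordered below the corresponding final release, so 1.0.0-rc92 is correctly reported as outside the range while 1.0.0-rc93 and 1.0.0 are inside it. Distribution packages that backport the fix without changing the reported version are not recognised by a version comparison alone; consult your vendor's advisory in that case.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a runC version against the
# CVE-2024-21626 affected range 1.0.0-rc93 <= runC <= 1.1.11 (fixed in 1.1.12).

# Map "X.Y.Z" or "X.Y.Z-rcN" to one integer so versions compare numerically.
# The rc slot is N for a release candidate and 999 for a final release, so
# rc builds sort below the release they precede. Distro suffixes such as
# "-0ubuntu1~22.04.1" or "+dev" are stripped. Prints nothing and returns 1
# when the string does not start with a semantic version.
version_key() {
    core=$(printf '%s\n' "$1" | sed -n \
        's/^\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\(-rc[0-9][0-9]*\)\{0,1\}\).*/\1/p')
    [ -n "$core" ] || return 1
    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%-*}
    case $rest in
        *-rc*) rc=${rest#*-rc} ;;
        *)     rc=999 ;;
    esac
    echo $(( major * 100000000 + minor * 100000 + patch * 1000 + rc ))
}

# Print "affected", "not_affected" or "unknown" for a runC version string.
# "not_affected" covers both 1.1.12 and later and builds older than 1.0.0-rc93.
runc_cve_2024_21626_status() {
    key=$(version_key "$1") || { echo unknown; return 0; }
    lower=$(version_key 1.0.0-rc93)
    upper=$(version_key 1.1.11)
    if [ "$key" -ge "$lower" ] && [ "$key" -le "$upper" ]; then
        echo affected
    else
        echo not_affected
    fi
}

# Read the version string from the runc binary in PATH, if any.
installed_runc_version() {
    command -v runc >/dev/null 2>&1 || return 1
    runc --version 2>/dev/null | sed -n '1s/^runc version //p'
}

# Exit 1 when the host's runC is in the affected range, 2 when runc is absent.
main() {
    ver=$(installed_runc_version) || { echo "runc not found in PATH"; return 2; }
    status=$(runc_cve_2024_21626_status "$ver")
    echo "runc $ver: $status (CVE-2024-21626)"
    [ "$status" = affected ] && return 1
    return 0
}

# Run the check only when invoked as runc_check.sh, so the functions can be
# sourced into other scripts without side effects.
case "${0##*/}" in
    runc_check.sh) main "$@" ;;
esac
```

Save the file as runc_check.sh and run it on each node; a non-zero exit status makes it easy to drive from a fleet-wide inventory job. The same functions can be sourced and fed version strings collected elsewhere (for example from package manager output) instead of the local binary.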
IV. Vulnerability Handling
This vulnerability has been fixed in the latest official version. If your service version falls into the affected range, upgrade it to the secure version.
https://github.com/opencontainers/runc/releases/tag/v1.1.12
The official mitigation measures are as follows (evaluate the impact on services before implementation):
1. Set WORKDIR of the container to /.
2. Allow users to run only trusted images.
3. Do not run exec commands in running containers.
Note: Before fixing vulnerabilities, back up your files and conduct a thorough test.
The emergency vulnerability scanning feature of Huawei Cloud Host Security Service (HSS), available in the enterprise edition and higher, can detect this runC container escape vulnerability. These editions also include HIPS rules in their intrusion detection feature that raise an alarm when an attacker escapes a container by exploiting this vulnerability. For details, see https://support.huaweicloud.com/intl/en-us/usermanual-hss2.0/hss_01_0412.html.
Note: On Linux hosts, emergency vulnerability scanning requires HSS agent version 3.2.9 or later.