Teacher
The discovery calls into question the security of container environments.
Snyk has discovered 4 vulnerabilities in virtualization systems, collectively known as Leaky Vessels. The flaws allow an attacker to go beyond isolated containers and gain access to data on the host operating system.
Containers are applications packaged in a file along with all the dependencies, executables, and code needed to run them. They run on platforms like Docker and Kubernetes in a virtualized environment isolated from the operating system. A container escape vulnerability occurs when an attacker or malicious application overcomes the isolation of the environment and gains unauthorized access to the host system or other containers.
The detected vulnerabilities affect the runc container runtime and the Buildkit image-building tool, which potentially allows an attacker to carry out container escape attacks against various software products. Since runc and Buildkit are used in a wide range of popular container management programs, such as Docker and Kubernetes, the risk of attacks increases significantly.
Demonstration of using Leaky Vessels to access data on the host
Leaky Vessels vulnerabilities include the following:
- CVE-2024-21626 (CVSS score: 8.6): An ordering flaw in how runc handles the WORKDIR instruction, which allows an attacker to break out of the isolated container environment and gain unauthorized access to the host operating system.
- CVE-2024-23651 (CVSS score: 8.7): A race condition during processing of the Buildkit mount cache that leads to unpredictable behavior and potentially allows an attacker to manipulate the process to gain unauthorized access.
- CVE-2024-23652 (CVSS score: 10.0): A vulnerability that allows arbitrary deletion of files or directories during the Buildkit container teardown phase, which can lead to Denial of Service (DoS), data corruption, or unauthorized data manipulation.
- CVE-2024-23653 (CVSS score: 9.8): A vulnerability caused by insufficient privilege checking in the Buildkit gRPC interface, which allows an attacker to perform actions outside of their permissions, leading to privilege escalation or unauthorized access to confidential data.
On January 31, 2024, Buildkit released vulnerability fixes in version 0.12.5, and runc fixed security issues in version 1.1.12. Docker also released version 4.27.0, which includes secure versions of components in its Moby engine.
Amazon Web Services (AWS), Google Cloud, and Ubuntu have published relevant security bulletins that recommend the necessary steps to address vulnerabilities in software and services. The CISA agency also issued a warning, urging cloud system administrators to take appropriate measures to protect their systems from potential exploitation.
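A practical first step for administrators is to compare the runc and Buildkit versions on each host against the fixed releases named above (runc 1.1.12, Buildkit 0.12.5). The following triage helper is an added example, not code from Snyk or either project; it parses constructed `--version` banners (the banner formats are assumptions) and treats release candidates of the fixed version as still unpatched.

```python
import re
from typing import Dict, Optional, Tuple

# Minimum versions carrying the Leaky Vessels fixes, as stated in the post.
# Last element: 0 = final release, -1 = release candidate (sorts below final).
FIXED_VERSIONS = {
    "runc": (1, 1, 12, 0),       # CVE-2024-21626
    "buildkit": (0, 12, 5, 0),   # CVE-2024-23651 / 23652 / 23653
}

def parse_version(banner: str) -> Optional[Tuple[int, int, int, int]]:
    """Extract the first x.y.z version from a tool's version banner.
    A trailing -rc suffix marks a pre-release, which must not count as fixed."""
    m = re.search(r"\bv?(\d+)\.(\d+)\.(\d+)(-rc[.\d]*)?", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, -1 if m.group(4) else 0)

def is_patched(component: str, banner: str) -> Optional[bool]:
    """True if the banner reports a version at or above the fixed release,
    False if older (or a pre-release of it), None if no version was found."""
    found = parse_version(banner)
    if found is None:
        return None
    return found >= FIXED_VERSIONS[component]

def triage(banners: Dict[str, str]) -> Dict[str, str]:
    """Map each component name to 'patched', 'VULNERABLE' or 'unknown'."""
    result = {}
    for component, banner in banners.items():
        state = is_patched(component, banner)
        result[component] = ("unknown" if state is None
                             else "patched" if state else "VULNERABLE")
    return result

# Constructed sample banners; not output captured from any real host.
SAMPLE_BANNERS = {
    "runc": "runc version 1.1.11\ncommit: v1.1.11-0-g4bccb38\nspec: 1.0.2-dev",
    "buildkit": "buildkitd github.com/moby/buildkit v0.12.5",
}

if __name__ == "__main__":
    for component, state in triage(SAMPLE_BANNERS).items():
        print(f"{component}: {state}")
```

On a real host, feed the output of `runc --version` and `buildkitd --version` into `triage` instead of the constructed banners.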