Saturday, May 18, 2024

Multiple Container Flaws Allow Attackers to Access the Host OS

Four new vulnerabilities have been identified in containers that could allow a threat actor to escape the container and gain access to the host system.

These vulnerabilities have been named “Leaky Vessels” by researchers that could potentially enable a threat actor to access sensitive data on the host systems and launch further attacks.

The CVEs for these vulnerabilities have been assigned as follows

  • CVE-2024-21626 (runc process.cwd & leaked dfs container breakout – 8.6 (High))
  • CVE-2024-23651 (Buildkit Mount Cache Race – 8.7 (High) )
  • CVE-2024-23653 (Buildkit GRPC SecurityMode Privilege Check – 10.0 (Critical))
  • CVE-2024-23652 (Buildkit Build-time Container Teardown Arbitrary Delete – 9.8 (Critical))
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Leaky Vessels


This vulnerability exists due to the order of operations defined in the WORKDIR directive of a Dockerfile, which is modified as a path traversal to access privileged directories /proc/self/fd/ that is passed through the chdir argument. 

Successful exploitation of this attack provides complete root access to the filesystem, thus enabling the attacker to control the host. The severity for this vulnerability has been given as 8.6 (High).


This vulnerability is due to a TOCTOU (time-of-check/time-of-use) race condition during the mounting of a cache volume at container build time. The race condition exists due to the validation of the source path that confirms if the source path inside the cache mount is a directory.

This vulnerability can be exploited by manipulating the cache volume source path from the mount and abusing the race condition, which could result in gaining full root host compromise. The severity for this vulnerability has been given as 8.7 (High).


This vulnerability occurs due to a missing privilege check on the GRPC endpoint. A custom input format of a Dockerfile can be specified using a # syntax= command, which defines the use of another Docker image for parsing the input. This docker image will have access to the GRPC server to enable the intermediate representation creation and submission.

However, the Container.Start endpoint allows the execution of build-time ephemeral containers which does not validate StartRequest.

The scurityMode argument can be abused by threat actors to elevate their privileges and achieve full host root command execution. The severity for this vulnerability has been given as 10.0 (Critical).


This vulnerability occurs when the Buildkit attempts to clean up temporary directories after usage. When a Dockerfile is run, some specific directories are targeted based on the configuration of the Dockerfile. If the directories don’t exist, they are created and then removed.

This particular functionality can be abused by changing the targeted directory to a symbolic link that will traverse this symbolic link and lead to deletion.

Successful exploitation of this vulnerability results in the deletion of any file on the file system. The severity for this vulnerability has been given as 9.8 (Critical).

These vulnerabilities have been published by Snyk, which provides detailed information about the exploit code, methodology, and mitigation.

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.


Latest articles

Norway Recommends Replacing SSLVPN/WebVPN to Stop Cyber Attacks

A very important message from the Norwegian National Cyber Security Centre (NCSC) says that...

New Linux Backdoor Attacking Linux Users Via Installation Packages

Linux is widely used in numerous servers, cloud infrastructure, and Internet of Things devices,...

ViperSoftX Malware Uses Deep Learning Model To Execute Commands

ViperSoftX malware, known for stealing cryptocurrency information, now leverages Tesseract, an open-source OCR engine,...

Santander Data Breach: Hackers Accessed Company Database

Santander has confirmed that there was a major data breach that affected its workers...

U.S. Govt Announces Rewards up to $5 Million for North Korean IT Workers

The U.S. government has offered a prize of up to $5 million for information...

Russian APT Hackers Attacking Critical Infrastructure

Russia leverages a mix of state-backed Advanced Persistent Threat (APT) groups and financially motivated...

Millions Of IoT Devices Vulnerable To Attacks Leads To Full Takeover

Researchers discovered four significant vulnerabilities in the ThroughTek Kalay Platform, which powers 100 million...
Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Free Webinar

Live API Attack Simulation

94% of organizations experience security problems in production APIs, and one in five suffers a data breach. As a result, cyber-attacks on APIs increased from 35% in 2022 to 46% in 2023, and this trend continues to rise.
Key takeaways include:

  • An exploit of OWASP API Top 10 vulnerability
  • A brute force ATO (Account Takeover) attack on API
  • A DDoS attack on an API
  • Positive security model automation to prevent API attacks

Related Articles