Multiple Container Flaws Allow Attackers to Access the Host OS

Four new vulnerabilities have been identified in containers that could allow a threat actor to escape the container and gain access to the host system.

These vulnerabilities have been named “Leaky Vessels” by researchers that could potentially enable a threat actor to access sensitive data on the host systems and launch further attacks.

The CVEs for these vulnerabilities have been assigned as follows

  • CVE-2024-21626 (runc process.cwd & leaked dfs container breakout – 8.6 (High))
  • CVE-2024-23651 (Buildkit Mount Cache Race – 8.7 (High) )
  • CVE-2024-23653 (Buildkit GRPC SecurityMode Privilege Check – 10.0 (Critical))
  • CVE-2024-23652 (Buildkit Build-time Container Teardown Arbitrary Delete – 9.8 (Critical))
Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

Leaky Vessels

CVE-2024-21626

This vulnerability exists due to the order of operations defined in the WORKDIR directive of a Dockerfile, which is modified as a path traversal to access privileged directories /proc/self/fd/ that is passed through the chdir argument. 

Successful exploitation of this attack provides complete root access to the filesystem, thus enabling the attacker to control the host. The severity for this vulnerability has been given as 8.6 (High).

CVE-2024-23651

This vulnerability is due to a TOCTOU (time-of-check/time-of-use) race condition during the mounting of a cache volume at container build time. The race condition exists due to the validation of the source path that confirms if the source path inside the cache mount is a directory.

This vulnerability can be exploited by manipulating the cache volume source path from the mount and abusing the race condition, which could result in gaining full root host compromise. The severity for this vulnerability has been given as 8.7 (High).

CVE-2024-23653

This vulnerability occurs due to a missing privilege check on the GRPC endpoint. A custom input format of a Dockerfile can be specified using a # syntax= command, which defines the use of another Docker image for parsing the input. This docker image will have access to the GRPC server to enable the intermediate representation creation and submission.

However, the Container.Start endpoint allows the execution of build-time ephemeral containers which does not validate StartRequest.

The scurityMode argument can be abused by threat actors to elevate their privileges and achieve full host root command execution. The severity for this vulnerability has been given as 10.0 (Critical).

CVE-2024-23652

This vulnerability occurs when the Buildkit attempts to clean up temporary directories after usage. When a Dockerfile is run, some specific directories are targeted based on the configuration of the Dockerfile. If the directories don’t exist, they are created and then removed.

This particular functionality can be abused by changing the targeted directory to a symbolic link that will traverse this symbolic link and lead to deletion.

Successful exploitation of this vulnerability results in the deletion of any file on the file system. The severity for this vulnerability has been given as 9.8 (Critical).

These vulnerabilities have been published by Snyk, which provides detailed information about the exploit code, methodology, and mitigation.

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing millions…

1 day ago

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer through…

2 days ago

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the initial…

2 days ago

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store, which…

2 days ago

Lazarus Hackers Using New VNC Based Malware To Attack Organizations Worldwide

The Lazarus Group has recently employed a sophisticated attack, dubbed "Operation DreamJob," to target employees…

2 days ago

New Python NodeStealer Attacking Facebook Business To Steal Login Credentials

NodeStealer, initially a JavaScript-based malware, has evolved into a more sophisticated Python-based threat that targets…

2 days ago