Vulnerabilities in RunC Allow Attackers to Gain Host Access by Escaping Containers

Sophia Rodriguez

Security researchers have revealed that the runC command line tool is susceptible to multiple security vulnerabilities, paving the way for threat actors to bypass container limitations and carry out follow-up attacks. The flaws, which are collectively known as Leaky Vessels and are tracked as CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, enable an attacker to gain unauthorized access to the host operating system and potentially acquire sensitive data and superuser privileges, according to cybersecurity vendor Snyk.

RunC, originally part of Docker and later developed as a separate open-source library, is a tool used for launching containers on Linux. The recently disclosed vulnerabilities include CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, with each flaw rated based on the Common Vulnerability Scoring System (CVSS). The most severe of these is CVE-2024-21626, allowing for the container escape due to the “WORKDIR” command.

The flaws were effectively addressed in runC version 1.1.12, with Buildkit vulnerabilities fixed in version 0.12.5 released following a responsible disclosure in November 2023. Snyk has recommended users to seek updates for the container runtime environments provided by various Docker, Kubernetes, cloud container services, and open-source communities due to the widespread impact of these vulnerabilities.

Docker, AWS, Google Cloud, and Ubuntu have also issued advisories urging customers to take the necessary steps to mitigate the potential risks posed by these vulnerabilities.

Frequent incidents of cloud and container security breaches have been attributed to organizations having overly permissive permissions and administrative privileges in their initial setups. This has paved the way for misconfigurations and opportunities for privilege escalation and has been scrutinized by security firms like Sysdig in its 2024 Cloud-Native Security and Usage Report, which highlights the link between identity compromise and subsequent malicious activities.

(The story was updated after publication to include additional advisories published by Docker, AWS, Google Cloud, and Ubuntu.)

Share This Article
Avatar photo
By Sophia Rodriguez “TF Eco-Tech”
Sophia Rodriguez is the eco-tech enthusiast of the group. With her academic background in Environmental Science, coupled with a career pivot into sustainable technology, Sophia has dedicated her life to advocating for and reviewing green tech solutions. She is passionate about how technology can be leveraged to create a more sustainable and environmentally friendly world and often speaks at conferences and panels on this topic.
Leave a comment