Introduction

Red Hat has identified a critical vulnerability in runc, a key component of container infrastructure, which facilitates container escapes, potentially allowing attackers unauthorized access to the host operating system from within a container. Exploitation methods include deceiving users into using or constructing a malicious image, or executing a malevolent process within the container with runc exec. This vulnerability, designated CVE-2024-21626, has been classified with an important severity impact.

Affected Red Hat products include:

  • Red Hat OpenShift Container Platform versions 4 and 3.11
  • Red Hat Enterprise Linux versions 7, 8, and 9
  • Additional products running on Red Hat Enterprise Linux and RHEL CoreOS

Notably, this issue also extends to product containers based on RHEL or UBI container images and to products that draw packages from the RHEL channel.

Related vulnerabilities, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, found in moby buildkit, are under investigation.

Technical Details

The vulnerability stems from how runc handles the WORKDIR and RUN directives in Dockerfiles, leading to file-descriptor leak and path traversal attacks. This flaw enables containers to bind to directories on the host system, thereby gaining unauthorized access to host resources.

The issue arises from runc’s processing of the WORKDIR directive, allowing attackers to exploit the directive to access privileged file descriptors and manipulate host system files. This vulnerability significantly increases the risk of container breakout and host system compromise.

Mitigation

To mitigate this threat, Red Hat advises:

  • Utilizing SELinux in targeted enforcing mode, as shipped with RHEL and OpenShift, to prevent container processes from accessing host content.
  • Inspecting Dockerfiles for suspicious RUN and WORKDIR directives.
  • Limiting access to trusted container images to ward off unauthorized access and attacks.
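As an added example that is not part of the Red Hat advisory, the following Python check implements the second bullet: it walks a Dockerfile, joins backslash-continued lines, and flags any WORKDIR or RUN directive that resolves through a process's file-descriptor table under /proc, the publicly documented indicator for this CVE. The sample Dockerfile is constructed for the example.

```python
import re

# Constructed sample Dockerfile (not a real image); the last two directives
# carry the publicly documented indicator for CVE-2024-21626.
SAMPLE_DOCKERFILE = """\
FROM registry.access.redhat.com/ubi9/ubi
WORKDIR /app
COPY . /app
RUN dnf install -y python3 && \\
    dnf clean all
# a working directory should never be a process's fd table
WORKDIR /proc/self/fd/7
RUN cd /proc/self/fd/7 && pwd
"""

# Matches a path through /proc/self/fd or /proc/<pid>/fd, but not
# look-alikes such as /procfs/... or /proc/self/fdinfo.
FD_PATH = re.compile(r"/proc/(self|\d+)/fd(/|$|\s)")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash continuations joined,
    skipping blank and comment lines the way the Dockerfile parser does."""
    start, buf = None, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if start is None:
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line.strip())
        yield start, " ".join(buf)
        start, buf = None, []
    if buf:  # file ended inside a continuation
        yield start, " ".join(buf)

def scan_dockerfile(text):
    """Return (line_no, directive, reason) for each suspicious WORKDIR/RUN."""
    findings = []
    for n, line in logical_lines(text):
        m = re.match(r"(\w+)\s+(.*)", line)
        if not m:
            continue
        directive, arg = m.group(1).upper(), m.group(2)
        if directive in ("WORKDIR", "RUN") and FD_PATH.search(arg):
            findings.append((n, directive, "references a /proc fd path"))
    return findings
```

Run it over each Dockerfile in a build pipeline and fail the build on any finding; the line number points at the first physical line of the offending directive.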

Affected Products

Red Hat urges customers with the affected product versions to update their systems as soon as updates are made available. Immediate application of these updates and enabling appropriate mitigations is strongly recommended.

  • Red Hat Enterprise Linux 7: Update for runc (TBD)
  • Red Hat Enterprise Linux 8: Updates for container-tools:4.0/runc and container-tools:rhel8/runc (TBD)
  • Red Hat Enterprise Linux 9: runc update (RHSA-2024:0670)
  • Red Hat OpenShift Container Platform 4 & 3.11: Update for runc (TBD)

Updates and advisories will be posted as they become available.

Conclusion

The discovery of CVE-2024-21626 within the runc component highlights a significant vulnerability in the container ecosystem, underlining the critical importance of security within the rapidly evolving field of container technology. This vulnerability not only poses a direct threat to the integrity and security of containerized applications but also emphasizes the potential for broader implications across the host systems on which these containers operate.

Red Hat’s prompt identification and ongoing efforts to address this vulnerability, along with related issues in moby buildkit, reflect a commitment to safeguarding the infrastructure that underpins modern cloud-native applications. The recommendations and mitigation strategies provided by Red Hat serve as essential guidance for administrators and users of affected products to protect their environments against unauthorized access and potential compromise.

The situation underscores the necessity for continuous vigilance, regular updates, and the adoption of security best practices by organizations leveraging container technologies. By proactively managing security risks and applying updates as they become available, businesses can significantly reduce their exposure to vulnerabilities and ensure the resilience of their operational environments against emerging threats.

As the landscape of container technology continues to evolve, so too will the challenges associated with securing these environments. The case of CVE-2024-21626 serves as a reminder of the ongoing collaboration required between technology providers, security researchers, and the broader user community to navigate these challenges effectively and maintain the security and reliability of containerized applications.