Updated on 2023-11-15 GMT+08:00

Notice on runC Vulnerability that Allows a Container Filesystem Breakout via Directory Traversal (CVE-2021-30465)

Description

runC is vulnerable to a symlink exchange attack in which an attacker requests a seemingly innocuous pod configuration that actually results in the host filesystem being bind-mounted into the container, allowing a container escape. CVE-2021-30465 has been assigned to this vulnerability. The details and a PoC of this vulnerability have been publicly disclosed, and the risk is high.

Table 1 Vulnerability information

Type             | CVE-ID         | Severity | Discovered
-----------------|----------------|----------|-----------
Container escape | CVE-2021-30465 | High     | 2021-05-31

Impact

An attacker who can create a malicious pod that mounts a host directory into the container can exploit the runC symlink exchange and race condition to escape the container and access the host filesystem.

CCE clusters earlier than v1.17 (excluding v1.17) are affected by this vulnerability. For existing CCE clusters of v1.17, v1.19, and v1.21, check the runC version on each node.
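To make the per-node check above repeatable, the following added example (not part of the CCE notice) parses the output of `runc --version` and reports whether the node is still below the fixed release. The sample output and commit hash are constructed, and `MIN_FIXED_VERSION` is an assumption based on the upstream runc fix for CVE-2021-30465 landing in 1.0.0-rc95; confirm the patched build your distribution actually ships before relying on it.

```python
"""Decide from `runc --version` output whether a node's runC predates the fix.

Added example for the CCE notice; not project code. The minimum version is an
assumption (upstream runc fixed CVE-2021-30465 in 1.0.0-rc95).
"""
import re

MIN_FIXED_VERSION = "1.0.0-rc95"  # assumption: upstream fix release

# Constructed sample of `runc --version` output from an older node.
SAMPLE_OUTPUT = """runc version 1.0.0-rc93
commit: 0000000000000000000000000000000000000000
spec: 1.0.2-dev
"""


def parse_runc_version(output: str) -> str:
    """Extract the version token from the 'runc version X' line."""
    m = re.search(r"^runc version\s+(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'runc version' line found in output")
    return m.group(1)


def version_key(version: str) -> tuple:
    """Sort key that orders release candidates before the final release:
    1.0.0-rc93 < 1.0.0-rc95 < 1.0.0 < 1.0.1.
    Build metadata such as '+dev' is ignored."""
    version = version.lstrip("v").split("+")[0]
    base, _, pre = version.partition("-")
    nums = tuple(int(x) for x in base.split("."))
    nums = nums + (0,) * (3 - len(nums))  # pad so 1.0 compares like 1.0.0
    if pre:
        m = re.match(r"rc(\d+)", pre)
        pre_key = (0, int(m.group(1)) if m else 0)  # pre-release sorts first
    else:
        pre_key = (1, 0)  # final release
    return nums + pre_key


def needs_replacement(output: str, min_fixed: str = MIN_FIXED_VERSION) -> bool:
    """True if the node's runC is older than the first fixed version."""
    return version_key(parse_runc_version(output)) < version_key(min_fixed)


if __name__ == "__main__":
    version = parse_runc_version(SAMPLE_OUTPUT)
    status = "needs replacement" if needs_replacement(SAMPLE_OUTPUT) else "fixed"
    print(f"runc {version}: {status}")
```

On a real node you would feed the script the captured output of `runc --version` (or `docker info` / `containerd` runtime details, depending on the node image) instead of the constructed sample.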

Solution

  • Prevent untrusted users from creating workloads, and in particular from configuring volume mount parameters.
  • Restrict the permissions of the container.
    • Run the container as a non-root user.
    • Drop Linux capabilities that the container does not need, in particular CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, and CAP_SYS_ADMIN.
    • Use seccomp to restrict the system calls the container can make to the host kernel. For details, see Restrict a Container's Syscalls with Seccomp.
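The controls in the list above can be checked mechanically before a pod is admitted. The following added example (not part of the CCE notice or any CCE tooling) audits a pod spec, given as a Python dict such as one loaded from YAML, for hostPath volumes, missing `runAsNonRoot`, the three capabilities named above, and a missing seccomp profile. The two sample pods are constructed; the hypothetical `audit_pod` function returns a list of findings, so an empty list means the spec passes.

```python
"""Audit a Kubernetes pod spec for the hardening controls recommended above.

Added example; not code from the CCE notice. Checks:
  * hostPath volumes (a host directory mounted into the container)
  * containers not forced to run as non-root
  * privileged containers
  * SYS_ADMIN, DAC_OVERRIDE, DAC_READ_SEARCH added or not dropped
  * no seccomp profile (or an Unconfined one) at pod or container level
"""

# Kubernetes spells capabilities without the CAP_ prefix; both forms are accepted.
RISKY_CAPS = {"SYS_ADMIN", "DAC_OVERRIDE", "DAC_READ_SEARCH"}


def _norm(cap: str) -> str:
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_pod(pod: dict) -> list:
    """Return a list of human-readable findings; empty means the spec passes."""
    findings = []
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext", {})

    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            path = vol["hostPath"].get("path")
            findings.append(f"volume {vol.get('name')!r} is a hostPath mount of {path!r}")

    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        # Container-level settings override pod-level ones.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"container {name!r} does not set runAsNonRoot: true")
        if sc.get("privileged"):
            findings.append(f"container {name!r} is privileged")
        caps = sc.get("capabilities", {})
        added = {_norm(x) for x in caps.get("add", [])}
        dropped = {_norm(x) for x in caps.get("drop", [])}
        for cap in sorted(RISKY_CAPS & added):
            findings.append(f"container {name!r} adds {cap}")
        if "ALL" not in dropped:
            missing = sorted(RISKY_CAPS - dropped)
            if missing:
                findings.append(f"container {name!r} does not drop {', '.join(missing)}")
        seccomp = sc.get("seccompProfile", pod_sc.get("seccompProfile"))
        if not seccomp or seccomp.get("type") == "Unconfined":
            findings.append(f"container {name!r} runs without a seccomp profile")
    return findings


# Constructed sample: the kind of pod the notice warns about.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "weak"},
    "spec": {
        "volumes": [{"name": "host", "hostPath": {"path": "/"}}],
        "containers": [{
            "name": "app", "image": "example/app:latest",
            "securityContext": {"capabilities": {"add": ["SYS_ADMIN"]}},
            "volumeMounts": [{"name": "host", "mountPath": "/host"}],
        }],
    },
}

# Constructed sample: the same workload with the recommended restrictions.
HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "hardened"},
    "spec": {
        "securityContext": {
            "runAsNonRoot": True,
            "seccompProfile": {"type": "RuntimeDefault"},
        },
        "volumes": [{"name": "data", "emptyDir": {}}],
        "containers": [{
            "name": "app", "image": "example/app:latest",
            "securityContext": {"capabilities": {"drop": ["ALL"]}},
            "volumeMounts": [{"name": "data", "mountPath": "/data"}],
        }],
    },
}


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], audit_pod(pod) or "OK")
```

The same logic fits naturally into a validating admission webhook or a CI check on manifests; the checks deliberately treat pod-level and container-level `securityContext` the way Kubernetes does, with container settings taking precedence.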

This vulnerability has been fixed for new nodes in CCE.

You can create a new node and mark the old node as unschedulable. After all pods on the old node have been rescheduled onto the new node, delete or reset the old node.