Updated on 2024-11-11 GMT+08:00

Notice of runC Vulnerability That Allows a Container Filesystem Breakout via Directory Traversal (CVE-2021-30465)

Description

runC is vulnerable to a symlink-exchange attack: an attacker can request a seemingly innocuous pod configuration that actually results in the host filesystem being bind-mounted into the container, allowing a container escape. CVE-2021-30465 has been assigned to this vulnerability. The details and a proof of concept (PoC) have been disclosed publicly, and the risk is high.

Table 1 Vulnerability details

Type              CVE-ID           Severity   Discovered
Container escape  CVE-2021-30465   High       2021-05-31

Impact

This vulnerability is present when the runC version is 1.0.0-rc94 or earlier. An attacker who can create a malicious pod that mounts a host directory into the container can exploit the symlink-exchange race condition in runC to escape the container and access the host filesystem.

To determine whether a node is affected, check whether its runC version is 1.0.0-rc94 or earlier.
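The version check above, as an added example that is not part of the CCE notice: a POSIX shell helper that classifies a runC version string against the affected range (1.0.0-rc94 or earlier) and, when run with `--check` on a node, reads the version from the local `runc --version` output. It assumes runc's own output format, whose first line reads "runc version <ver>".

```shell
#!/bin/sh
# Added example, not part of the CCE notice: decide whether a node's runC
# build is in the affected range for CVE-2021-30465 (1.0.0-rc94 or earlier).
# Assumes `runc --version` prints its first line as "runc version <ver>",
# e.g. "runc version 1.0.0-rc93", which is runc's own output format.

# runc_affected VER: exit 0 if VER is affected, 1 if fixed, 2 if unparseable.
runc_affected() {
  v="$1"
  case "$v" in
    "")        return 2 ;;                 # nothing to compare
    0.*)       return 0 ;;                 # pre-1.0 releases predate the fix
    1.0.0-rc*)
      # Keep only the leading digits of the rc number ("93+dev" -> "93").
      rc=$(printf '%s' "${v#1.0.0-rc}" | sed 's/[^0-9].*$//')
      [ -n "$rc" ] || return 2
      [ "$rc" -le 94 ]                     # rc94 and earlier affected, rc95 fixed
      ;;
    *)         return 1 ;;                 # 1.0.0 GA and later carry the fix
  esac
}

# runc_version_from_output OUTPUT: pull "<ver>" from `runc --version` text.
runc_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^runc version \([^ ]*\).*$/\1/p'
}

# check_node: query the local runc binary and print the verdict.
# Exit status mirrors runc_affected (0 affected, 1 fixed, 2 unknown).
check_node() {
  command -v runc >/dev/null 2>&1 || { echo "runc not found in PATH"; return 2; }
  ver=$(runc_version_from_output "$(runc --version 2>/dev/null)")
  if runc_affected "$ver"; then status=0; else status=$?; fi
  case $status in
    0) echo "runc $ver: affected by CVE-2021-30465, update this node" ;;
    1) echo "runc $ver: not in the affected range" ;;
    *) echo "could not parse runc version from output: '$ver'" ;;
  esac
  return $status
}

# Run the node check only when invoked as: sh runc_check.sh --check
case "${1:-}" in --check) check_node ;; esac
```

Run it on each node as root (or any user that can execute runc); a zero exit status means the node needs to be replaced or reset as described in the Solution section.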

Solution

  • Restrict untrusted users from creating workloads, and in particular from configuring volume mount parameters.
  • Restrict the permissions of the container.
    • Run the container as a non-root user.
    • Drop Linux capabilities the container does not need, such as CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH, and CAP_SYS_ADMIN.
    • Use seccomp to restrict the system calls a container can make to the host kernel. For details, see Restrict a Container's Syscalls with Seccomp.

This vulnerability has been fixed for new nodes in CCE.

To migrate existing nodes, create a new node and mark the old node as unschedulable. After all pods on the old node have been rescheduled to the new node, delete or reset the old node.