Notice on the Impact of runC Vulnerability (CVE-2024-21626)

Description

runC is a lightweight tool for running containers. It implements the Open Container Initiative (OCI) specification. runC is the core and basic component of container software such as Docker, containerd, and Kubernetes. Recently, the runC community released the latest version to fix a high-risk container escape vulnerability (CVE-2024-21626). Due to an internal file descriptor leak, an attacker could control and set the working directory or the command path of a container process to the path under the parent directory of the file descriptor. This allows the container to read and write any files from and into the node, resulting in a container escape.

For details, see RunC Container Escape Vulnerability (CVE-2024-21626).

Vulnerability Exploitation Conditions

CCE clusters in normal usage are not affected by this vulnerability.

An attacker can exploit this vulnerability only when either of the following conditions is met:

1. The attacker can create or update workloads in a cluster.
2. The image source of a container that runs a workload is untrusted, which enables an attacker to modify the source image.

The following shows the common ways in which exploitation can occur:

• An attacker, with permissions to create or update workloads in a cluster, sets WORKDIR of a container process to /proc/self/fd/<num> during workload creation to access the node file system after the container runs.
• An attacker modifies an untrusted source container image of a workload and sets the image's WORKDIR to /proc/self/fd/<num> to access the node file system after the container built from this image runs.

Impact

If either of the preceding exploitation conditions is met, a container process may escape to the node, resulting in node information leakage or malicious command execution.

Identification Method

The risks may be present if workload configurations or container images in clusters 1.21.1-r0 to 1.21.12-r2, 1.23.1-r0 to 1.23.11-r2, 1.25.1-r0 to 1.25.6-r2, 1.27.1-r0 to 1.27.3-r10, and 1.28.1-r0 to 1.28.1-r10 have either of the following characteristics:

• WORKDIR of a container process in a workload is set to /proc/self/fd/<num>.
  Figure 1 Configurations of a workload with security risks
  
• The default WORKDIR or startup command of a container image in a workload contains /proc/self/fd/<num>.
  Run the following command to view the container image metadata:

  • For a Docker container: docker inspect <Image ID>
  • For a containerd container: crictl inspecti <Image ID>

  Figure 2 Configurations of an image with security risks
  

Solution

Workarounds:

• Set the WORKDIR directory of a workload to a fixed one.
• If the WORKDIR directory is not configured for a workload, ensure that the container images used by the workload are trusted.

Before performing the preceding workarounds, evaluate the impact on services and perform thorough tests.

Rectification method:

We have fixed this vulnerability. Pay attention to update in Patch Versions and upgrade your clusters to the fixed version. For clusters that have reached EOS, upgrade them to versions under maintenance.

In clusters 1.21.12-r4, 1.23.11-r4, 1.25.6-r4, 1.27.3-r4, 1.28.1-r4, and later, this vulnerability was fixed.

Newly started containers running in clusters which were upgraded to the versions where the vulnerability was fixed are not affected. Existing containers running in clusters of the fixed versions need to be further checked. For details, see Identification Method.

• In a running container, if WORKDIR in the container process is set to /proc/self/fd/<num>, this vulnerability still exists. To minimize risks, delete the configuration and redeploy the container.
• In a running container, if WORKDIR in the used image is set to /proc/self/fd/<num>, this vulnerability still exists. To minimize risks, use a trusted image and redeploy the container.
• In a running container, if WORKDIR in the container process is not set to /proc/self/fd/<num>, there is no risk.