Impact of the runC Vulnerability on UCS (CVE-2024-21626)
Details
runC is a lightweight tool for running containers. It implements the Open Container Initiative (OCI) specification. runC is the core and basic component of container software such as Docker, containerd, and Kubernetes. Recently, the runC community released the latest version to fix a high-risk container escape vulnerability (CVE-2024-21626). Due to an internal file descriptor leak, an attacker could control and set the working directory or the command path of a container process to the path under the parent directory of the file descriptor. This allows the container to read and write any files from and into the node, resulting in a container escape.
Vulnerability Name |
CVE-ID |
Severity |
Discovered |
---|---|---|---|
runC vulnerability |
CVE-2024-21626 |
High |
2024-02-01 |
Vulnerability Exploitation Conditions
UCS services in normal usage are not affected by this vulnerability. An attacker can exploit this vulnerability only when either of the following conditions is met:
- The attacker can create or update workloads in a cluster.
- The image source of a container that runs a workload is untrusted, which enables an attacker to modify the source image.
Impact
If either of the preceding exploitation conditions is met, a container process may escape to the node, resulting in node information leakage or malicious command execution.
The following shows the common ways in which exploitation can occur:
- An attacker, with permissions to create or update workloads in a cluster, sets WORKDIR of a container process to /proc/self/fd/<num> during workload creation to access the node file system after the container runs.
- An attacker modifies an untrusted source container image of a workload and sets WORKDIR of the image to /proc/self/fd/<num> to access the node file system after the container built from this image runs.
Identification Method
The risks may be present if workload configurations or container images in on-premises clusters on Huawei Cloud (Chinese Mainland) and multi-cloud clusters on Huawei Cloud (International) have either of the following characteristics:
- WORKDIR of a container process in a workload is set to /proc/self/fd/<num>.
Figure 1 Configurations of a workload with security risks
- The default value of WORKDIR or startup command of a container image in a workload contains /proc/self/fd/<num>.
View the container image metadata.
- For a Docker container: docker inspect <Image ID>
- For a containerd container: crictl inspecti <Image ID>
Figure 2 Configurations of a workload with security risks
Solution
Preventive measures
- Set WORKDIR of a workload to a fixed directory.
- If WORKDIR is not set for a workload, ensure that the container images used by the workload are trusted.
Before taking the preventive measures, evaluate the impact on services and perform tests.
Rectification method
This vulnerability has been fixed in UCS. Use the latest versions of on-premises clusters and multi-cloud clusters.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot