CVE-2021-30465

8.5 HIGH

📋 TL;DR

CVE-2021-30465 is a container escape vulnerability in runc that allows attackers to break out of container filesystem isolation through directory traversal. It affects container runtimes using runc versions before 1.0.0-rc95. The vulnerability requires specific mount configurations and exploits a race condition via symlink-exchange attacks.

💻 Affected Systems

Products:
  • runc
  • Docker
  • containerd
  • Kubernetes (when using affected runc versions)
  • Podman
  • CRI-O
Versions: All runc versions before 1.0.0-rc95
Operating Systems: Linux
Default Config Vulnerable: ✅ No
Notes: Requires ability to create containers with specific mount configurations. Not exploitable with default container configurations.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full container escape leading to host system compromise, allowing attackers to access host filesystem, execute arbitrary code on the host, and potentially pivot to other systems.

🟠 Likely Case

Container escape enabling access to sensitive host files, configuration data, and potential privilege escalation on the host system.

🟢 If Mitigated

Limited impact due to proper container isolation, security policies, and restricted mount configurations preventing exploitation.

🌐 Internet-Facing: MEDIUM - Requires container creation capability and specific mount configurations, but could be exploited through container orchestration APIs.
🏢 Internal Only: HIGH - Internal attackers with container creation privileges can exploit this to escalate privileges and compromise host systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: HIGH

Exploitation requires container creation privileges, specific mount configurations, and relies on winning a race condition. Proof-of-concept code has been published.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: runc 1.0.0-rc95 and later

Vendor Advisory: https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r

Restart Required: Yes

Instructions:

1. Update runc to version 1.0.0-rc95 or later.
2. Update the container runtime (Docker, containerd, etc.) to a version that includes the patched runc.
3. Restart container runtime services.
4. Recreate containers to ensure they use the updated runc version.

🔧 Temporary Workarounds

Restrict container mount configurations

Prevent containers from using potentially dangerous mount configurations that could enable exploitation.

# Use container runtime security policies to restrict mounts
# Example for Docker: docker run --security-opt no-new-privileges --read-only
# Use Kubernetes Pod Security Policies or Security Contexts to restrict volume mounts

Implement container runtime sandboxing

Use additional isolation layers like gVisor or Kata Containers to add defense-in-depth.

# For gVisor: docker run --runtime=runsc
# For Kata: docker run --runtime=kata-runtime

🧯 If You Can't Patch

  • Implement strict container runtime policies to prevent creation of containers with custom mount configurations
  • Use container security scanning tools to detect vulnerable configurations and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the runc version: runc --version | grep version. If the reported version is earlier than 1.0.0-rc95, the system is vulnerable.

Check Version:

runc --version

Verify Fix Applied:

Verify that the runc version is 1.0.0-rc95 or later with runc --version, and check that the container runtime version bundles the patched runc.
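Comparing runc versions by eye is error-prone because the fix landed in a release candidate: 1.0.0-rc93 is vulnerable, 1.0.0-rc95 and 1.0.0 are not, and distributions sometimes write the same version as 1.0.0~rc95. The script below is an added example and not part of this advisory or of the runc project; the function name runc_is_vulnerable is the author's own. It assumes only that the first line of runc --version has the form "runc version X", and it applies the version rule stated above in general (0.x, 1.0.0-rcN, 1.0.0 final and later releases).

```shell
#!/bin/sh
# Added example (not from the advisory or runc): classify a runc version string
# against the CVE-2021-30465 fix version, 1.0.0-rc95.
# Accepts the first line of `runc --version` ("runc version 1.0.0-rc93") or a
# bare version ("1.0.0-rc93", "1.0.0~rc93"). Returns 0 (shell "true") when the
# version predates the fix, 1 when it does not, 2 when the string is unparsable.
# Anything after a "+" (build metadata such as "+dev") is ignored.
runc_is_vulnerable() {
    v=${1#"runc version "}
    # numeric base "major.minor.patch", cut at the first -, ~ or + separator
    base=$(printf '%s' "$v" | sed 's/[-~+].*$//')
    # release-candidate number ("95" for 1.0.0-rc95 or 1.0.0~rc95), empty otherwise
    rc=$(printf '%s' "$v" | sed -n 's/^[0-9.]*[-~]rc\([0-9][0-9]*\).*$/\1/p')
    major=${base%%.*}
    rest=${base#*.}
    minor=${rest%%.*}
    patch=${rest#*.}
    # refuse to guess on strings that do not look like a version number
    case "$major$minor$patch" in
        ''|*[!0-9]*) echo "unrecognised runc version string: $1" >&2; return 2 ;;
    esac
    if [ "$major" -lt 1 ]; then return 0; fi            # 0.x releases: vulnerable
    if [ "$major" -gt 1 ] || [ "$minor" -gt 0 ] || [ "$patch" -gt 0 ]; then
        return 1                                        # 1.0.1, 1.1.x, 2.x: fixed
    fi
    if [ -z "$rc" ]; then return 1; fi                  # 1.0.0 final release: fixed
    if [ "$rc" -lt 95 ]; then return 0; else return 1; fi  # 1.0.0-rcN: fixed from rc95
}

# Check the runc binary on this host, if there is one
if command -v runc >/dev/null 2>&1; then
    line=$(runc --version 2>/dev/null | head -n 1)
    if runc_is_vulnerable "$line"; then
        echo "VULNERABLE (runc before 1.0.0-rc95): $line"
    else
        echo "not affected by version: $line"
    fi
fi
```

This is a version check only. Some distributions backport security fixes without changing the upstream version string, so a "vulnerable" result on a distro-packaged runc should be confirmed against that distribution's advisory before raising an incident. Whether a given host is actually exposed also depends on the mount-configuration conditions noted under Affected Systems, which the script does not inspect.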

📡 Detection & Monitoring

Log Indicators:

  • Unusual container creation with custom mount configurations
  • Multiple container creation attempts in short timeframes
  • Processes running outside container boundaries

Network Indicators:

  • Unexpected network connections from container hosts
  • Container-to-host communication patterns

SIEM Query:

container.runtime=runc AND container.mount.type=custom AND event.count>5 WITHIN 5m
