CVE-2021-33632
📋 TL;DR
This CVE describes a Time-of-Check Time-of-Use (TOCTOU) race condition in iSulad, the openEuler container runtime. A local attacker who can change a checked resource (for example a file or path) in the window between iSulad's permission check and its use of that resource can get the runtime to act on something other than what it validated, potentially leading to privilege escalation or unauthorized access. Affected users are those running vulnerable iSulad packages on openEuler Linux systems.
💻 Affected Systems
- openEuler iSulad
⚠️ Manual Verification Required
The NVD entry for this CVE carries no version ranges, so automatic matching on NVD data alone cannot determine whether your system is affected.
Why? No affected-version ranges are attached to the CVE record itself; the release numbers below come from the openEuler security bulletin, not from NVD.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Privilege escalation to root, container escape, or unauthorized access to host system resources
Likely Case
Local privilege escalation within container environment, potentially leading to container compromise
If Mitigated
Limited impact with proper container isolation and security controls in place
🎯 Exploit Status
TOCTOU vulnerabilities require local access and winning a narrow timing window between the check and the use, so exploitation is harder than a plain logic bug; an attacker who can retry the race repeatedly is, however, usually able to win it eventually.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 2.1.4-2
Vendor Advisory: https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1287
Restart Required: Yes
Instructions:
1. Update iSulad using the openEuler package manager (dnf).
2. Verify that the installed version-release is later than 2.1.4-2.
3. Restart the iSulad service and the affected containers.
🔧 Temporary Workarounds
Restrict container privileges
Run containers with minimal privileges: drop capabilities and block privilege gain via setuid binaries. The Docker form is shown below; iSulad's isula CLI is Docker-compatible and accepts the same --cap-drop and --security-opt flags.
docker run --cap-drop=ALL --security-opt=no-new-privileges image_name
Implement container isolation
Use namespaces and cgroups to isolate containers from the host and from each other, and avoid bind-mounting host paths that a container user could replace while the runtime is checking them.
🧯 If You Can't Patch
- Implement strict access controls and limit who can run containers
- Monitor container runtime for suspicious activity and implement runtime security tools
🔍 How to Verify
Check if Vulnerable:
Check the installed iSulad version-release: rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' iSulad
Check Version (matches the releases this page lists as affected; dots are escaped and the release is anchored so that 2.1.4-10 is not mistaken for 2.1.4-1):
rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' iSulad | grep -E '^(2\.0\.18-13|2\.1\.4-[12])(\.|$)'
Verify Fix Applied:
Confirm that the installed version-release sorts after 2.1.4-2 and that the package changelog references CVE-2021-33632.
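The version check above and step 2 of the fix instructions both reduce to comparing the installed VERSION-RELEASE against the releases this page names. The following is an added example, not code from openEuler or the iSulad project: it classifies a version-release string as affected (one of the releases this page lists), fixed (sorts after 2.1.4-2, the page's stated fix threshold) or unknown (anything else, for which the page gives no verdict). The ".oeXXXX" distribution-suffix format and the "unknown" bucket are assumptions.

```shell
#!/bin/sh
# Added example (not from openEuler or the iSulad project): classify an
# installed iSulad VERSION-RELEASE string against the releases this page
# names. Affected releases (2.0.18-13, 2.1.4-1, 2.1.4-2) and the
# "fixed after 2.1.4-2" rule come from this page; the ".oe2203sp1"-style
# distribution suffix and the "unknown" bucket are assumptions.

# Drop anything after the numeric release (2.1.4-2.oe2203sp1 -> 2.1.4-2).
strip_dist() {
  printf '%s\n' "$1" | sed -E 's/^([0-9][0-9.]*-[0-9]+).*/\1/'
}

# True when $1 sorts strictly after $2 under GNU version ordering (sort -V),
# so 2.1.4-10 is correctly treated as later than 2.1.4-2.
version_gt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# Prints one of: affected, fixed, unknown.
#   affected - exactly one of the releases this page lists as vulnerable
#   fixed    - release sorts after 2.1.4-2, the page's stated fix threshold
#   unknown  - neither (e.g. 2.0.18-14): the page gives no verdict, so
#              fall back to the vendor advisory and the package changelog
isulad_status() {
  vr=$(strip_dist "$1")
  case "$vr" in
    2.0.18-13|2.1.4-1|2.1.4-2) echo affected; return 0 ;;
  esac
  if version_gt "$vr" "2.1.4-2"; then
    echo fixed
  else
    echo unknown
  fi
}

# On a live openEuler host (not executed here) the query would be:
#   isulad_status "$(rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' iSulad)"
```

Treat "unknown" as a prompt to read the openEuler bulletin for your branch rather than as a clean bill of health: the page only states the 2.1.4-2 threshold, and a 2.0.18 release other than -13 is neither confirmed affected nor confirmed fixed by it.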
📡 Detection & Monitoring
Log Indicators:
- Unusual container creation patterns
- Privilege escalation attempts in container logs
- Bursts of rapid file operations (rename, symlink creation, unlink) on paths the runtime is about to check and then use, the typical footprint of an attacker racing the check-to-use window
Network Indicators:
- Not applicable - local vulnerability
SIEM Query:
source="iSulad" AND (event="privilege_escalation" OR event="container_escape")
(Template only: the event values are placeholders, not native iSulad event names; map them to the fields your runtime-security tool or log pipeline actually emits.)
🔗 References
- https://gitee.com/src-openeuler/iSulad/pulls/639
- https://gitee.com/src-openeuler/iSulad/pulls/640
- https://gitee.com/src-openeuler/iSulad/pulls/645
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1287
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1289
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1290
- https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-1307