CVE-2024-21626
📋 TL;DR
CVE-2024-21626 is a file descriptor leak vulnerability in runc that allows container escape to the host filesystem. Attackers can gain access to host files, overwrite host binaries, and achieve full container escape. This affects all systems using runc 1.1.11 or earlier for container management.
💻 Affected Systems
- runc
- Docker
- containerd
- Kubernetes (via container runtimes)
- Podman
- CRI-O
📦 What is this software?
- runc, by the Linux Foundation (Open Container Initiative)
- Fedora, by the Fedora Project
⚠️ Risk & Real-World Impact
Worst Case
Complete container escape leading to full host compromise, privilege escalation to root, and potential lateral movement across the cluster.
Likely Case
Container escape allowing access to host filesystem, sensitive data exfiltration, and potential persistence mechanisms.
If Mitigated
Limited impact if proper container isolation, least privilege, and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires the ability to start a container or run a command inside one; several attack variants exist covering both the runc run and runc exec code paths.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: runc 1.1.12
Vendor Advisory: https://github.com/opencontainers/runc/releases/tag/v1.1.12
Restart Required: Yes
Instructions:
1. Update runc to version 1.1.12 or later.
2. Update container runtimes (Docker, containerd, etc.) to versions that include the patched runc.
3. Restart container runtime services.
4. Recreate containers to ensure they use the updated runc.
🔧 Temporary Workarounds
Restrict container capabilities
Linux: remove CAP_SYS_ADMIN and other dangerous capabilities from containers
docker run --cap-drop=ALL --cap-add=...
Kubernetes pod spec:
securityContext:
  capabilities:
    drop: ["ALL"]
Use a read-only root filesystem
Linux: prevent container processes from writing to the host filesystem
docker run --read-only
Kubernetes pod spec:
securityContext:
  readOnlyRootFilesystem: true
🧯 If You Can't Patch
- Implement strict container isolation policies and network segmentation
- Monitor for suspicious container behavior and file access patterns
🔍 How to Verify
Check if Vulnerable:
Check the runc version: runc --version | grep version. If the version is 1.1.11 or earlier, the system is vulnerable.
Check Version:
runc --version
Verify Fix Applied:
Verify that the runc version is 1.1.12 or later: runc --version
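A script that automates the version check above, added here as an example and not part of the advisory. It assumes runc --version prints a line of the form "runc version X.Y.Z" and that the fix is present from 1.1.12 onward; the sample output it carries is constructed, not a real capture.

```shell
#!/bin/sh
# Added example (not from the advisory): decide from `runc --version` output
# whether the installed runc predates the 1.1.12 fix for CVE-2024-21626.
# Assumes the first line reads "runc version X.Y.Z"; distro suffixes such as
# "1.1.12+ds1" or "-0ubuntu1" are tolerated, pre-release tags are ignored.

FIXED_VERSION="1.1.12"

# Constructed sample output (not a real capture) in the shape runc prints.
SAMPLE_OLD='runc version 1.1.11
commit: v1.1.11-0-g0000000
spec: 1.0.2-dev'

# runc_version_from_output OUTPUT: print the bare X.Y.Z found in OUTPUT.
runc_version_from_output() {
    printf '%s\n' "$1" \
        | sed -n 's/^runc version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# version_lt A B: succeed when dotted version A sorts strictly before B.
# Fields are compared as integers, so 1.1.9 < 1.1.12 (a string compare lies).
version_lt() {
    a_rest="$1" b_rest="$2"
    for i in 1 2 3; do
        a="${a_rest%%.*}"; a_rest="${a_rest#*.}"
        b="${b_rest%%.*}"; b_rest="${b_rest#*.}"
        [ "$a" -lt "$b" ] && return 0
        [ "$a" -gt "$b" ] && return 1
    done
    return 1   # all three fields equal
}

# runc_is_vulnerable OUTPUT: succeed when OUTPUT shows runc < 1.1.12 or cannot
# be parsed at all (unknown is treated as vulnerable so the check fails closed).
runc_is_vulnerable() {
    v="$(runc_version_from_output "$1")"
    [ -z "$v" ] && return 0
    version_lt "$v" "$FIXED_VERSION"
}

# Live check on this host; skipped when runc is not on PATH.
if command -v runc >/dev/null 2>&1; then
    out="$(runc --version 2>/dev/null)"
    if runc_is_vulnerable "$out"; then
        echo "VULNERABLE: runc '$(runc_version_from_output "$out")' is older than $FIXED_VERSION"
    else
        echo "OK: runc $(runc_version_from_output "$out") includes the CVE-2024-21626 fix"
    fi
fi
```

Run it on every node, not just one: each host carries its own runc binary, and the runtime bundled with Docker or containerd may differ from a separately installed package.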
📡 Detection & Monitoring
Log Indicators:
- Unusual container process spawning with host filesystem access
- Container processes accessing /proc/self/cwd or /proc/self/fd entries pointing to host paths
- Suspicious file operations from container to host paths
Network Indicators:
- Containers making unexpected outbound connections after file access
- Lateral movement attempts from container hosts
SIEM Query:
container.runtime:runc AND container.id:* AND ((process.name:runc AND process.args:exec) OR file.path:/proc/self/cwd OR file.path:/proc/self/fd/*)
🔗 References
- http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
- http://www.openwall.com/lists/oss-security/2024/02/01/1
- http://www.openwall.com/lists/oss-security/2024/02/02/3
- https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
- https://github.com/opencontainers/runc/releases/tag/v1.1.12
- https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
- https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/
- https://www.vicarius.io/vsociety/posts/leaky-vessels-part-1-cve-2024-21626