Docker and Other Container Engines Vulnerabilities – A Quick Look

Containerization has revolutionized the way applications are developed, deployed, and managed. However, like any technology, it is not immune to security vulnerabilities. Recently, several vulnerabilities have been discovered in Docker and other container engines that could potentially enable unauthorized access to the host operating system.

Docker

Docker, one of the most popular container platforms, has been found to have a set of vulnerabilities collectively named “Leaky Vessels”. These vulnerabilities potentially break the isolation layer between the container and the host operating system.

One of these vulnerabilities is in runc, a command-line tool for spawning and running containers on Linux that underpins multiple container engines, not just Docker. This vulnerability, tracked as CVE-2024-21626, stems from a file descriptor being inadvertently leaked internally within runc, including a handle to the host’s /sys/fs/cgroup. It can be exploited in multiple ways: one found by the researchers who reported the flaw and three others found by the runc maintainers.

Other Container Engines

The vulnerabilities are not limited to Docker. Other container engines such as Podman, containerd, and CRI-O, which use runc as their underlying runtime, are also affected. These vulnerabilities could allow an attacker to gain unauthorized access to the underlying host operating system from within the container.

The Impact of the Vulnerability on Docker and Other Container Engines

Exploiting these vulnerabilities could permit access to sensitive data (credentials, customer information, etc.) and the launching of further attacks, especially when the access gained includes superuser privileges. This could lead to serious security breaches, compromising the integrity of the host system and the data it holds.

The exploit specifically targets the runc run command, which is used to create and start a new container from an image. Another attack variation involves runc exec, which is used to start a process inside an existing container. A third attack involves using either the runc run or the runc exec technique to overwrite binaries from the host operating system.

While attack 3a is the most severe from a CVSS perspective, attacks 2 and 3b are arguably more dangerous in practice as they allow for a breakout from inside a container as opposed to requiring a user to execute a malicious image.

Moreover, the exploit can be executed remotely in higher-level runtimes like Docker or Kubernetes by anyone with the rights to start a container image. This increases the potential attack surface and poses a significant threat to systems running these services.

The runc maintainers warn that they believe other runtimes are potentially vulnerable to similar attacks or don’t have sufficient protection against them. This suggests that the impact of the vulnerability could be widespread, affecting a large number of systems and applications.

Mitigation Measures

In response to these vulnerabilities, Docker has released patched versions of runc, BuildKit, and Moby. Users are strongly urged to update to the latest versions as soon as possible. If updating is not immediately possible, users are advised to follow best practices to mitigate risk, such as only using trusted Docker images and not building Docker images from untrusted sources or untrusted Dockerfiles.
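The two mitigation steps above (run a patched runc; only run images from trusted sources) are both easy to audit with a small script. The following Python is an added example written for this article, not code from Docker, runc or Moby: it parses the output of `runc --version` and compares it with a minimum fixed version, and it flags image references whose registry is not on an allowlist. The minimum fixed version is a parameter the caller supplies from the vendor advisory (the `9.9.9` in the `__main__` block is a placeholder, not a real release number), and the runc output and image list used there are constructed sample data so the script runs offline.

```python
"""Defender-side checks for the runc advisory described above (added example).

  1. runc_is_patched(): parse `runc --version` output and compare it with the
     minimum patched version published in the vendor advisory (supplied by the
     caller; the value used under __main__ is a PLACEHOLDER).
  2. untrusted_images(): flag container image references that are not pulled
     from an allowlisted registry, i.e. not "trusted images".
The sample runc output and image list under __main__ are constructed.
"""
import re
import subprocess
from typing import Iterable, List, Optional, Tuple

Version = Tuple[int, ...]

# Stock runc prints "runc version X.Y.Z" as the first line of `runc --version`.
_RUNC_VERSION_RE = re.compile(r"^runc version (\d+(?:\.\d+)*)", re.MULTILINE)


def parse_version(text: str) -> Version:
    """Turn '1.1.4' into (1, 1, 4) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in text.strip().split("."))


def runc_version_from_output(output: str) -> Optional[Version]:
    """Extract the runc version from `runc --version` output; None if absent."""
    match = _RUNC_VERSION_RE.search(output)
    return parse_version(match.group(1)) if match else None


def runc_is_patched(output: str, minimum_fixed: str) -> bool:
    """True when the reported runc version is >= the fixed version.

    Unparseable output is treated as NOT patched: an unknown runtime must not
    silently pass an audit for a container-breakout bug.
    """
    found = runc_version_from_output(output)
    if found is None:
        return False
    fixed = parse_version(minimum_fixed)
    # Pad to equal length so (1, 1) and (1, 1, 0) compare as equal.
    width = max(len(found), len(fixed))
    return found + (0,) * (width - len(found)) >= fixed + (0,) * (width - len(fixed))


def image_registry(reference: str) -> str:
    """Return the registry host of an image reference.

    Docker's rule: the first path component is a registry only if it contains
    '.' or ':' or is 'localhost'; otherwise the image comes from Docker Hub.
    """
    first = reference.split("/", 1)[0]
    if "/" in reference and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def untrusted_images(references: Iterable[str], allowed_registries: Iterable[str]) -> List[str]:
    """Return the references whose registry is not on the allowlist."""
    allowed = set(allowed_registries)
    return [ref for ref in references if image_registry(ref) not in allowed]


def local_runc_output() -> str:
    """Run the real `runc --version` if runc is installed; empty string otherwise."""
    try:
        return subprocess.run(["runc", "--version"], capture_output=True,
                              text=True, check=False).stdout
    except FileNotFoundError:
        return ""


if __name__ == "__main__":
    # Constructed sample output; on a real host use local_runc_output() instead.
    sample_output = "runc version 1.1.4\ncommit: v1.1.4-0-g5fd4c4d\nspec: 1.0.2-dev\n"
    FIXED_VERSION_PLACEHOLDER = "9.9.9"  # take the real value from the vendor advisory
    print("runc patched:", runc_is_patched(sample_output, FIXED_VERSION_PLACEHOLDER))

    # Constructed image list; registry.example.internal is an assumed private registry.
    sample_images = ["nginx:1.25", "registry.example.internal/app/api:2.3",
                     "ghcr.io/someorg/tool:latest"]
    print("images from non-allowlisted registries:",
          untrusted_images(sample_images, {"registry.example.internal"}))
```

Treating an unparseable version as unpatched is deliberate: a version check that fails open would let a host with a renamed or vendored runtime pass an audit for a breakout bug. The registry check only tells you where an image came from, not whether its contents are safe, so it complements, rather than replaces, the advice not to build from untrusted Dockerfiles.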

Conclusion

These vulnerabilities underscore the importance of maintaining up-to-date systems and following best security practices. As container technology continues to evolve, so too will the security challenges it faces. Staying informed about the latest vulnerabilities and understanding how to mitigate them is crucial for maintaining secure and reliable systems.
