Don't let your containers escape! Update runc & Docker Now!

Don't let your containers escape! Update runc & Docker Now!

TL;DR: Update runc and associated software (such as Docker) to the latest version to address several container breakout vulnerabilities.

The security research team at Snyk recently disclosed vulnerabilities in runc <= 1.11.11, which can result in container escapes. Container escaping allows for access to the host operating system, reducing the security boundary of the container runtime. These vulnerabilities could be exploited through the execution of a malicious image or by building an image with a malicious dockerfile. We expect to see exploitation attempts across CI/CD systems as well as Docker Desktop by targeting commonly used, open-source container images. 

These vulnerabilities can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a suspect image (particularly relevant for the CVE-2024-21626 container escape vulnerability). Potential impacts include unauthorized access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape. 

To mitigate the issues, be sure to update all instances of runc and software which relies on it. For many of our customers, it’ll be important to ensure that Docker is updated to version 25.0.2 or later.

Detection of exploitation attempts may be challenging due to the lack of instrumentation often available in container runtime environments. Snyk released a runtime detection tool, leaky-vessels-dynamic-detector, to help detect potential exploitation of CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653. Although we haven’t validated these detectors yet, they look promising.

When threat modeling containers and container orchestration systems, it’s essential to discuss the risk of container escapes. Container escape vulnerabilities, while uncommon, can pose a significant risk to the security architecture of the infrastructure. 

If you need help assessing the risk of these vulnerabilities or your container ecosystem at large, please feel free to reach out to us at Cloud Security Partners.

John Poulin is CTO of Cloud Security Partners. John is an experienced Application Security Practitioner with over 10 years of experience in software development and security. Over his tenure, John has worked with many Fortune 500 companies and startups alike to perform secure code reviews, architecture, and design discussions, as well as threat modeling.