A set of four vulnerabilities in container engine components, known as 'Leaky Vessels,' has been revealed by researchers. Three of these vulnerabilities can enable attackers to break free from containers and perform harmful actions on the host system.
The most critical of these vulnerabilities is CVE-2024-21626, which affects runC, a lightweight container runtime utilized by Docker and other container environments. With a severity score of 8.6 out of 10 on the CVSS scale, it is considered the most urgent. Rory McNamara, a security researcher at Snyk, which discovered and reported these flaws, states that this vulnerability allows for container escape during both the build and run-time of the container.
In extreme cases, an attacker who gains unauthorized access to the host operating system can potentially access anything else on the same host. This could include key credentials that enable the attacker to initiate further attacks. McNamara warns, 'Since this vulnerability affects anybody using containers to build applications — essentially every cloud-native developer worldwide — unchecked access could potentially compromise entire Docker or Kubernetes host systems.'
The remaining three vulnerabilities impact BuildKit, Docker's default container image building toolkit. These include CVE-2024-23651, which involves a race condition related to cache layer mounting during runtime; CVE-2024-23653, which affects a security model in BuildKit's remote procedure call protocol; and CVE-2024-23652, a file deletion flaw in BuildKit.
In a blog post dated January 31, the security vendor urged organizations to 'check for updates from any vendors providing their container runtime environments, including Docker, Kubernetes vendors, cloud container services, and open source communities.' Snyk emphasized the widespread use of the affected container image components and build tools as a reason for organizations to upgrade to fixed versions as soon as they become available.
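Acting on that advice means knowing which runC, Docker and BuildKit versions are actually installed on each host. The script below is an added example, not code from the article or from Snyk: it reads each tool's version banner (the `runc --version`, `docker --version` and `buildctl --version` commands are real; the sample banners and the component list are assumptions) and compares them with the minimum fixed versions you supply from the vendor advisories, since the article itself does not list them.

```python
import re
import shutil
import subprocess
import sys

# Component -> command that prints its version banner (real CLI flags).
VERSION_COMMANDS = {
    "runc": ["runc", "--version"],
    "docker": ["docker", "--version"],
    "buildkit": ["buildctl", "--version"],
}
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")

def parse_version(banner):
    """First X.Y.Z in a version banner as an int tuple, or None if absent."""
    m = VERSION_RE.search(banner or "")
    return tuple(int(x) for x in m.groups()) if m else None

def audit(banners, minimums):
    """banners: {name: banner text or None}; minimums: {name: "X.Y.Z"} from the advisory."""
    status = {}
    for name, floor in minimums.items():
        banner = banners.get(name)
        installed = parse_version(banner)
        if banner is None:
            status[name] = "not-installed"
        elif installed is None:
            status[name] = "unparsed"
        else:
            status[name] = "patched" if installed >= parse_version(floor) else "VULNERABLE"
    return status

def collect_live():
    """Run the real version commands on this host; None marks a missing tool."""
    out = {}
    for name, cmd in VERSION_COMMANDS.items():
        present = shutil.which(cmd[0]) is not None
        out[name] = subprocess.run(cmd, capture_output=True, text=True).stdout if present else None
    return out

if __name__ == "__main__":
    # Usage: audit.py runc=X.Y.Z docker=X.Y.Z buildkit=X.Y.Z
    # (the article does not list the fixed versions; take them from the vendor advisory)
    floors = dict(arg.split("=", 1) for arg in sys.argv[1:])
    if not floors:
        sys.exit("usage: runc=X.Y.Z docker=X.Y.Z buildkit=X.Y.Z")
    for comp, state in audit(collect_live(), floors).items():
        print(f"{comp:9s} {state}")
```

`docker --version` reports only the client; on a host with a running daemon, `docker version` also lists the Engine's bundled containerd and runc versions, which is what matters for CVE-2024-21626.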
Two of the Docker BuildKit vulnerabilities (CVE-2024-23651 and CVE-2024-23653) are build-time only escapes. 'The final Docker vulnerability (CVE-2024-23652) is an arbitrary host file delete, meaning that it's not a classic container escape,' McNamara explains.
Container vulnerabilities pose an increasing challenge for enterprise organizations. According to a study conducted by Sysdig last year, 87% of container images in production contain at least one high or critical severity vulnerability. This high percentage of vulnerabilities is attributed to organizations' rush to deploy cloud applications without giving due consideration to security issues.
A 2023 study by Rezilion revealed hundreds of Docker container images containing vulnerabilities that standard vulnerability detection and software composition analysis tools failed to detect. This trend has led to a shift in perceptions about container security. A survey by DZone found that only 51% of respondents viewed containerization as making their applications more secure, compared to 69% in 2021. Around 44% stated that containerization had made their application environment less secure, a significant increase from just 7% in 2021.
McNamara explains that the four vulnerabilities discovered by Snyk are relatively easy to exploit and typically require a Dockerfile of fewer than 30 lines. However, he adds, 'There is still a requirement for sufficient access to the environment that it is functionally local.' To exploit these vulnerabilities, an attacker would need to run an arbitrary container on the target, build an arbitrary container on the target, or compromise an upstream container or cause a victim system to use a controlled upstream container.