A new set of vulnerabilities, collectively known as the Leaky Vessels vulnerabilities, has emerged, posing significant risks to containerized environments. This blog delves into the details of these vulnerabilities, their impact, and the steps required to mitigate the risks they pose.
Here’s everything you need to know:
What are the Leaky Vessels vulnerabilities?
The Leaky Vessels vulnerabilities refer to a series of security flaws in container runtime and build tooling, specifically runc, a popular open-source container runtime used by Docker, Kubernetes, and other containerization platforms, and BuildKit. At their most severe, these vulnerabilities allow container escapes, enabling an attacker who has gained access to a container to execute arbitrary code on the host machine, thereby compromising the entire system.
CVE-2024-21626 (runC Vulnerability)
This vulnerability affects runC, a lightweight container runtime used in Docker and other container environments. An attacker who uses it to break out of a container onto the underlying host operating system could compromise the entire host, including the sensitive credentials stored there.
CVE-2024-23651 (BuildKit Vulnerability)
This vulnerability involves a race condition in the handling of cache layers while an image is being built. It does not allow run-time escapes, but it still needs to be addressed in the build process to ensure container security.
CVE-2024-23653 (BuildKit Vulnerability)
This vulnerability relates to the security model of BuildKit’s remote procedure call (RPC) API. Although it is limited to build time, addressing it is crucial to overall container security.
CVE-2024-23652
Unlike classic container escapes, this vulnerability allows attackers to delete host files. While it doesn’t directly compromise containers, it can have serious consequences for the host system’s integrity.
Do they affect me?
To assess whether these vulnerabilities affect your environment, it’s important to consider the following factors:
- By design, these vulnerabilities require an attacker to already have access to a container; they are not reachable from outside. The attack surface is therefore limited to those who can run code inside a container.
- Organizations utilizing containerization technologies like Docker and Kubernetes should be vigilant. It’s crucial to assess your deployment and determine if you are using the affected container components.
Have the Leaky Vessels vulnerabilities been actively exploited in the wild?
While the Leaky Vessels vulnerabilities are serious, there is currently no widespread evidence of active exploitation in the wild. However, it’s essential to act swiftly to address them proactively to mitigate potential risks.
Fixing the Leaky Vessels vulnerabilities
Isolation:
As these vulnerabilities require an attacker to be on the container itself, ensure that containers are isolated from unauthorized access.
Update to runC 1.1.12:
Most vendors have released updates to runC to address CVE-2024-21626. Upgrading to runC version 1.1.12 is a critical step in mitigating this vulnerability.
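To turn the two steps above (check whether you are running an affected runc, then confirm the upgrade to 1.1.12 landed) into something you can run on each host, here is an added example; it is not code from the original post or from the runc project. It assumes `runc` is on PATH and that its first line of output is `runc version X.Y.Z`; the test inputs are constructed samples.

```sh
#!/bin/sh
# Added example (not from the original post): report whether a host's runc
# is at or above 1.1.12, the release named above as fixing CVE-2024-21626.
# Assumes `runc` is on PATH and prints "runc version X.Y.Z" as its first line.

# Pull "X.Y.Z" out of the first line of `runc --version` output.
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n '1s/^runc version \([0-9][0-9.]*\).*/\1/p'
}

# Compare two dotted versions numerically; prints -1, 0 or 1.
# Runs in a subshell so the IFS change stays local to the comparison.
vercmp() (
    a="$1"; b="$2"; IFS=.
    set -- $a 0 0; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b 0 0; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    for pair in "$a1:$b1" "$a2:$b2" "$a3:$b3"; do
        x=${pair%%:*}; y=${pair#*:}
        if [ "$x" -lt "$y" ]; then printf '%s\n' -1; exit 0; fi
        if [ "$x" -gt "$y" ]; then printf '%s\n' 1; exit 0; fi
    done
    printf '%s\n' 0
)

# Exit 0 when the given `runc --version` output is >= 1.1.12, 2 if unparseable.
runc_fixed_for_cve_2024_21626() {
    v=$(runc_version_from_output "$1")
    [ -n "$v" ] || return 2
    [ "$(vercmp "$v" 1.1.12)" -ge 0 ]
}

# Check the real binary on this host; exit 1 means an upgrade is needed.
check_host_runc() {
    command -v runc >/dev/null 2>&1 || { echo "runc not found on PATH"; return 2; }
    out=$(runc --version 2>/dev/null)
    v=$(runc_version_from_output "$out")
    if runc_fixed_for_cve_2024_21626 "$out"; then
        echo "runc $v: at or above 1.1.12, CVE-2024-21626 fixed"
    elif [ -z "$v" ]; then
        echo "could not parse runc --version output"; return 2
    else
        echo "runc $v: below 1.1.12, upgrade needed"; return 1
    fi
}

# Only touch the host when invoked as: sh runc_check.sh --check
if [ "${1:-}" = "--check" ]; then check_host_runc; fi
```

Pre-release tags such as `1.1.12-rc.1` are counted as 1.1.12, and this only covers the runc CVE; the BuildKit issues need a separate check of the BuildKit version your builders use.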
Run Deployment Pipeline:
To update Docker daemons and Kubernetes deployments, run your deployment pipeline. This ensures that your containerized applications are using the latest secure versions.
In most AWS services, running the deployment pipeline is the only action needed to address these vulnerabilities. Refer to AWS Security Bulletin AWS-2024-001 for specific guidance.
In Google Cloud Platform (GCP), an update for these vulnerabilities is yet to be released. However, it should be available very soon. Keep an eye on GCP Security Bulletins for updates and instructions on addressing the vulnerabilities in GCP environments.
Next steps
Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: