Navigating the Waters of Container Security : Understanding CVE-2024-21626 the “Leaky Vessels” Vulnerabilities in Docker, runc, and BuildKit

container security vulnerabilities, CVE-2024-21626 exploit, BuildKit security flaw, application security best practices, vulnerability management in containers, Docker container protection, runC vulnerability mitigation, secure container deployment, patching container vulnerabilities, securing Kubernetes environments


In the world of app sec, ASPM and container security, a new series of vulnerabilities affecting core container functionalities have been discovered: CVE-2024-21626, dubbed the “Leaky Vessels,” has emerged, casting a spotlight on the critical components of containerization technology—Docker, runs, and BuildKit. Together with the main vulnerability, other variations have been recorded all above 8.7 to the last one, a perfect 10: CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652. These vulnerabilities underscore the ongoing challenge of vulnerability management within container ecosystems, serving as a crucial reminder of the importance of maintaining robust security practices in application development and deployment.

The CVE-2024-21626 “Leaky Vessels” Vulnerabilities Explained

At the heart of the “Leaky Vessels” vulnerabilities lies a significant flaw in runc, the underlying container runtime used by Docker and other container platforms, identified as CVE-2024-21626. This vulnerability allows attackers to gain unauthorized access to the host operating system from within a container, posing a severe risk to system integrity and data security. Alongside this, additional vulnerabilities in BuildKit—a toolkit for converting code into container images used in conjunction with runc—further exacerbate the threat landscape. These include CVE-2024-23651, CVE-2024-23653, and CVE-2024-23652, each presenting unique challenges in the context of container security.

Consequences and Impact CVE-2024-21626

The ramifications of these vulnerabilities are far-reaching. Attackers exploiting these flaws could potentially access sensitive data, manipulate system operations, or launch further attacks from the compromised system. The “Leaky Vessels” vulnerabilities serve as a stark reminder of the potential for significant downtime and data loss if not promptly and effectively addressed.

Chaining Vulnerabilities: A Closer Look

The interplay between the vulnerabilities in runc and BuildKit presents a complex scenario where an attacker could chain these vulnerabilities to escalate privileges and execute arbitrary code on the host system. This chain of vulnerabilities highlights the intricate dependencies within container runtime environments and the need for comprehensive security measures that span across different components of the container ecosystem.

Recently disclosed vulnerabilities, CVE-2024-21626 and others related to runC and BuildKit, highlight the ongoing challenges in securing containerized environments. Here’s a closer look at how these vulnerabilities function, offering insights into their mechanisms and implications.

Understanding CVE-2024-21626

CVE-2024-21626 exposes a critical flaw within the runC container runtime. This vulnerability arises from an internal file descriptor leak, specifically when the process.cwd is manipulated to access the host’s filesystem namespace. By running a malicious image or building one using a malicious base image, attackers can exploit this leak. The manipulation of process.cwd()—which returns the current working directory—to an unauthorized directory on the host, essentially grants the malicious container binary unfettered access to the host filesystem. This access enables a wide range of nefarious activities, from data theft to further system compromise.

The Mechanics of CVE-2024-23651 in BuildKit

CVE-2024-23651 targets BuildKit’s handling of cache volumes during the build process. This vulnerability leverages a specific condition related to the mounting of cache volumes, allowing attackers to mount a persistent directory at a controlled location. The crux of the issue lies in the manipulation of the source path, permitting an arbitrary directory from the host to be mounted into the container’s filesystem. This effectively grants default root user privileges over the host, contingent on the attacker deciphering the working directory path. Mitigation efforts in BuildKit version 0.12.5 have focused on enhancing the validation of the source directory to thwart such attacks.

Exploring CVE-2024-23652 and Its Implications

CVE-2024-23652, another vulnerability within BuildKit, emerges during the cleanup phase of temporarily added directories. The vulnerability is activated if the target directory for mounting files is altered with a symbolic link to another directory on the host. This allows attackers to specify removal operations for any file on the host, exploiting the cleanup process. The resolution in BuildKit version 0.12.5 ensures that the directory cleanup is strictly confined to the container’s filesystem, eliminating the risk of external manipulation.

CVE-2024-23653: GRPC Security Flaw in BuildKit

Lastly, CVE-2024-23653 highlights a vulnerability in BuildKit’s interaction with GRPC, a prevalent remote access framework. This issue arises during the build process when a custom parser format, substituted for the default, manipulates GRPC server interactions to launch containers with elevated privileges. The mitigation strategy involves the BuildKit daemon rejecting the creation of privileged containers if the returned arguments from the GRPC server deviate from expected parameters, a security enhancement incorporated from BuildKit v0.12.5 onwards.

Learning from the Past: Previous runc Vulnerabilities

This is not the first time runc has been in the spotlight for security vulnerabilities. Previous issues, such as the Runcscape vulnerability (CVE-2019-5736), have shed light on the potential for container escape and underscore the importance of ongoing vigilance and prompt updates to mitigate risks associated with container runtimes.

Addressing the Vulnerabilities

To safeguard against these vulnerabilities, it is imperative for organizations to prioritize security updates and patches from vendors. Docker and other tools utilizing runc and BuildKit have already released updates to address these issues. Additionally, inspecting Dockerfiles for unsafe commands and employing detection tools to identify potential exploits can further enhance security postures.

For more detailed insights and guidance on mitigating these vulnerabilities, refer to the expert analysis provided by Snyk and KSOC in their respective blogs:

Red Hat advised inspecting Dockerfiles with the Run and WORKDIR directives to ensure they have no escapes or malicious paths. For those with Linux kernels supporting eBPF, Snyk has released a detector for the vulnerability, leaky-vessels-runtime-detector.

Get in control of your Application Security posture and Vulnerability management

Exploitation and analysis of CVE-2023-50164

No evidence of exploitation so far nonetheless, the major container house like AWS, Chainguard etc… are uploading clean images

PoC not found exploited in the wild: https://github.com/NitroCao/CVE-2024-21626

Several thread on X/ twitter are following the vulnerability and showing the exploit

How can ASPM Help

In the rapidly evolving field of application security, the ability to swiftly identify vulnerabilities across diverse environments, including containers and traditional virtual machines, is paramount. Advanced Security and Protection Mechanisms (ASPM) play a crucial role in this process by leveraging sophisticated scanning technologies and libraries designed for deep inspection. These mechanisms are engineered to detect vulnerabilities by analyzing the libraries and dependencies used within applications, regardless of the underlying infrastructure. ASPM tools integrate seamlessly with CI/CD pipelines, providing real-time feedback and ensuring that any security issues are identified at the earliest stage of development. Whether the application runs in a containerized environment, orchestrated by platforms like Docker or Kubernetes, or within a traditional virtual machine setup, ASPM facilitates a proactive approach to vulnerability management. This approach not only streamlines the security workflow but also significantly reduces the window of opportunity for attackers, enhancing the overall security posture of the application and protecting sensitive data from potential breaches.

Conclusion

The discovery of the “Leaky Vessels” vulnerabilities serves as a critical reminder of the inherent risks in containerized environments and the need for proactive vulnerability management and application security practices. By staying informed about potential vulnerabilities, applying timely updates, and employing comprehensive security strategies, organizations can navigate the choppy waters of container security and safeguard their applications against emerging threats.

How Phoenix Security Can Help

attack graph, phoenix security

Phoenix Security ASPM helps organizations identify and trace which systems have vulnerabilities, understanding the relation between code and cloud. One of the significant challenges in securing applications is knowing where and how frameworks like Struts are used. ASPM tools can scan the application portfolio to identify instances of Struts, mapping out where it is deployed across the organization. This information is crucial for targeted security measures and efficient patch management. Phoenix Security’s robust Application Security Posture Management (ASPM) system is adept at not just managing, but preempting the exploitation of vulnerabilities through its automated identification system. This system prioritises critical vulnerabilities, ensuring that teams can address the most pressing threats first, optimising resource allocation and remediation efforts.

Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164

The Role of Application Security Posture Management (ASPM):

ASPM is vital in managing and securing applications like those built with Apache Struts. It involves continuous assessment, monitoring, and improvement of the security posture of applications. ASPM tools can:

  1. Identify and Track Struts Components: Locate where Struts is implemented within the application infrastructure.
  2. Vulnerability Management: Detect known vulnerabilities in Struts and prioritize them for remediation.
  3. Configuration Monitoring: Ensure Struts configurations adhere to best security practices.
  4. Compliance: Check if the usage of Struts aligns with relevant cybersecurity regulations and standards.
Phoenix Security, Struts, Apache, Remote Code Execution, Cybersecurity, ASPM CVE-2017-5638, CVE-2023-50164, phoenix security

By leveraging Phoenix Security, you not only unravel the potential threats but also take a significant stride in vulnerability management, ensuring your application security remains up to date and focuses on the key vulnerabilities.

Get in control of your Application Security posture and Vulnerability management

References

Previous Issues of Vulnerability Weekly


Other Useful resources

Data Visualization of vulnerabilities in the wild


Francesco is an internationally renowned public speaker, with multiple interviews in high-profile publications (eg. Forbes), and an author of numerous books and articles, who utilises his platform to evangelize the importance of Cloud security and cutting-edge technologies on a global scale.

Discuss this blog with our community on Slack

Join our AppSec Phoenix community on Slack to discuss this blog and other news with our professional security team

From our Blog

Phoenix Security’s Application Security Posture Management (ASPM) introduces Reachability Analysis and Contextual Deduplication to revolutionize vulnerability management. These features help security teams prioritize risks by correlating vulnerabilities from code to runtime, focusing on what’s exploitable. With contextual deduplication, Phoenix reduces vulnerability noise by up to 95%, ensuring only real threats are addressed. Stay ahead with 4D Risk Quantification, combining business criticality, network, and runtime reachability for smarter, more effective security.- Associate assets with multiple Applications and Environments – Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Alfonso Eusebio
Enhance your vulnerability management with Application Security Posture Management (ASPM) and reachability analysis. Discover how ASPM helps prioritize exploitable vulnerabilities, reduce security noise, and improve risk management. Learn about advanced techniques like code and container reachability, contextual deduplication, and Phoenix Security’s cutting-edge solutions for smarter, more effective application security.
Francesco Cipollone
Our latest article explores how EPSS (Exploit Prediction Scoring System) and reachability analysis work together within Application Security Posture Management (ASPM) to optimize vulnerability prioritization. EPSS predicts exploit likelihood based on global threat data, while reachability analysis assesses if vulnerabilities are accessible in your specific environment. ASPM platforms like Phoenix Security integrate these insights, contextualizing vulnerabilities within the software stack to ensure that teams focus on actionable, relevant risks. By combining EPSS’s predictive power with reachability’s contextual focus, ASPM provides a holistic view, enabling security teams to prioritize vulnerabilities based on global trends, local relevance, and business impact. This approach is especially effective for high-risk vulnerabilities like Remote Code Execution (RCE), where EPSS highlights potential threats and reachability analysis confirms their presence in the application path. Phoenix Security’s 4D risk formula further refines prioritization, considering severity, reachability, threat intelligence, and deployment context. This dual-layered strategy empowers organizations to strengthen security posture, minimize noise, and act on the vulnerabilities that truly matter.- Mapping of vulnerabilities to Installed Software – Find Assets/Vulns by Scanner – Detailed findings Location information Risk-based Posture Management – Risk and Risk Magnitude for Assets – Filter assets and vulnerabilities by source scanner Integrations – BurpSuite XML Import – Assessment Import API Other Improvements – Improved multi-selection in filters – New CVSS Score column in Vulnerabilities
Francesco Cipollone
Phoenix Security ASPM Version 3.30.0 Release – Phoenix Security has partnered with Arnica to deliver expanded cloud and application security capabilities, enhancing the platform with Software Composition Analysis (SCA), credential scanning, secrets detection, and Static Application Security Testing (SAST). This powerful integration further strengthens Phoenix Security’s ASPM offering, enabling seamless risk-based prioritization and real-time vulnerability management across GCP, AWS, and Azure environments.
Alfonso Eusebio
Derek

Derek Fisher

Head of product security at a global fintech

Derek Fisher – Head of product security at a global fintech. Speaker, instructor, and author in application security.

Derek is an award winning author of a children’s book series in cybersecurity as well as the author of “The Application Security Handbook.” He is a university instructor at Temple University where he teaches software development security to undergraduate and graduate students. He is a speaker on topics in the cybersecurity space and has led teams, large and small, at organizations in the healthcare and financial industries. He has built and matured information security teams as well as implemented organizational information security strategies to reduce the organizations risk.

Derek got his start in the hardware engineering space where he learned about designing circuits and building assemblies for commercial and military applications. He later pursued a computer science degree in order to advance a career in software development. This is where Derek was introduced to cybersecurity and soon caught the bug. He found a mentor to help him grow in cybersecurity and then pursued a graduate degree in the subject.

Since then Derek has worked in the product security space as an architect and leader. He has led teams to deliver more secure software in organizations from multiple industries. His focus has been to raise the security awareness of the engineering organization while maintaining a practice of secure code development, delivery, and operations.

In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

Jeevan Singh

Jeevan Singh

Founder of Manicode Security

Jeevan Singh is the Director of Security Engineering at Rippling, with a background spanning various Engineering and Security leadership roles over the course of his career. He’s dedicated to the integration of security practices into software development, working to create a security-aware culture within organizations and imparting security best practices to the team.
In his role, Jeevan handles a range of tasks, from architecting security solutions to collaborating with Engineering Leadership to address security vulnerabilities at scale and embed security into the fabric of the organization.

James

James Berthoty

Founder of Latio Tech

James Berthoty has over ten years of experience across product and security domains. He founded Latio Tech to help companies find the right security tools for their needs without vendor bias.

christophe

Christophe Parisel

Senior Cloud Security Architect

Senior Cloud Security Architect

Chris

Chris Romeo

Co-Founder
Security Journey

Chris Romeo is a leading voice and thinker in application security, threat modeling, and security champions and the CEO of Devici and General Partner at Kerr Ventures. Chris hosts the award-winning “Application Security Podcast,” “The Security Table,” and “The Threat Modeling Podcast” and is a highly rated industry speaker and trainer, featured at the RSA Conference, the AppSec Village @ DefCon, OWASP Global AppSec, ISC2 Security Congress, InfoSec World and All Day DevOps. Chris founded Security Journey, a security education company, leading to an exit in 2022. Chris was the Chief Security Advocate at Cisco, spreading security knowledge through education and champion programs. Chris has twenty-six years of security experience, holding positions across the gamut, including application security, security engineering, incident response, and various Executive roles. Chris holds the CISSP and CSSLP certifications.

jim

Jim Manico

Founder of Manicode Security

Jim Manico is the founder of Manicode Security, where he trains software developers on secure coding and security engineering. Jim is also the founder of Brakeman Security, Inc. and an investor/advisor for Signal Sciences. He is the author of Iron-Clad Java: Building Secure Web Applications (McGraw-Hill), a frequent speaker on secure software practices, and a member of the JavaOne Rockstar speaker community. Jim is also a volunteer for and former board member of the OWASP foundation.

Join our Mailing list!

Get all the latest news, exclusive deals, and feature updates.

The IKIGAI concept
x  Powerful Protection for WordPress, from Shield Security
This Site Is Protected By
ShieldPRO