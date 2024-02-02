A high-severity vulnerability, CVE-2024-21626, has been disclosed in runc, the widely used Open Container Initiative (OCI) container runtime. It is notable because it allows full container breakouts through several distinct attack paths. The root cause is an internal file descriptor leak: runc relies on O_CLOEXEC so that its own descriptors are closed when the container's process is exec'd, but the leaked descriptor can still be used before that point, so O_CLOEXEC alone does not stop the attack.

An Intricate Exploit

The leaked descriptor is a handle to a directory in the host filesystem, and it is still open when runc init calls chdir(2) to set the container process's working directory. That ordering is the crux: O_CLOEXEC only closes a descriptor at execve(2), so a working directory of the form /proc/self/fd/<N> resolves through the leaked descriptor before the exec, and the resulting process ends up with a working directory in the host filesystem, outside the container's root, even though the descriptor itself is gone by the time container code runs. The advisory also draws attention to the non-dumpable bit being unset following execve(2), which enables further attack variants beyond the simple misconfiguration case. One of these, which goes through execve(2) rather than only chdir(2), required a more invasive fix that has to work around Go runtime internals.
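As an added illustration (this is example code written for this page, not runc's own code), the Go program below reproduces the core of the bug on an ordinary Linux system, using a temporary directory as a stand-in for the host directory that the leaked descriptor pointed at. CwdViaFd opens a directory with O_CLOEXEC and then chdir(2)s to /proc/self/fd/<N>, showing that the working directory survives the descriptor being closed; ListOpenFds gives the /proc/self/fd view an attacker or an auditor would use to spot a leaked directory handle; CwdReachableFromRoot is a check of the same shape as the post-chdir verification I understand the fix added, relying on the kernel's getcwd(2) behaviour for a working directory outside the process root. The function names are my own.

```go
// Added example (not runc code): why O_CLOEXEC alone did not prevent the
// CVE-2024-21626 breakout, plus two checks an init process or an auditor can
// run. Linux only; needs no privileges.
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"syscall"
)

// ListOpenFds maps every fd >= 3 open in this process to the path that
// readlink(/proc/self/fd/N) reports for it. This is the view a process inside
// the container has of its own descriptors, and what an auditor inspects to
// spot a directory handle pointing outside the container rootfs.
func ListOpenFds() (map[int]string, error) {
	dir, err := os.Open("/proc/self/fd")
	if err != nil {
		return nil, err
	}
	defer dir.Close()
	names, err := dir.Readdirnames(-1)
	if err != nil {
		return nil, err
	}
	out := make(map[int]string)
	for _, name := range names {
		fd, err := strconv.Atoi(name)
		if err != nil || fd < 3 || fd == int(dir.Fd()) {
			continue // skip stdio and the handle used to read the listing
		}
		target, err := os.Readlink("/proc/self/fd/" + name)
		if err != nil {
			continue // fd was closed between readdir and readlink
		}
		out[fd] = target
	}
	return out, nil
}

// CwdViaFd opens dir with O_CLOEXEC, chdir(2)s to /proc/self/fd/N, closes the
// fd (as execve would do for an O_CLOEXEC fd) and returns the working
// directory. The chdir succeeds and the cwd survives the close: O_CLOEXEC
// only acts at execve(2), so any use of the fd before exec goes through.
func CwdViaFd(dir string) (string, error) {
	fd, err := syscall.Open(dir, syscall.O_RDONLY|syscall.O_DIRECTORY|syscall.O_CLOEXEC, 0)
	if err != nil {
		return "", err
	}
	if err := syscall.Chdir("/proc/self/fd/" + strconv.Itoa(fd)); err != nil {
		syscall.Close(fd)
		return "", err
	}
	syscall.Close(fd) // closing the descriptor does not undo the chdir
	return syscall.Getwd()
}

// CwdReachableFromRoot reports whether the working directory lies inside the
// process's root (the container rootfs after pivot_root). Linux getcwd(2)
// prefixes an unreachable cwd with "(unreachable)", and Go's syscall.Getwd
// turns that non-absolute result into ENOENT; either signal means the
// process has a cwd outside its root and must not continue.
func CwdReachableFromRoot() (bool, error) {
	wd, err := syscall.Getwd()
	if errors.Is(err, syscall.ENOENT) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return filepath.IsAbs(wd), nil
}

func main() {
	dir := os.TempDir() // stand-in for the host directory the leaked fd referenced
	wd, err := CwdViaFd(dir)
	if err != nil {
		fmt.Println("chdir through /proc/self/fd failed:", err)
		os.Exit(1)
	}
	fmt.Printf("cwd after chdir through a closed O_CLOEXEC fd: %s\n", wd)
	ok, _ := CwdReachableFromRoot()
	fmt.Printf("cwd inside process root: %v\n", ok)
	fds, _ := ListOpenFds()
	for fd, target := range fds {
		fmt.Printf("fd %d -> %s\n", fd, target)
	}
}
```

Run from a normal shell the cwd check reports true, because the process root is /; inside a vulnerable container with a cwd obtained through the leaked descriptor it would report false, which is the condition a hardened init must refuse to proceed on. Note that blindly closing every descriptor from Go is not a safe substitute for fixing the leak: the Go runtime keeps descriptors of its own (for example the epoll handle that appears as anon_inode:[eventpoll] in the listing), which is part of why the fix had to work around runtime internals.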

Patches that close the leak and add hardening against similar bugs are available against runc 1.1.11, and runc 1.1.12 ships with them. The vulnerability has a CVSS v3.1 base score of 8.6 (High; vector AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H): it needs only local access and no privileges, but it does require a user to run a malicious image or exec into a compromised container, and a successful exploit changes scope by reaching the host.

Preventive Measures and Credits

Users should upgrade to runc 1.1.12 (or apply the patches) without delay; `runc --version` shows the installed release, and container engines that vendor runc receive the fix through their own updates. User namespaces and Linux Security Modules (LSMs) such as SELinux limit what an escaped process can read or write on the host, but they do not prevent the escape itself and should not be treated as a substitute for patching. The vulnerability was reported by Rory McNamara from Snyk, with thanks to lifubang from acmcoder and Aleksa Sarai from SUSE for their work on understanding and fixing the problem. Security issues in runc should be reported through the project's private security contact rather than as public issues.