https://www.bleepingcomputer.com/news/security/leaky-vessels-flaws-allow-hackers-to-escape-docker-runc-containers/
Leaky Vessels flaws allow hackers to escape Docker, runc containers

By Bill Toulas
February 4, 2024, 10:17 AM

Four vulnerabilities collectively called "Leaky Vessels" allow hackers to escape containers and access data on the underlying host operating system.

The flaws were discovered by Snyk security researcher Rory McNamara in November 2023, who reported them to impacted parties for fixing.

Snyk has found no signs of active exploitation of the Leaky Vessels flaws in the wild, but the publicity could change the exploitation status, so admins of all impacted systems are advised to apply the available security updates as soon as possible.

Escaping containers

Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes that run the application in a virtualized environment isolated from the operating system.

Container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or other containers.

The Snyk team has found four vulnerabilities collectively called "Leaky Vessels" that impact the runc and BuildKit container infrastructure and build tools, potentially allowing attackers to perform container escape on various software products.
[Figure: Demonstration of Leaky Vessels exploit to access data on host. Source: Snyk]

Because runc and BuildKit are used by a wide range of popular container management software, such as Docker and Kubernetes, the exposure to attacks becomes far more significant.

The Leaky Vessels flaws are summarized below:

* CVE-2024-21626: Bug stemming from an order-of-operations flaw with the WORKDIR command in runc. It allows attackers to escape the isolated environment of the container, granting unauthorized access to the host operating system and potentially compromising the entire system.
* CVE-2024-23651: A race condition within BuildKit's mount cache handling leading to unpredictable behavior, potentially allowing an attacker to manipulate the process for unauthorized access or to disrupt normal container operations.
* CVE-2024-23652: Flaw allowing arbitrary deletion of files or directories during BuildKit's container teardown phase. It could lead to denial of service, data corruption, or unauthorized data manipulation.
* CVE-2024-23653: This vulnerability arises from inadequate privilege checks in BuildKit's gRPC interface. It could permit attackers to execute actions beyond their permissions, leading to privilege escalation or unauthorized access to sensitive data.

Impact and remediation

BuildKit and runc are widely used by popular projects like Docker and multiple Linux distributions.

Due to this, the patching of the "Leaky Vessels" vulnerabilities involved coordinated actions among the security research team at Snyk, the maintainers of the affected components (runc and BuildKit), and the broader container infrastructure community.

On January 31, 2024, BuildKit fixed the flaws with version 0.12.5, and runc addressed the security issue impacting it in version 1.1.12.

Docker released version 4.27.0 on the same day, incorporating the secured versions of the components in its Moby engine, with versions 25.0.1 and 24.0.8.
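An added example (not from the article, Snyk, or the affected projects): a POSIX shell check that compares a reported runc, BuildKit, or Moby engine version against the fixed releases named above, including the two separate Moby release lines. The function names and the sample `runc --version` text are constructed for illustration, and plain numeric `X.Y.Z` version strings are assumed.

```sh
# Fixed releases as stated in the article (published January 31, 2024).
RUNC_FIXED=1.1.12
BUILDKIT_FIXED=0.12.5
MOBY_FIXED_24=24.0.8   # fix on the 24.0.x line
MOBY_FIXED_25=25.0.1   # fix on the 25.0.x line

# ver_lt A B: succeed if version A is strictly older than B.
# Assumes numeric X.Y.Z; a leading "v" and suffixes like "-rc1" are dropped.
ver_lt() {
    a=${1#v}; b=${2#v}
    a=${a%%[-+~]*}; b=${b%%[-+~]*}
    old_ifs=$IFS; IFS=.
    set -- $a 0 0; a1=$1 a2=$2 a3=$3
    set -- $b 0 0; b1=$1 b2=$2 b3=$3
    IFS=$old_ifs
    [ "$a1" -ne "$b1" ] && { [ "$a1" -lt "$b1" ]; return; }
    [ "$a2" -ne "$b2" ] && { [ "$a2" -lt "$b2" ]; return; }
    [ "$a3" -lt "$b3" ]
}

# status_for COMPONENT VERSION: print "vulnerable", "patched" or "unknown".
# Assumption: Moby lines older than 24.0 are measured against 24.0.8, since
# the article names fixes only for the 24.0.x and 25.0.x lines.
status_for() {
    case $1 in
        runc)     fixed=$RUNC_FIXED ;;
        buildkit) fixed=$BUILDKIT_FIXED ;;
        moby)     # 25.0.0 is newer than 24.0.8 yet still unfixed.
            if ver_lt "$2" 25.0.0; then fixed=$MOBY_FIXED_24
            else fixed=$MOBY_FIXED_25; fi ;;
        *) echo unknown; return ;;
    esac
    if ver_lt "$2" "$fixed"; then echo vulnerable; else echo patched; fi
}

# runc_version: extract the version from `runc --version` output on stdin.
runc_version() { sed -n 's/^runc version \([0-9][0-9A-Za-z.+~-]*\).*/\1/p'; }

# Constructed sample of `runc --version` output, not taken from a real host.
SAMPLE_RUNC='runc version 1.1.11
commit: v1.1.11-0-g0000000
spec: 1.0.2-dev'

# On a real host, replace the sample with: runc --version | runc_version
v=$(printf '%s\n' "$SAMPLE_RUNC" | runc_version)
echo "runc $v: $(status_for runc "$v")"
for pair in buildkit:v0.12.5 moby:24.0.7 moby:24.0.8 moby:25.0.0 moby:25.0.1; do
    echo "${pair%%:*} ${pair#*:}: $(status_for "${pair%%:*}" "${pair#*:}")"
done
```

Distribution packages often backport fixes without changing the upstream version number, so a "vulnerable" result on a distro-packaged runc should be confirmed against that vendor's security bulletin.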
Amazon Web Services, Google Cloud, and Ubuntu also published relevant security bulletins, guiding users through the appropriate steps to resolve the flaws in their software and services.

Finally, CISA also published an alert urging cloud system admins to take the appropriate action to secure their systems from potential exploitation.