Data at Risk: ‘Leaky Vessels’ Vulnerabilities Threaten Container Security

Snyk has identified four vulnerabilities in virtualization systems, collectively dubbed Leaky Vessels. These flaws enable attackers to break out of isolated containers and access data on the host operating system.

Containers encapsulate applications with all necessary dependencies, executables, and code for operation, running in a virtualized environment separate from the operating system. Container escape vulnerabilities occur when an attacker or malicious application circumvents this isolation, gaining unauthorized access to the host system or other containers.

These vulnerabilities affect the container infrastructure and build tools runc and BuildKit, potentially allowing attackers to execute container escape attacks on various software products. Because runc and BuildKit are widely used in popular container management software such as Docker and Kubernetes, the risk of attacks is significantly heightened.

Leaky Vessels

Leaky Vessels vulnerabilities include:

  • CVE-2024-21626 (CVSS score: 8.6): A flaw in runc’s command execution order, allowing an attacker to exit the container’s isolated environment and gain unauthorized access to the host operating system.
  • CVE-2024-23651 (CVSS score: 8.7): A race condition in BuildKit’s mount cache processing, leading to unpredictable behavior and potentially enabling an attacker to manipulate the process for unauthorized access.
  • CVE-2024-23652 (CVSS score: 10.0): A vulnerability allowing arbitrary deletion of files or directories during BuildKit’s container teardown phase, potentially leading to denial of service, data corruption, or unauthorized data manipulation.
  • CVE-2024-23653 (CVSS score: 9.8): A vulnerability arising from insufficient privilege verification in BuildKit’s gRPC interface, enabling an attacker to perform actions beyond their permissions, leading to privilege escalation or unauthorized access to confidential data.

On January 31, 2024, BuildKit released vulnerability fixes in version 0.12.5, and runc addressed security issues in version 1.1.12. Docker also released version 4.27.0, including secure versions of components in its Moby engine.
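A version triage against the fixed releases named above, as an added example and not code from Snyk or the affected projects. It assumes the banner formats printed by `runc --version` and `buildkitd --version`; the sample banners are constructed, and the "review" status rests on the assumption that a distribution package may carry a backported fix under an older version number.

```python
import re

# Fixed upstream releases and CVE ids as listed in the article.
FIXED = {
    "runc": ((1, 1, 12), ["CVE-2024-21626"]),
    "buildkit": ((0, 12, 5),
                 ["CVE-2024-23651", "CVE-2024-23652", "CVE-2024-23653"]),
}
BINARIES = {"runc": "runc", "buildkitd": "buildkit", "buildctl": "buildkit"}
VERSION_RE = re.compile(r"\bv?(\d+)\.(\d+)\.(\d+)([-+~]\S+)?")

# Constructed sample banners (commit ids are placeholders, not real hashes).
SAMPLE_BANNERS = [
    "runc version 1.1.11\ncommit: PLACEHOLDER\nspec: 1.0.2-dev",
    "runc version 1.1.12\ncommit: PLACEHOLDER\nspec: 1.0.2-dev",
    "runc version 1.1.7-0ubuntu1~22.04.2",
    "buildkitd github.com/moby/buildkit v0.12.4 PLACEHOLDER",
    "buildkitd github.com/moby/buildkit v0.12.5 PLACEHOLDER",
]


def classify(banner):
    """Return (component, status, cves) for one --version banner.

    status: "patched", "vulnerable", "review" (suffixed vendor or
    pre-release build at or below the fixed version) or "unknown".
    """
    lines = banner.strip().splitlines()
    first = lines[0] if lines else ""
    words = first.split()
    component = BINARIES.get(words[0].lower()) if words else None
    match = VERSION_RE.search(first)
    if component is None or match is None:
        return (component, "unknown", [])
    fixed, cves = FIXED[component]
    found = tuple(int(part) for part in match.groups()[:3])
    suffix = match.group(4)
    if found > fixed or (found == fixed and not suffix):
        return (component, "patched", [])
    # A suffix may mean a distro backport or a pre-release: check the vendor bulletin.
    return (component, "review" if suffix else "vulnerable", cves)


if __name__ == "__main__":
    for sample in SAMPLE_BANNERS:
        print(sample.splitlines()[0], "->", classify(sample))
```

Hosts that come back as "review" need the vendor's security bulletin rather than the upstream version number to settle whether the fix is present.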

Amazon Web Services (AWS), Google Cloud, and Ubuntu have published relevant security bulletins, recommending steps to mitigate the vulnerabilities in their software and services. CISA also issued a warning, urging cloud system administrators to take appropriate measures to protect their systems from potential exploitation.