Leaky Vessels – Docker and runc Container Breakouts

by Srinidhi Vadrevu | February 12, 2024

Snyk recently announced four vulnerabilities in runc and BuildKit, the container runtime and image builder that Docker and Kubernetes rely on. Together known as Leaky Vessels, they pose a significant risk to containerized environments.

About Leaky Vessels vulnerabilities

The Leaky Vessels vulnerabilities are a set of flaws in two pieces of container infrastructure: runc, the low-level OCI runtime that Docker and most Kubernetes nodes use to start containers, and BuildKit, the image builder behind docker build. They allow container escapes: an attacker who already controls a container (or, in the BuildKit cases, the Dockerfile being built) can reach the host filesystem or execute code on the host, compromising the whole node.

Mitigation (But is it really enough?)

With AccuKnox, you can locate the affected assets by the CVE IDs below through our Vulnerabilities page, then apply the fix. Note that runc and BuildKit are host-side components, so the upgrade applies to the container runtime and build daemon on every node, not to the application workloads themselves:

  • CVE-2024-21626 (runc: container escape through a leaked host file descriptor and the process working directory) has been patched in runc v1.1.12.
  • CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653 (BuildKit: a mount-cache race, arbitrary file deletion on the host, and missing privilege checks in the build API) have been patched in BuildKit v0.12.5.
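Before trusting an inventory, a practitioner will want to confirm on each node what is actually installed. The following script is an added example (not from the original post, nor AccuKnox's or Snyk's code): it parses the output of runc --version, the runc line of docker info, and buildctl --version, and compares the versions with the fixed releases listed above. The sample command outputs embedded in it are constructed; only the two fixed version numbers come from the post.

```shell
#!/bin/sh
# Added example: verify that the runc and BuildKit on a host are at or above
# the Leaky Vessels fixed versions. Pure POSIX sh so it runs on minimal node
# images. A version that cannot be parsed is treated as NOT fixed.

RUNC_FIXED="1.1.12"      # fixes CVE-2024-21626
BUILDKIT_FIXED="0.12.5"  # fixes CVE-2024-23651/23652/23653

# version_ge A B: succeed when dotted numeric version A >= B (1.2 == 1.2.0).
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
    case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    if [ "${ai:-0}" -gt "${bi:-0}" ]; then return 0; fi
    if [ "${ai:-0}" -lt "${bi:-0}" ]; then return 1; fi
  done
  return 0
}

# first_version TEXT BRE: print the dotted version that follows BRE in TEXT
# (first matching line only); prints nothing when there is no match.
first_version() {
  printf '%s\n' "$1" | sed -n "s/.*$2\([0-9][0-9.]*\).*/\1/p" | head -n 1
}

# runc_fixed TEXT: TEXT is `runc --version` output ("runc version 1.1.12")
# or the "runc version: v1.1.12" line printed by `docker info`.
runc_fixed() {
  v=$(first_version "$1" 'runc version:\{0,1\} v\{0,1\}')
  [ -n "$v" ] && version_ge "$v" "$RUNC_FIXED"
}

# buildkit_fixed TEXT: TEXT is `buildctl --version` output
# ("buildctl github.com/moby/buildkit v0.12.5 <commit>").
buildkit_fixed() {
  v=$(first_version "$1" 'buildkit v')
  [ -n "$v" ] && version_ge "$v" "$BUILDKIT_FIXED"
}

# report NAME FIXED CHECK_FN TEXT: one human-readable status line.
report() {
  if "$3" "$4"; then
    echo "$1: fixed (>= $2)"
  else
    echo "$1: VULNERABLE or version unknown (need >= $2)"
  fi
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_RUNC_OLD='runc version 1.1.11
commit: <hash>
spec: 1.0.2-dev'
SAMPLE_RUNC_NEW='runc version 1.1.12
commit: <hash>
spec: 1.0.2-dev'
SAMPLE_DOCKER_INFO='Server:
 Default Runtime: runc
 runc version: v1.1.12
 containerd version: <hash>'
SAMPLE_BUILDCTL='buildctl github.com/moby/buildkit v0.12.5 <hash>'

report "runc (sample, old)"  "$RUNC_FIXED"     runc_fixed     "$SAMPLE_RUNC_OLD"
report "runc (sample, new)"  "$RUNC_FIXED"     runc_fixed     "$SAMPLE_RUNC_NEW"
report "runc (docker info)"  "$RUNC_FIXED"     runc_fixed     "$SAMPLE_DOCKER_INFO"
report "buildkit (buildctl)" "$BUILDKIT_FIXED" buildkit_fixed "$SAMPLE_BUILDCTL"

# Live check: only runs when the tools are actually present on this host.
if command -v runc >/dev/null 2>&1; then
  report "runc (this host)" "$RUNC_FIXED" runc_fixed "$(runc --version 2>/dev/null)"
fi
if command -v buildctl >/dev/null 2>&1; then
  report "buildkit (this host)" "$BUILDKIT_FIXED" buildkit_fixed "$(buildctl --version 2>/dev/null)"
fi
```

The BuildKit that is embedded in the Docker Engine daemon is not reported by buildctl; it is upgraded together with the Engine, so on a plain Docker host check the Engine release notes for the bundled BuildKit version rather than relying on the buildctl line.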

Prevention using Accuknox

Our platform also has a built-in capability to stop the exploit before it succeeds.

Patching alone may not be enough given the multi-layered security challenges of containerized environments; continuous monitoring of events and real-time behavioral insight play an equally important role. Patching takes time, and in the meantime organizations cannot afford to leave their systems exposed.

With AccuKnox you get in-line mitigation that stops the attack as it happens, together with continuous real-time alerts.

AccuKnox does more than point at remediation. To see how it can stop these exploits from succeeding, let's look at how one of the CVEs is blocked by an AccuKnox hardening policy.

Breakdown

CVE-2024-23652:

In a successful attack, an arbitrary file on the host filesystem, chosen by the Dockerfile, is deleted: a malicious RUN --mount instruction tricks BuildKit's cleanup of the stub files it creates for mountpoints into removing a path outside the build container. Because BuildKit generally runs with root privileges, this allows the deletion of any file on the host.

With an AccuKnox hardening policy in place, write access (creating, modifying or deleting files) under a protected directory is denied even to root inside the selected container; only reads are allowed. In audit mode you are alerted to the attempt, and switching the policy to Block turns the same rule into in-line mitigation. Note that a KubeArmorPolicy applies to the pods matching its selector, so it has to target the workload that actually runs the BuildKit daemon (for example an in-cluster buildkitd); for a BuildKit or Docker daemon running directly on a node, the equivalent is a KubeArmorHostPolicy scoped to that node.

Ref: KubeArmor policy

apiVersion: security.kubearmor.com/v1
kind: KubeArmorPolicy
metadata:
  annotations:
    app.accuknox.com/source: Discovery Engine  # auto-generated by the AccuKnox discovery engine
    app.accuknox.com/type: harden
  name: harden-ubuntu-2-deployment-write-etc-dir
  namespace: multiubuntu                       # policies are namespaced; pods elsewhere are unaffected
spec:
  action: Block                                # Audit would only log the event; Block enforces in-line
  file:
    matchDirectories:
    - dir: /etc/                               # directory paths end with a slash
      readOnly: true                           # reads allowed, every write (create/modify/delete) denied
      recursive: true                          # cover all subdirectories; false covers only direct children
  message: Alert! File creation under /etc/ directory detected.
  selector:
    matchLabels:                               # only pods carrying both labels are covered
      container: ubuntu-2
      group: group-1
  severity: 5

[Screenshot: AccuKnox Hardening Policy]

[Screenshot: Event blocked by AccuKnox]
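The protective value of the policy above depends on three fields, dir, recursive and readOnly, and it is easy to get their scope wrong. The script below is an added example (not from the original post and not KubeArmor's own matching code): it models the decision the policy is meant to produce for a given file operation, so the scope of a rule can be checked against sample operations before it is applied. The operation names (read, write, create, unlink, rename, chmod) and the sample operations are constructed for this model; the rule values are the ones from the policy above.

```shell
#!/bin/sh
# Added example: a model of the post's harden-ubuntu-2-deployment-write-etc-dir
# rule. It is not KubeArmor's matching code; it encodes the intent of the rule:
# a Block rule with readOnly denies every operation except read under dir,
# and recursive decides whether nested paths are covered.

# policy_decision DIR RECURSIVE READONLY OP PATH
#   DIR       matchDirectories[].dir (ends with '/')
#   RECURSIVE true|false  cover subdirectories or only direct children
#   READONLY  true|false  exempt read operations from the Block action
#   OP        read|write|create|unlink|rename|chmod (names chosen for this model)
#   PATH      absolute path the process touches
# Prints Block or Allow.
policy_decision() {
  dir="$1"; recursive="$2"; ro="$3"; op="$4"; path="$5"
  case "$path" in
    "$dir"*) ;;                      # inside the protected directory
    *) echo Allow; return 0 ;;       # elsewhere: the rule does not apply
  esac
  rest="${path#"$dir"}"
  if [ "$recursive" != true ]; then
    case "$rest" in
      */*) echo Allow; return 0 ;;   # nested path, not covered without recursive
    esac
  fi
  if [ "$ro" = true ] && [ "$op" = read ]; then
    echo Allow; return 0             # readOnly: reads pass, everything else is a write
  fi
  echo Block
}

# Constructed sample of operations a process in the selected pod might attempt
# (an unlink under /etc/ is the shape of the CVE-2024-23652 outcome the post describes).
SAMPLE_OPS='unlink /etc/hosts
read /etc/passwd
write /etc/ssl/certs/ca-certificates.crt
unlink /tmp/etc/hosts
write /etcetera/notes'

# show_decisions DIR RECURSIVE READONLY: print one decision line per sample op.
show_decisions() {
  while read -r op path; do
    [ -z "$op" ] && continue
    printf '%-5s  %-6s %s\n' "$(policy_decision "$1" "$2" "$3" "$op" "$path")" "$op" "$path"
  done <<EOF
$SAMPLE_OPS
EOF
}

# count_blocked DIR RECURSIVE READONLY: print how many sample ops the rule blocks.
count_blocked() {
  n=0
  while read -r op path; do
    [ -z "$op" ] && continue
    if [ "$(policy_decision "$1" "$2" "$3" "$op" "$path")" = Block ]; then
      n=$((n + 1))
    fi
  done <<EOF
$SAMPLE_OPS
EOF
  echo "$n"
}

echo "rule: dir=/etc/ recursive=true readOnly=true (the post's policy)"
show_decisions /etc/ true true
echo "blocked: $(count_blocked /etc/ true true)"
echo
echo "rule: dir=/etc/ recursive=false readOnly=true (subdirectories left open)"
show_decisions /etc/ false true
echo "blocked: $(count_blocked /etc/ false true)"
```

Two things the run makes visible: with recursive set to false the write to /etc/ssl/certs/ is allowed, which is exactly the kind of gap an auto-generated rule must not leave, and a path such as /etcetera/ or /tmp/etc/ is never covered, so a rule on /etc/ says nothing about files the build daemon reaches through other mounts.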

Similarly, with the help of our default hardening rules the other Leaky Vessels CVEs (CVE-2024-21626, CVE-2024-23651, CVE-2024-23653) are monitored for the conditions they need, and an audit event is generated in the CNAPP interface. You can also switch the policy to Block for in-line mitigation until the systems are upgraded.

Conclusion

Because AccuKnox drives containers toward a least-permissive posture through auto-generated policies, container escapes such as Leaky Vessels should not be allowed by default. Your application is protected whether or not a fix is available yet.
