Leaky Vessels – Docker and runc Container Breakouts
Recently Synk annnounced the discovery of four vulnerabilities in Kubernetes and Docker. These new set of vulnerabilities, together known as Leaky Vessels, poses significant risk in the containerized environments. About Leaky Vessels vulnerabilities The Leaky Vessels vulnerabilities refer to a series of security flaws found in the container runtime environment, specifically within runc, a popular open-source […]
Reading Time: 2 minutes
Recently Synk annnounced the discovery of four vulnerabilities in Kubernetes and Docker. These new set of vulnerabilities, together known as Leaky Vessels, poses significant risk in the containerized environments.
- CVE-2024-21626: CVSS – High, 8.6
- CVE-2024-23651: CVSS – High, 8.7
- CVE-2024-23652: CVSS – Critical, 10
- CVE-2024-23653: CVSS – Critical, 9.8
About Leaky Vessels vulnerabilities
The Leaky Vessels vulnerabilities refer to a series of security flaws found in the container runtime environment, specifically within runc, a popular open-source container runtime used by Docker and Kubernetes. The vulnerabilities are associated with runC command line tool and BuildKit, allow for container escapes, enabling an attacker who has gained access to a container to execute arbitrary code on the host machine, thereby compromising the entire system.
Mitigation (But is it really enough?)
With Accuknox, you can locate the assets which has the below CVEs through our Vulnerabilities page and follow the solution as suggested below.
Upgrade all the workloads to the below versions:
- CVE-2024-21626 has been patched in runC
- CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653 have been patched in BuildKit
Prevention using Accuknox
Do you know our solution also has in-built capability to stop the exploit to even occur?
Just patching the vulnerability might not be enough with the multi‑layered infrastructure security challenges that comes in with containerized environments, continues monitoring of the event and real‑time behavioral insights play a crucial role. We all know, patching takes time and meanwhile organizations cannot risk of compromising their systems.
With Accuknox, you can do in-line mitigation stopping the attack from having to occur along with monitoring the continuous real-time alerts.
Accuknox can do much more than just providing remediation solutions. To understand how Accuknox can stop these exploits from even occurring, let’s dig deep and understand how one of the CVE can be stopped from being exploited using Accuknox Hardening policy.
In a successful attack, an arbitrary Dockerfile-defined target file inside the host filesystem will be deleted. As Buildkit is generally running with root privileges, this can allow for the deletion of any file in the host filesystem.
With Accuknox hardening policies in place, a process with root privileges cannot perform any operations other than read. This way you are already alerted about the event and you can configure enforcing the policy to trigger in-line mitigation.
Ref : Kubearmour policy
apiVersion: security.kubearmor.com/v1 kind: KubeArmorPolicy metadata: annotations: app.accuknox.com/source: Discovery Engine app.accuknox.com/type: harden name: harden-ubuntu-2-deployment-write-etc-dir namespace: multiubuntu spec: action: Block file: matchDirectories: - dir: /etc/ readOnly: true recursive: true message: Alert! File creation under /etc/ directory detected. selector: matchLabels: container: ubuntu-2 group: group-1 severity: 5
Accuknox Hardening Policy
Event blocked by Accuknox
Similarly, With the help of our default hardening rules, other CVEs (CVE-2024-21626,CVE-2024-23651, CVE-2024-23653) related to leaky vessels are monitored for the necessary conditions and an audit event is generated on the CNAPP interface. You can also configure the policy to do an in-line mitigation until the systems are upgraded.
Since AccuKnox helps to achieve least permissive posture in the containers through auto-generated policies, these container escapes such as leaky vessel should not have been allowed by default. Thus protecting your application despite of the fact that there was a fix available or not.
Must read articles
- Zero Trust (ZT) – The Future of Cloud Security
- Zero Trust (ZT) Architecture, Framework and Model
- Cloud Security Governance, Risk and Compliance (GRC)
- How to Pick the Right CNAPP (Cloud Native Application Protection Platform) Vendor
- What is Driving the Need for CSPM (Cloud Security Posture Management)
- Agent vs Agentless Multi Cloud Security
You cannot secure what you cannot see.
Your most sensitive information is stored on endpoints and in the cloud. Protect what is most important from cyberattacks. Real-time autonomous protection for your network's edges.