A security researcher from Snyk Security Labs has identified a series of vulnerabilities that allow attackers to escape from a container environment and access the underlying host system. According to Snyk's blog post, such an escape could grant access to sensitive data such as login or customer information and enable the execution of further attacks.
The vulnerabilities, grouped under the name Leaky Vessels, were apparently discovered as early as November 2023. One of the vulnerabilities (CVE-2024-21626) relates to the CLI tool runc (up to version 1.1.11), which is used to create and execute containers in Linux. The severity is rated as high with a CVSS score of 8.6.
The other three vulnerabilities (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) are attributed to the toolkit Buildkit (up to version 0.12.4), used for example by the widely-used container virtualization solution Docker. These vulnerabilities range in CVSS scores from 8.7 up to the maximum severity of 10, indicating a high to critical severity level.
Patches have since been made available: the vulnerabilities were addressed on January 31, 2024, in runc version 1.1.12 and Buildkit version 0.12.5. Relevant information regarding these patches can also be found from Docker, AWS, Ubuntu, and Google Cloud. Snyk strongly recommends that users diligently seek out updates for their container solutions and apply them as soon as possible.
“It is likely that you will need to update your Docker daemons and Kubernetes deployments, as well as any container build tools you use in CI/CD pipelines, on build servers, and on your developers’ workstations,” the company stated. Additionally, it’s crucial to inspect existing containers for potential compromise.
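As an added example (not Snyk's code and not one of the tools described below), a POSIX shell check that compares a runc or BuildKit version string against the fixed releases named above; the `runc --version` and `buildkitd --version` output formats it parses are assumptions.

```shell
#!/bin/sh
# Added example: compare installed runc / BuildKit versions against the
# releases the article names as fixed (runc 1.1.12, BuildKit 0.12.5).
# Assumes "X.Y.Z" version strings; a leading "v" and any "-rc1"-style
# suffix are stripped before comparison, so pre-releases are not ranked.

# version_ge A B -> exit 0 if A >= B, comparing up to three numeric fields
version_ge() {
    printf '%s\n%s\n' "$1" "$2" | sed 's/^v//; s/[-+].*$//' | awk -F. '
        NR == 1 { a1 = $1 + 0; a2 = $2 + 0; a3 = $3 + 0 }
        NR == 2 { b1 = $1 + 0; b2 = $2 + 0; b3 = $3 + 0 }
        END {
            if (a1 != b1) exit !(a1 > b1)
            if (a2 != b2) exit !(a2 > b2)
            exit !(a3 >= b3)
        }'
}

# is_patched COMPONENT VERSION -> 0 if VERSION is at or above the fixed release
is_patched() {
    case "$1" in
        runc)     version_ge "$2" 1.1.12 ;;
        buildkit) version_ge "$2" 0.12.5 ;;
        *)        echo "unknown component: $1" >&2; return 2 ;;
    esac
}

# report_installed: query binaries on this host (if present) and report.
# Output format of both --version commands is an assumption of this example.
report_installed() {
    rc=0
    if command -v runc >/dev/null 2>&1; then
        v=$(runc --version 2>/dev/null | awk 'NR == 1 { print $3 }')
        if is_patched runc "$v"; then echo "runc $v: patched"
        else echo "runc $v: affected by CVE-2024-21626, update to 1.1.12+"; rc=1; fi
    else
        echo "runc: not found on PATH"
    fi
    if command -v buildkitd >/dev/null 2>&1; then
        v=$(buildkitd --version 2>/dev/null | awk 'NR == 1 { print $3 }')
        if is_patched buildkit "$v"; then echo "buildkitd $v: patched"
        else echo "buildkitd $v: affected by Leaky Vessels, update to 0.12.5+"; rc=1; fi
    else
        echo "buildkitd: not found on PATH"
    fi
    return $rc
}

# Run the host check when invoked directly: sh leaky-vessels-check.sh --check
if [ "${1:-}" = "--check" ]; then
    report_installed
fi
```

Run it on each build server, CI runner and developer workstation the quoted guidance names; an exit status of 1 means at least one affected binary was found.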
Tools for detecting misuse

Snyk has provided two tools via GitHub intended to assist administrators in detection, emphasizing, however, that these tools neither rectify the vulnerabilities nor prevent their exploitation. One of these tools is called the Leaky Vessels Dynamic Detector, which aims to detect exploitation attempts at runtime by searching for characteristic patterns associated with the vulnerabilities.
The second tool is named the Leaky Vessels Static Detector. “It scans Dockerfiles and image layers to identify commands that appear to be attempting to exploit the vulnerabilities,” Snyk stated. However, the findings must be verified manually afterward. Both tools are likely to produce some false negatives and false positives.