Lucene search

K

Amazon Linux 2 : runc (ALASDOCKER-2024-047)

Amazon Linux 2 runc (ALASDOCKER-2024-047) vulnerabilit

Show more
Related
Refs
Code
ReporterTitlePublishedViews
Family
OSV
CGA-7232-xmqv-f27r
6 Sep 202411:04
osv
OSV
CGA-868p-3h5j-r4j8
25 Sep 202405:16
osv
OSV
CGA-82cw-7hh2-2c38
25 Sep 202405:16
osv
OSV
CGA-gvcg-8xj5-286f
6 Sep 202412:04
osv
OSV
CGA-jjfg-268g-75hh
25 Sep 202405:27
osv
OSV
CGA-v3g7-gmqg-m2m5
25 Sep 202405:34
osv
OSV
CGA-g75c-9528-5gwq
25 Sep 202405:23
osv
OSV
UBUNTU-CVE-2024-45310
3 Sep 202419:15
osv
OSV
CGA-p579-326g-hgv3
25 Sep 202405:29
osv
OSV
CGA-gfpc-379f-6293
25 Sep 202405:23
osv
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASDOCKER-2024-047.
##

include('compat.inc');

if (description)
{
  script_id(209065);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/10/15");

  script_cve_id("CVE-2024-45310");

  script_name(english:"Amazon Linux 2 : runc (ALASDOCKER-2024-047)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of runc installed on the remote host is prior to 1.1.14-1. It is, therefore, affected by a vulnerability as
referenced in the ALAS2DOCKER-2024-047 advisory.

    runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and
    earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in
    arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a
    race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be
    truncated. An attacker must have the ability to start containers using some kind of custom volume
    configuration. Containers using user namespaces are still affected, but the scope of places an attacker
    can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can
    also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this
    attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc
    directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.

    Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that
    the attacker can only create inodes in directories that the remapped root user/group has write access to.
    Unless the root user is remapped to an actualuser on the host (such as with rootless containers that don't
    use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in
    world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict
    the scope if a specific label is applied to the runc runtime, though neither the extent to which the
    standard existing policies block this attack nor what exact policies are needed to sufficiently restrict
    this attack have been thoroughly tested. (CVE-2024-45310)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASDOCKER-2024-047.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2024-45310.html");
  script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
  script_set_attribute(attribute:"solution", value:
"Run 'yum update runc' to update your system.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45310");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/10/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/10/15");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:runc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:runc-debuginfo");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Amazon Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var pkgs = [
    {'reference':'runc-1.1.14-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'runc-1.1.14-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'runc-debuginfo-1.1.14-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'runc-debuginfo-1.1.14-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  var cves = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
  if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
    if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_NOTE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "runc / runc-debuginfo");
}

Transform Your Security Services

Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.

Book a live demo