Amazon Linux 2 runc (ALASDOCKER-2024-047) vulnerabilit
Reporter | Title | Published | Views | Family All 59 |
---|---|---|---|---|
OSV | CGA-7232-xmqv-f27r | 6 Sep 202411:04 | – | osv |
OSV | CGA-868p-3h5j-r4j8 | 25 Sep 202405:16 | – | osv |
OSV | CGA-82cw-7hh2-2c38 | 25 Sep 202405:16 | – | osv |
OSV | CGA-gvcg-8xj5-286f | 6 Sep 202412:04 | – | osv |
OSV | CGA-jjfg-268g-75hh | 25 Sep 202405:27 | – | osv |
OSV | CGA-v3g7-gmqg-m2m5 | 25 Sep 202405:34 | – | osv |
OSV | CGA-g75c-9528-5gwq | 25 Sep 202405:23 | – | osv |
OSV | UBUNTU-CVE-2024-45310 | 3 Sep 202419:15 | – | osv |
OSV | CGA-p579-326g-hgv3 | 25 Sep 202405:29 | – | osv |
OSV | CGA-gfpc-379f-6293 | 25 Sep 202405:23 | – | osv |
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux 2 Security Advisory ALASDOCKER-2024-047.
##
include('compat.inc');
if (description)
{
script_id(209065);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/10/15");
script_cve_id("CVE-2024-45310");
script_name(english:"Amazon Linux 2 : runc (ALASDOCKER-2024-047)");
script_set_attribute(attribute:"synopsis", value:
"The remote Amazon Linux 2 host is missing a security update.");
script_set_attribute(attribute:"description", value:
"The version of runc installed on the remote host is prior to 1.1.14-1. It is, therefore, affected by a vulnerability as
referenced in the ALAS2DOCKER-2024-047 advisory.
runc is a CLI tool for spawning and running containers according to the OCI specification. runc 1.1.13 and
earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in
arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a
race with `os.MkdirAll`. While this could be used to create empty files, existing files would not be
truncated. An attacker must have the ability to start containers using some kind of custom volume
configuration. Containers using user namespaces are still affected, but the scope of places an attacker
can create inodes can be significantly reduced. Sufficiently strict LSM policies (SELinux/Apparmor) can
also in principle block this attack -- we suspect the industry standard SELinux policy may restrict this
attack's scope but the exact scope of protection hasn't been analysed. This is exploitable using runc
directly as well as through Docker and Kubernetes. The issue is fixed in runc v1.1.14 and v1.2.0-rc3.
Some workarounds are available. Using user namespaces restricts this attack fairly significantly such that
the attacker can only create inodes in directories that the remapped root user/group has write access to.
Unless the root user is remapped to an actualuser on the host (such as with rootless containers that don't
use `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in
world-writable directories. A strict enough SELinux or AppArmor policy could in principle also restrict
the scope if a specific label is applied to the runc runtime, though neither the extent to which the
standard existing policies block this attack nor what exact policies are needed to sufficiently restrict
this attack have been thoroughly tested. (CVE-2024-45310)
Tenable has extracted the preceding description block directly from the tested product security advisory.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/AL2/ALASDOCKER-2024-047.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/cve/html/CVE-2024-45310.html");
script_set_attribute(attribute:"see_also", value:"https://alas.aws.amazon.com/faqs.html");
script_set_attribute(attribute:"solution", value:
"Run 'yum update runc' to update your system.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45310");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/03");
script_set_attribute(attribute:"patch_publication_date", value:"2024/10/10");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/10/15");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:runc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:runc-debuginfo");
script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux:2");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Amazon Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var alas_release = get_kb_item("Host/AmazonLinux/release");
if (isnull(alas_release) || !strlen(alas_release)) audit(AUDIT_OS_NOT, "Amazon Linux");
var os_ver = pregmatch(pattern: "^AL(A|\d+|-\d+)", string:alas_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "2")
{
if (os_ver == 'A') os_ver = 'AMI';
audit(AUDIT_OS_NOT, "Amazon Linux 2", "Amazon Linux " + os_ver);
}
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var pkgs = [
{'reference':'runc-1.1.14-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'runc-1.1.14-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'runc-debuginfo-1.1.14-1.amzn2', 'cpu':'aarch64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE},
{'reference':'runc-debuginfo-1.1.14-1.amzn2', 'cpu':'x86_64', 'release':'AL2', 'rpm_spec_vers_cmp':TRUE}
];
var flag = 0;
foreach var package_array ( pkgs ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
var cves = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (!empty_or_null(package_array['cves'])) cves = package_array['cves'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_NOTE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "runc / runc-debuginfo");
}
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. Contact us for a demo and discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo