The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3735 advisory.
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the C
portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. (CVE-2021-43784)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (attack 2). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (attack 1). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this issue. (CVE-2024-21626)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
```nasl
#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dla-3735. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(190686);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/20");

  script_cve_id("CVE-2021-43784", "CVE-2024-21626");
  script_xref(name:"IAVA", value:"2024-A-0071");

  script_name(english:"Debian dla-3735 : golang-github-opencontainers-runc-dev - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dla-3735 advisory.

  - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In
    runc, netlink is used internally as a serialization system for specifying the relevant container
    configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In
    all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in
    the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte
    array attribute could result in the length overflowing and the attribute contents being parsed as netlink
    messages for container configuration. This vulnerability requires the attacker to have some control over
    the configuration of the container and would allow the attacker to bypass the namespace restrictions of
    the container by simply adding their own netlink payload which disables all namespaces. The main users
    impacted are those who allow untrusted images with untrusted configurations to run on their machines (such
    as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one
    may try disallowing untrusted namespace paths from your container. It should be noted that untrusted
    namespace paths would allow the attacker to disable namespace protections entirely even in the absence of
    this bug. (CVE-2021-43784)

  - runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In
    runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned
    container process (from runc exec) to have a working directory in the host filesystem namespace, allowing
    for a container escape by giving access to the host filesystem (attack 2). The same attack could be used
    by a malicious image to allow a container process to gain access to the host filesystem through runc run
    (attack 1). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries,
    allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for
    this issue. (CVE-2024-21626)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/runc");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-43784");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2024-21626");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/buster/runc");
  script_set_attribute(attribute:"solution", value:
"Upgrade the golang-github-opencontainers-runc-dev packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-43784");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21626");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'runc (docker) File Descriptor Leak Privilege Escalation');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/12/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/19");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/02/19");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:golang-github-opencontainers-runc-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:runc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:10.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

# This is a credentialed, version-based check: it needs local checks
# enabled and the dpkg package list collected from the host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only Debian 10.x is covered by dla-3735.
var debian_release = get_kb_item('Host/Debian/release');
if ( isnull(debian_release) ) audit(AUDIT_OS_NOT, 'Debian');
debian_release = chomp(debian_release);
if (! preg(pattern:"^(10)\.[0-9]+", string:debian_release)) audit(AUDIT_OS_NOT, 'Debian 10.0', 'Debian ' + debian_release);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

# Fixed package versions from the advisory; any installed version older
# than the reference is reported as affected.
var pkgs = [
    {'release': '10.0', 'prefix': 'golang-github-opencontainers-runc-dev', 'reference': '1.0.0~rc6+dfsg1-3+deb10u3'},
    {'release': '10.0', 'prefix': 'runc', 'reference': '1.0.0~rc6+dfsg1-3+deb10u3'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var _release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) _release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (_release && prefix && reference) {
    if (deb_check(release:_release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'golang-github-opencontainers-runc-dev / runc');
}
```
| Vendor | Product | Version | CPE |
|---|---|---|---|
| debian | debian_linux | golang-github-opencontainers-runc-dev | p-cpe:/a:debian:debian_linux:golang-github-opencontainers-runc-dev |
| debian | debian_linux | runc | p-cpe:/a:debian:debian_linux:runc |
| debian | debian_linux | 10.0 | cpe:/o:debian:debian_linux:10.0 |