CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
AI Score
Confidence
High
According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
Moby is an open-source project created by Docker to enable software containerization. The classic builder cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ('attack 2'). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ('attack 1'). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ('attack 3a' and 'attack 3b'). runc 1.1.12 includes patches for this issue.(CVE-2024-21626)
Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(202968);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/07/24");
script_cve_id("CVE-2024-21626", "CVE-2024-24557");
script_name(english:"EulerOS 2.0 SP8 : docker-engine (EulerOS-SA-2024-2024)");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the docker-engine packages installed, the EulerOS installation on the remote host is
affected by the following vulnerabilities :
Moby is an open-source project created by Docker to enable software containerization. The classic builder
cache system is prone to cache poisoning if the image is built FROM scratch. Also, changes to some
instructions (most important being HEALTHCHECK and ONBUILD) would not cause a cache miss. An attacker with
the knowledge of the Dockerfile someone is using could poison their cache by making them pull a specially
crafted image that would be considered as a valid cache candidate for some build steps. 23.0+ users are
only affected if they explicitly opted out of Buildkit (DOCKER_BUILDKIT=0 environment variable) or are
using the /build API endpoint. All users on versions older than 23.0 could be impacted. Image build API
endpoint (/build) and ImageBuild function from github.com/docker/docker/client is also affected as it the
uses classic builder by default. Patches are included in 24.0.9 and 25.0.2 releases.(CVE-2024-24557)
runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In
runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned
container process (from runc exec) to have a working directory in the host filesystem namespace, allowing
for a container escape by giving access to the host filesystem ('attack 2'). The same attack could be used
by a malicious image to allow a container process to gain access to the host filesystem through runc run
('attack 1'). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries,
allowing for complete container escapes ('attack 3a' and 'attack 3b'). runc 1.1.12 includes patches for
this issue.(CVE-2024-21626)
Tenable has extracted the preceding description block directly from the EulerOS docker-engine security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-2024
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8a462c4d");
script_set_attribute(attribute:"solution", value:
"Update the affected docker-engine packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-24557");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2024-21626");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'runc (docker) File Descriptor Leak Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/01");
script_set_attribute(attribute:"patch_publication_date", value:"2024/07/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/07/22");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-engine");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-engine-selinux");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(8)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP8", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("aarch64" >!< cpu) audit(AUDIT_ARCH_NOT, "aarch64", cpu);
var flag = 0;
var pkgs = [
"docker-engine-18.09.0.101-1.h71.28.24.eulerosv2r8",
"docker-engine-selinux-18.09.0.101-1.h71.28.24.eulerosv2r8"
];
foreach (var pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"8", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-engine");
}