Lucene search
K

EulerOS 2.0 SP10 : docker-runc (EulerOS-SA-2024-2902)

🗓️ 08 Nov 2024 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 8 Views

EulerOS 2.0 SP10 docker-runc has vulnerabilities allowing arbitrary file creation in host filesystem.

Related
Refs
Code
ReporterTitlePublishedViews
Family
IBM Security Bulletins
Security Bulletin: IBM InfoSphere Information Server is affected by a vulnerability in Open Container Initiative runc (CVE-2024-45310)
28 Mar 202520:20
ibm
IBM Security Bulletins
Security Bulletin: Arbitrary File and Directory Creation via Volume Sharing Race Condition in runc , affects watsonx.data
11 Sep 202509:01
ibm
IBM Security Bulletins
Security Bulletin: Additional security vulnerabilities are addressed with IBM Cloud Pak for Business Automation iFixes for April 2025.
3 May 202505:54
ibm
IBM Security Bulletins
Security Bulletin: IBM MQ Operator and Queue manager container images are vulnerable to gcc, github.com/opencontainers/runc and github.com/containers/common (CVE-2024-45310, CVE-2020-11023, CVE-2024-9341)
25 Mar 202512:50
ibm
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities in Go affects IBM Robotic Process Automation for Cloud Pak
9 Jun 202519:01
ibm
IBM Security Bulletins
Security Bulletin: security vulnerabilities are addressed with IBM Business Automation Insights iFixes for May 2026.
1 Jun 202610:46
ibm
IBM Security Bulletins
Security Bulletin: Multiple Vulnerabilities in IBM CloudPak for AIOps
26 Mar 202518:21
ibm
IBM Security Bulletins
Security Bulletin: Red Hat OpenShift on IBM Cloud is affected by a runc security vulnerability (CVE-2024-45310)
15 Apr 202503:02
ibm
IBM Security Bulletins
Security Bulletin: Multiple security vulnerabilities are addressed with Cloud Pak foundational services 4.18.0 shipped with IBM Cloud Pak for Business Automation iFixes for June 2026
29 Jun 202610:11
ibm
IBM Security Bulletins
Security Bulletin: Multiple vulnerabilities affect IBM Db2® on Cloud Pak for Data, and Db2 Warehouse on Cloud Pak for Data
18 May 202613:36
ibm
Rows per page
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(210640);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/11/08");

  script_cve_id("CVE-2024-45310");

  script_name(english:"EulerOS 2.0 SP10 : docker-runc (EulerOS-SA-2024-2902)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing a security update.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the docker-runc package installed, the EulerOS installation on the remote host is affected
by the following vulnerabilities :

    runc is a CLI tool for spawning and running containers according to the OCI specification.runc 1.1.13 and
    earlier, as well as 1.2.0-rc2 and earlier, can be tricked into creating empty files or directories in
    arbitrary locations in the host filesystem by sharing a volume between two containers and exploiting a
    race with `os.MkdirAll`.While this could be used to create empty files, existing files would not be
    truncated.An attacker must have the ability to start containers using some kind of custom volume
    configuration.Containers using user namespaces are still affected, but the scope of places an attacker can
    create inodes can be significantly reduced.Sufficiently strict LSM policies (SELinux/Apparmor) can also in
    principle block this attack -- we suspect the industry standard SELinux policy may restrict this attack's
    scope but the exact scope of protection hasn't been analysed.This is exploitable using runc directly as
    well as through Docker and Kubernetes.The issue is fixed in runc v1.1.14 and v1.2.0-rc3. Some workarounds
    are available.Using user namespaces restricts this attack fairly significantly such that the attacker can
    only create inodes in directories that the remapped root user/group has write access to.Unless the root
    user is remapped to an actual user on the host (such as with rootless containers that don't use
    `/etc/sub[ug]id`), this in practice means that an attacker would only be able to create inodes in world-
    writable directories.A strict enough SELinux or AppArmor policy could in principle also restrict the scope
    if a specific label is applied to the runc runtime, though neither the extent to which the standard
    existing policies block this attack nor what exact policies are needed to sufficiently restrict this
    attack have been thoroughly tested.(CVE-2024-45310)

Tenable has extracted the preceding description block directly from the EulerOS docker-runc security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2024-2902
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1cfd1b0c");
  script_set_attribute(attribute:"solution", value:
"Update the affected docker-runc packages.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2024-45310");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/09/03");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/11/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/11/08");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:docker-runc-1.0.0.rc3");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

var _release = get_kb_item("Host/EulerOS/release");
if (isnull(_release) || _release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
var uvp = get_kb_item("Host/EulerOS/uvp_version");
if (_release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");

var sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(10)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10");

if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP10", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu && "x86" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "x86" >!< cpu) audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

var flag = 0;

var pkgs = [
  "docker-runc-1.0.0.rc3-200.h24.eulerosv2r10"
];

foreach (var pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"10", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_NOTE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "docker-runc");
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

08 Nov 2024 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 3.13.6
EPSS0.00317
SSVC
8