7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.7%
By crafting a malicious root filesystem (with /proc
being a symlink to a directory which was inside a volume shared with another running container), an attacker in control of both containers can trick runc
into not correctly configuring the container’s security labels and not correctly masking paths inside /proc
which contain potentially-sensitive information about the host (or even allow for direct attacks against the host).
In order to exploit this bug, an untrusted user must be able to spawn custom containers with custom mount configurations (such that a volume is shared between two containers). It should be noted that we consider this to be a fairly high level of access for an untrusted user – and we do not recommend allowing completely untrusted users to have such degrees of access without further restrictions.
github.com/opencontainers/runc/libcontainer
This vulnerability has been fixed in 1.0.0-rc10
. It should be noted that the current fix is effectively a hot-fix, and there are known ways for it to be worked around (such as making the entire root filesystem a shared volume controlled by another container). We recommend that users review their access policies to ensure that untrusted users do not have such high levels of controls over container mount configuration.
If you are not providing the ability for untrusted users to configure mountpoints for runc
(or through a higher-level tool such as docker run -v
) then you are not vulnerable to this issue. This exploit requires fairly complicated levels of access (which are available for some public clouds but are not necessarily available for all deployments).
Additionally, it appears as though it is not possible to exploit this vulnerability through Docker (due to the order of mounts Docker generates). However you should not depend on this, as it may be possible to work around this roadblock.
This vulnerability was discovered by Cure53, as part of a third-party security audit.
If you have any questions or comments about this advisory:
CPE | Name | Operator | Version |
---|---|---|---|
github.com/opencontainers/runc | lt | 1.0.0-rc9.0.20200122160610-2fc03cc11c77 |
lists.opensuse.org/opensuse-security-announce/2020-02/msg00018.html
access.redhat.com/errata/RHSA-2020:0688
access.redhat.com/errata/RHSA-2020:0695
github.com/opencontainers/runc/commit/2fc03cc11c775b7a8b2e48d7ee447cb9bef32ad0
github.com/opencontainers/runc/issues/2197
github.com/opencontainers/runc/pull/2190
github.com/opencontainers/runc/pull/2207
github.com/opencontainers/runc/releases
github.com/opencontainers/runc/security/advisories/GHSA-fh74-hm69-rqjw
lists.debian.org/debian-lts-announce/2023/03/msg00023.html
lists.fedoraproject.org/archives/list/[email protected]/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN
lists.fedoraproject.org/archives/list/[email protected]/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF
lists.fedoraproject.org/archives/list/[email protected]/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD
lists.fedoraproject.org/archives/list/[email protected]/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5
lists.fedoraproject.org/archives/list/[email protected]/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ
nvd.nist.gov/vuln/detail/CVE-2019-19921
pkg.go.dev/vuln/GO-2021-0087
security-tracker.debian.org/tracker/CVE-2019-19921
security.gentoo.org/glsa/202003-21
usn.ubuntu.com/4297-1
7 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
7 High
AI Score
Confidence
High
4.4 Medium
CVSS2
Access Vector
LOCAL
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:L/AC:M/Au:N/C:P/I:P/A:P
0.0005 Low
EPSS
Percentile
15.7%