‘Leaky Vessels’ Cloud Bugs Allow Container Escapes Globally

January 31, 2024 at 05:27PM

Researchers at Snyk disclosed four vulnerabilities in container engine components, collectively dubbed “Leaky Vessels”: one in runC and three in BuildKit, Docker's default image builder. The most urgent, CVE-2024-21626 in runC, allows a container escape that can compromise the underlying host. Snyk advises updating affected components promptly. Container vulnerabilities are an increasing concern, and several high-profile cases suggest that container security still receives inadequate attention.

Key Takeaways:

1. Four vulnerabilities in container engine components have been uncovered; three of them let an attacker break out of a container and take malicious action on the underlying host system.

2. The most urgent vulnerability, CVE-2024-21626, affects runC, the lightweight container runtime underneath Docker and other container platforms. It carries a CVSS severity score of 8.6 out of 10.

3. The other three vulnerabilities affect BuildKit, Docker's default image-building toolkit: one is a race condition, one weakens the security model of BuildKit's remote procedure call (gRPC) interface, and one allows arbitrary deletion of files on the host.

4. Organizations should check with the vendors of their container runtime environments for updates and upgrade to fixed versions as soon as they are available. Because runC ships inside Docker Engine, containerd and operating-system packages, the fix can arrive through more than one channel, and each channel needs checking.

5. Container vulnerabilities are a growing problem for enterprises: a high proportion of container images running in production carry known vulnerabilities. This trend has shifted perceptions of container security, with some survey respondents saying that containerization has made their application environment less secure.

6. The vulnerabilities are simple to exploit, typically needing a Dockerfile of fewer than 30 lines, but the access required is substantial. An attacker must be able to run an arbitrary container on the target, build an arbitrary container on the target, or compromise an upstream image (or get the victim system to pull an image the attacker controls).
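Takeaway 4 is the actionable one, so here is a POSIX shell script, added as an example for this summary and not taken from the article, from Snyk, or from the runC, BuildKit or Docker projects, that gates a host on the fixed releases. The fixed version numbers it carries (runc 1.1.12, BuildKit 0.12.5, Docker Engine 25.0.2) are the upstream releases named in the vendor advisories; treat them as values to confirm against your own vendor's notices. The script assumes the usual output shapes of `runc --version` and `buildctl --version` and uses `docker version --format '{{.Server.Version}}'` for the engine; the runc output used by `--demo` is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the article or from the runC/BuildKit/Docker projects:
# gate a host on the "Leaky Vessels" fixed releases. Fixed versions are the
# upstream releases named in the vendor advisories (confirm them yourself).
# Distributions often backport fixes under older version numbers; for distro
# packages, check the package changelog for the CVE instead of trusting this.

RUNC_FIXED="1.1.12"          # CVE-2024-21626 (runC container escape)
BUILDKIT_FIXED="0.12.5"      # the three BuildKit issues
DOCKER_ENGINE_FIXED="25.0.2" # Docker Engine release bundling both fixes

# Strip a leading 'v' and any pre-release or packaging suffix:
# "v1.1.12-0ubuntu1" -> "1.1.12".
normalize_version() {
  printf '%s\n' "$1" | sed 's/^v//; s/[-+].*$//'
}

# Pre-release tags sort below the release they precede.
is_prerelease() {
  case "$1" in *-rc*|*-alpha*|*-beta*) return 0 ;; esac
  return 1
}

# version_cmp A B: print 1, 0 or -1 comparing numeric dotted components;
# missing components count as 0, so "25" < "25.0.2" and "25.0.10" > "25.0.9".
version_cmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, A, "."); nb = split(b, B, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x != y) { r = (x > y) ? 1 : -1; print r; exit }
    }
    print 0
  }'
}

# version_ge A B: succeed if A is at least B.
version_ge() {
  c=$(version_cmp "$(normalize_version "$1")" "$(normalize_version "$2")")
  [ "$c" -gt 0 ] && return 0
  [ "$c" -lt 0 ] && return 1
  # Numerically equal: a release candidate of A is still older than release B.
  if is_prerelease "$1" && ! is_prerelease "$2"; then return 1; fi
  return 0
}

# Version field of `runc --version` output ("runc version 1.1.11 ...").
parse_runc_version() {
  printf '%s\n' "$1" | awk '/^runc version/ { print $3; exit }'
}

# Version field of `buildctl --version` output
# ("buildctl github.com/moby/buildkit v0.12.4 <commit>").
parse_buildkit_version() {
  printf '%s\n' "$1" | awk '/moby\/buildkit/ { print $3; exit }'
}

# check_component NAME INSTALLED FIXED: print one verdict line.
# Returns 0 when fixed, 1 when vulnerable, 2 when the version is unknown
# (fail closed: an undetermined version does not pass the gate).
check_component() {
  name=$1; installed=$2; fixed=$3
  if [ -z "$installed" ]; then
    printf 'UNKNOWN    %-14s version not determined (fixed in %s)\n' "$name" "$fixed"
    return 2
  fi
  if version_ge "$installed" "$fixed"; then
    printf 'OK         %-14s %s (fixed in %s)\n' "$name" "$installed" "$fixed"
    return 0
  fi
  printf 'VULNERABLE %-14s %s (fixed in %s)\n' "$name" "$installed" "$fixed"
  return 1
}

# Query whatever is installed on this host; absent tools are reported and skipped.
check_host() {
  status=0
  if command -v runc >/dev/null 2>&1; then
    check_component runc "$(parse_runc_version "$(runc --version 2>/dev/null)")" "$RUNC_FIXED" || status=1
  else
    echo "runc: not found, skipped"
  fi
  if command -v buildctl >/dev/null 2>&1; then
    check_component buildkit "$(parse_buildkit_version "$(buildctl --version 2>/dev/null)")" "$BUILDKIT_FIXED" || status=1
  else
    echo "buildctl: not found, skipped (BuildKit version not checked)"
  fi
  if command -v docker >/dev/null 2>&1; then
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || ver=""
    check_component docker-engine "$ver" "$DOCKER_ENGINE_FIXED" || status=1
  else
    echo "docker: not found, skipped"
  fi
  return $status
}

# Constructed sample of `runc --version` output (not captured from a real host),
# used by --demo to show the verdict format without runc installed.
SAMPLE_RUNC_OUTPUT="runc version 1.1.11
spec: 1.0.2-dev"

case "${1:-}" in
  --live) check_host ;;
  --demo) check_component runc "$(parse_runc_version "$SAMPLE_RUNC_OUTPUT")" "$RUNC_FIXED" ;;
  *)      echo "usage: $0 --live | --demo" >&2 ;;
esac
```

Run it as `sh leaky_vessels_check.sh --live` on each node; a nonzero exit means at least one component failed the gate, which makes it usable as a CI or fleet check. Two caveats follow from takeaway 4: a node that carries runC only through containerd (a Kubernetes worker without Docker) is not covered by `runc --version` if the binary is not on the PATH, so point the check at the path your runtime actually uses; and distribution packages that backport the fix under an older version string will show as VULNERABLE here, so confirm those through the package changelog rather than the upstream number.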

Overall, the “Leaky Vessels” vulnerabilities pose a significant risk to organizations running containers and warrant prompt patching to shrink the window in which malicious actors can exploit them.
