Snyk has found 4 vulnerabilities in container virtualization systems, collectively named Leaky Vessels. The flaws allow an attacker to break out of an isolated container and gain access to data on the host operating system.
Containers are applications packaged into a single file together with all the dependencies, executables and code needed to run them. They run on platforms such as Docker and Kubernetes in a virtualized environment isolated from the host operating system. A container escape vulnerability occurs when an attacker or malicious application overcomes the isolation of that environment and gains unauthorized access to the host system or to other containers.
The discovered vulnerabilities affect the runc container runtime and the BuildKit image build toolkit, potentially allowing attackers to mount container escape attacks against a range of software products. Because runc and BuildKit are used by many popular container management platforms, including Docker and Kubernetes, the risk of attack increases significantly.
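The practical first step for a defender after reading the above is to find out which runc and BuildKit versions are actually deployed and compare them with the minimum patched versions from the vendor advisories. The script below is an added example, not code from the article or from the Snyk, runc or BuildKit projects. It parses output shaped like `runc --version` and `buildctl --version` (both real commands); the sample outputs embedded in it are constructed, and the minimum versions used in the demo run are placeholders that must be replaced with the fixed versions stated in the runc and BuildKit advisories.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Matches a version such as 1.2.3 or v0.12.4: a leading 'v' is tolerated and a
# pre-release suffix such as '-dev' or '-rc1' is ignored. The lookbehind keeps
# strings like 'go1.20.13' (a Go toolchain version) from being mistaken for the tool version.
_VERSION_RE = re.compile(r"(?<![\w.])v?(\d+)\.(\d+)\.(\d+)(?!\d)")

# Constructed sample outputs shaped like `runc --version` and `buildctl --version`.
# They were not captured from a real host.
SAMPLE_RUNC_OUTPUT = (
    "runc version 1.1.11\n"
    "commit: 0000000 (constructed sample)\n"
    "spec: 1.0.2-dev\n"
    "go: go1.20.13\n"
)
SAMPLE_BUILDCTL_OUTPUT = "buildctl github.com/moby/buildkit v0.12.4 (constructed sample)\n"


def parse_version(text: str) -> Optional[Version]:
    """Return the first X.Y.Z found in version output, or None if there is none."""
    m = _VERSION_RE.search(text)
    if m is None:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def check_tool(output: str, minimum_patched: str) -> str:
    """Classify version output as 'patched', 'vulnerable' or 'unknown'.

    `minimum_patched` is the lowest version the vendor advisory lists as fixed.
    Tuples compare lexicographically, which is exactly semver ordering for X.Y.Z.
    """
    found = parse_version(output)
    floor = parse_version(minimum_patched)
    if found is None or floor is None:
        return "unknown"
    return "patched" if found >= floor else "vulnerable"


def run_version_command(argv: List[str]) -> Optional[str]:
    """Run a version command on the local host; None if the binary is absent or hangs."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True, timeout=10, check=False)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return proc.stdout + proc.stderr


def inventory(minimums: Dict[str, str], live: bool = False) -> Dict[str, str]:
    """Check runc and buildctl against `minimums`, from the host (live=True) or from the samples."""
    outputs = {
        "runc": run_version_command(["runc", "--version"]) if live else SAMPLE_RUNC_OUTPUT,
        "buildctl": run_version_command(["buildctl", "--version"]) if live else SAMPLE_BUILDCTL_OUTPUT,
    }
    # A missing binary yields '' and therefore 'unknown', which is the honest answer.
    return {tool: check_tool(out or "", minimums[tool]) for tool, out in outputs.items()}


if __name__ == "__main__":
    # PLACEHOLDER minimums: the article does not state the fixed versions. Take them
    # from the runc and BuildKit advisories before running with live=True on a host.
    placeholder_minimums = {"runc": "9.9.9", "buildctl": "9.9.9"}
    for tool, status in inventory(placeholder_minimums).items():
        print(f"{tool}: {status}")
```

Two caveats worth knowing before trusting the result: the parser deliberately ignores pre-release suffixes, so a `-rc` build that already reports the fixed number would be classified as patched, and the check covers only the binaries on the host where it runs, not runtimes bundled inside orchestrator node images or CI build agents, which need the same inventory separately.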
Demonstration of Leaky Vessels being used to access data on the host
The Leaky Vessels vulnerabilities are:
- CVE-2024-21626 (CVSS: 8.6): a flaw in the order in which runc processes the WORKDIR command, allowing an attacker to escape the container's isolated environment and gain unauthorized access to the host operating system.
- CVE-2024-23651 (CVSS: 8.7): a race condition in BuildKit's handling of cache mounts, leading to unpredictable behaviour and potentially allowing an attacking process to gain unauthorized access.
- CVE-2024-23652 (CVSS: 10.0): a vulnerability allowing