Advisory

'Leaky Vessels' flaws in multiple container engines expose host OS access

Take action: If you run Docker on any of your machines, or a self-managed Kubernetes cluster, update it. A malicious Docker image exploiting these flaws will appear soon enough, and updating Docker, at least, is easy.


Learn More

Security researchers have identified a collection of vulnerabilities in Docker's ecosystem that significantly affect container security across various implementations. Collectively named "Leaky Vessels", they consist of four distinct flaws that could allow an attacker to escape a Docker container and execute unauthorized actions on the host system.

The most critical issues are:

  • CVE-2024-23653 (CVSS score 9.8), which affects the security model of BuildKit's remote procedure call protocol. It is possible to use these APIs to ask BuildKit to run a container with elevated privileges. Normally, running such containers is only allowed if the special `security.insecure` entitlement is both enabled in the buildkitd configuration and allowed by the user initiating the build request. The issue has been fixed in v0.12.5. Avoid using BuildKit frontends from untrusted sources.
  • CVE-2024-21626 (CVSS score 8.6), present in all versions of `runc` up to and including 1.1.11. `runc` is a command-line tool for spawning and running containers and is pivotal to Docker and other container technologies, including Kubernetes. The vulnerability stems from certain file descriptors being inadvertently leaked within `runc`, which could be exploited to escape the container and gain access to the host filesystem. This could lead to unauthorized access to sensitive data, system compromise, and further attacks from the compromised system.

The other two vulnerabilities affect BuildKit, Docker's default container image building toolkit: CVE-2024-23651, a race condition, and CVE-2024-23652, a file deletion flaw. These could lead to unauthorized access to the host file system, compromise the integrity of the build cache, and, in combination with CVE-2024-21626, potentially result in a full container escape.

Docker has released patched versions of `runc`, BuildKit, and Moby to address these vulnerabilities. Users are strongly advised to update to these versions to mitigate the risks posed by these flaws:

  • `runc` should be updated to version 1.1.12 or later.
  • BuildKit should be updated to version 0.12.5 or later.
  • Moby (Docker Engine) should be updated to version 25.0.2 or later for the 25.x series and version 24.0.9 or later for the 24.x series.
  • Docker Desktop should be updated to version 4.27.1 or later.
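An added check, not part of the advisory or any vendor's tooling, that compares a host's installed runc and Docker Engine versions against the fixed releases listed above. It assumes `runc --version` prints `runc version X.Y.Z` on its first line and `docker version --format '{{.Server.Version}}'` prints the engine version; the BuildKit comparison is provided as a plain function for standalone buildkitd installs.

```shell
# Added example (not the advisory's or any vendor's code): check installed
# runc and Docker Engine versions against the patched releases listed above.
# A leading "v" and any "-suffix" ("-0-g51d5e94", "-rc1") are ignored, so a
# pre-release of the fixed version is counted as fixed.

# ver_ge A B -> status 0 when dotted version A >= B
ver_ge() {
    a=${1#v}; a=${a%%[-+]*}; b=${2#v}; b=${b%%[-+]*}
    oldifs=$IFS; IFS=.
    set -- $a; a1=${1:-0}; a2=${2:-0}; a3=${3:-0}
    set -- $b; b1=${1:-0}; b2=${2:-0}; b3=${3:-0}
    IFS=$oldifs
    [ "$a1" -gt "$b1" ] && return 0
    [ "$a1" -lt "$b1" ] && return 1
    [ "$a2" -gt "$b2" ] && return 0
    [ "$a2" -lt "$b2" ] && return 1
    [ "$a3" -ge "$b3" ]
}

# Fixed versions from the advisory; status 0 means patched.
runc_patched()     { ver_ge "$1" 1.1.12; }
buildkit_patched() { ver_ge "$1" 0.12.5; }
engine_patched() {
    case "${1#v}" in
        25.*) ver_ge "$1" 25.0.2 ;;
        24.*) ver_ge "$1" 24.0.9 ;;
        *)    return 1 ;;  # no patched release of other series is listed
    esac
}

# report NAME VERSION STATUS(0=patched); sets rc=1 on an unpatched finding
report() {
    [ "$3" -eq 0 ] && echo "$1 $2: patched" || { echo "$1 $2: NOT PATCHED, update it"; rc=1; }
}

# Probe this host. Assumes "runc --version" prints "runc version 1.1.12" on
# its first line; an absent runc or a stopped Docker daemon is skipped.
check_host() {
    rc=0
    if command -v runc >/dev/null 2>&1; then
        v=$(runc --version | awk '/^runc version/ {print $3}')
        ok=0; runc_patched "$v" || ok=1; report runc "$v" $ok
    fi
    if v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) && [ -n "$v" ]; then
        ok=0; engine_patched "$v" || ok=1; report "Docker Engine" "$v" $ok
    fi
    return $rc
}
if [ "${1:-}" = check ]; then check_host; fi  # run as: sh leaky_vessels_check.sh check
```

The script exits non-zero when any probed component is below the fixed version, so it can gate a fleet-wide inventory run.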

To mitigate the risk of exploitation, Docker recommends using trusted Docker images, not building Docker images from untrusted sources or Dockerfiles, and enabling Hardened Docker Desktop features where applicable.
