CVE-2023-25809: Vulnerability in runc allows unintended write access to user-owned cgroup hierarchy

A recently discovered vulnerability (CVE-2023-25809) in runc, a popular CLI tool for spawning and running containers following the OCI (Open Container Initiative) specification, may allow a container to gain unintended write access to the user-owned cgroup hierarchy on the host. This vulnerability affects runc versions prior to 1.1.5, and it was found under specific conditions related to the handling of the /sys/fs/cgroup path.

Affected Versions

Runc versions prior to 1.1.5 are affected by this vulnerability.

Vulnerability Details

This vulnerability affects rootless runc and allows write access to the /sys/fs/cgroup path of user-owned cgroup hierarchy on the host in the following two conditions:

1. When runc is executed inside the user namespace while the config.json does not specify the cgroup namespace to be unshared (e.g., (docker|podman|nerdctl) run --cgroupns=host, with Rootless Docker/Podman/nerdctl)

2. When runc is executed outside the user namespace, and /sys is mounted with rbind, ro (e.g., runc spec --rootless; this condition is quite rare)

Please note that this vulnerability does not affect other users' cgroup hierarchies.

Possible Exploits

An unauthorized user who gets access to the container running in the vulnerable environment could modify or manipulate the user-owned cgroup hierarchy, creating potential security issues and allowing for further exploitation of the host system.

Mitigation

Users are strongly advised to upgrade their runc version to 1.1.5, which contains necessary fixes to address this vulnerability.

For users who are unable to upgrade, consider using one of the following methods as a temporary workaround:

1. Unshare the cgroup namespace by running the following command: (docker|podman|nerdctl) run --cgroupns=private. Please note that this is the default behavior of Docker/Podman/nerdctl on cgroup v2 hosts.

2. Add /sys/fs/cgroup to the maskedPaths in the config.json file.

Original References

1. Runc GitHub Repository: https://github.com/opencontainers/runc
2. Runc Release 1.1.5: https://github.com/opencontainers/runc/releases/tag/v1.1.5
3. Open Container Initiative: https://www.opencontainers.org/

Before mitigation (config.json)

{
  "ociVersion": "1..2",
  "linux": {
    "maskedPaths": [
      "/proc/kcore"
    ]
  }
}

After mitigation (config.json)

{
  "ociVersion": "1..2",
  "linux": {
    "maskedPaths": [
      "/proc/kcore",
      "/sys/fs/cgroup"
    ]
  }
}

Conclusion

The vulnerability CVE-2023-25809 in rootless runc, when handled appropriately, gets mitigated effectively. It's important to upgrade runc to the latest version (1.1.5) or apply the suggested workarounds to prevent attackers from exploiting this vulnerability and causing potential security issues. Always ensure that your container runtime environments and dependencies are up-to-date and follow best security practices to maintain a secure infrastructure.

Timeline

Published on: 03/29/2023 19:15:00 UTC
Last modified on: 04/06/2023 17:41:00 UTC