Container breakout using runc file descriptors

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1611-escape-to-host

이 페이지는 아직 영어로 제공되지 않습니다. 번역 작업 중입니다.
현재 번역 프로젝트에 대한 질문이나 피드백이 있으신 경우 언제든지 연락주시기 바랍니다.

Goal

Detect exploitation of CVE-2024-21626 which abuses leaky file descriptors in runc.

Strategy

This exploit is accomplished by building or running a container image where the working directory is set to /proc/self/fd/<int>. In Docker this is specified using the WORKDIR field. In Kubernetes the field is workingDir. Successful exploitation results in read and write access to the host filesystem and potentially a complete container escape.

Triage and response

  1. Isolate the host to prevent further compromise.
  2. Use tags to determine the affected container and image.
  3. Use Docker or Kubernetes audit logs to determine how the exploit occurred. An adversary could have built or run a malicious container image in several ways, such as abusing external access to the Docker API or manipulating a base image.
  4. Review related signals to determine the impact of the compromise and develop a timeline.
  5. Redeploy the host with a runc version of 1.1.12 or later.

Requires Agent version 7.55 or later.

PREVIEWING: drodriguezhdez/add_public_docs_log_summarization