Container breakout using runc file descriptors
Goal
Detect exploitation of CVE-2024-21626 which abuses leaky file descriptors in runc.
Strategy
This exploit is accomplished by building or running a container image where the working directory is set to /proc/self/fd/<int>. In Docker this is specified using the WORKDIR field. In Kubernetes the field is workingDir. Successful exploitation results in read and write access to the host filesystem and potentially a complete container escape.
Triage and response
- Isolate the host to prevent further compromise.
- Use tags to determine the affected container and image.
- Use Docker or Kubernetes audit logs to determine how the exploit occurred. An adversary could have built or run a malicious container image in several ways, such as abusing external access to the Docker API or manipulating a base image.
- Review related signals to determine the impact of the compromise and develop a timeline.
- Redeploy the host with a runc version of 1.1.12 or later.
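As an added example (not part of the original rule and not Datadog's own detection code), the following Python checks the three places the Strategy and triage sections point at: WORKDIR instructions in a Dockerfile, workingDir fields in a Kubernetes pod manifest, and the requestObject of a Kubernetes audit log event for a pod create. The sample Dockerfile, pod manifest and audit event are constructed; the function names and the choice to treat any path beneath /proc/self/fd/<int> as the same indicator are assumptions.

```python
import re

# Working directory that points into the container's own open file
# descriptors. Matches the bare /proc/self/fd/<int> form and, as an
# assumption, any path beneath it, so a trailing subpath does not evade the check.
PROC_SELF_FD_RE = re.compile(r"^/proc/self/fd/\d+(?:/|$)")


def is_suspicious_workdir(path):
    """Return True if a working directory value matches /proc/self/fd/<int>."""
    if not isinstance(path, str):
        return False
    return bool(PROC_SELF_FD_RE.match(path.strip()))


def scan_dockerfile(text):
    """Return 1-based line numbers of WORKDIR instructions whose argument is suspicious."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[0].upper() == "WORKDIR":
            if is_suspicious_workdir(parts[1].strip().strip('"\'')):
                hits.append(lineno)
    return hits


def scan_pod_spec(pod):
    """Return (container name, workingDir) pairs from a pod manifest dict
    whose workingDir is suspicious. Regular, init and ephemeral containers
    are all inspected."""
    if not isinstance(pod, dict):
        # e.g. a JSON-patch body, which is a list, carries no pod spec
        return []
    spec = pod.get("spec", {}) or {}
    hits = []
    for field in ("initContainers", "containers", "ephemeralContainers"):
        for container in spec.get(field, []) or []:
            wd = container.get("workingDir")
            if is_suspicious_workdir(wd):
                hits.append((container.get("name", "<unnamed>"), wd))
    return hits


def scan_audit_event(event):
    """Check a Kubernetes audit log event (RequestResponse level) for a pod
    create/update whose requestObject carries a suspicious workingDir."""
    ref = event.get("objectRef", {}) or {}
    if ref.get("resource") != "pods" or event.get("verb") not in ("create", "update", "patch"):
        return []
    return scan_pod_spec(event.get("requestObject"))


# --- constructed sample inputs (not real build or cluster data) ---
SAMPLE_DOCKERFILE = """\
FROM alpine:3.19
WORKDIR /app
COPY . .
WORKDIR /proc/self/fd/7
CMD ["sh"]
"""

SAMPLE_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "example", "namespace": "default"},
    "spec": {
        "containers": [
            {"name": "web", "image": "nginx", "workingDir": "/usr/share/nginx/html"},
            {"name": "suspect", "image": "alpine", "workingDir": "/proc/self/fd/7"},
        ]
    },
}

SAMPLE_AUDIT_EVENT = {
    "kind": "Event",
    "apiVersion": "audit.k8s.io/v1",
    "level": "RequestResponse",
    "verb": "create",
    "user": {"username": "system:serviceaccount:ci:builder"},
    "objectRef": {"resource": "pods", "namespace": "default", "name": "example"},
    "requestObject": SAMPLE_POD,
}

if __name__ == "__main__":
    print("Dockerfile hits (line numbers):", scan_dockerfile(SAMPLE_DOCKERFILE))
    print("Pod manifest hits:", scan_pod_spec(SAMPLE_POD))
    print("Audit event hits:", scan_audit_event(SAMPLE_AUDIT_EVENT))
```

The audit event check is what the triage step on audit logs boils down to: the user field of a flagged event identifies who submitted the pod, and the objectRef gives the namespace and name to correlate with the affected container and image.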
Requires Agent version 7.55 or later.