CVE-2021-43784
Bypass vulnerability in runc (Go)


What is CVE-2021-43784 About?

This vulnerability allows an attacker with partial control over the bind mount sources of a new container to bypass namespace restrictions. It effectively enables escape from container isolation. Exploitation requires specific control over container creation parameters.

Affected Software

  • github.com/opencontainers/runc
    • <1.0.3
    • >1.0.1-0.20211012131345-9c444070ec7b, <1.1.0

Technical Details

The vulnerability in question permits an attacker to bypass container namespace restrictions when they have partial control over the bind mount sources of a new container. Container mechanisms rely heavily on namespaces (PID, mount, network, etc.) to isolate processes from the host and other containers. If an attacker can manipulate the source path of a bind mount for a new container, they might be able to trick the container runtime into mounting a sensitive host path, or a path from a less restricted namespace, into the new container. This can be achieved even if the target container attempts to enforce strict isolation, effectively breaking out of the intended confinement and gaining access to resources that should be isolated. The 'partial control' aspect implies that the attacker may not have full arbitrary control but enough to subvert the intended mounting behavior.
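As an added example (not runc's own code, and not the fix the project shipped), here is a Go check that a container-provisioning layer could run on an OCI spec before handing it to the runtime: it rejects bind mounts whose sources are relative or lexically escape an allowlist of host roots, which is the point of leverage the paragraph above describes. The Mount type, RejectedBindSources and the allowed roots are assumptions made for this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Mount: the OCI runtime-spec mount fields this check needs (constructed for the example, not runc's type).
type Mount struct {
	Destination, Type, Source string
}

// underRoot: p is root or below it; the trailing "/" stops "/srv/application" matching "/srv/app".
func underRoot(p, root string) bool {
	root = filepath.Clean(root)
	return p == root || strings.HasPrefix(p, strings.TrimSuffix(root, "/")+"/")
}

// RejectedBindSources returns bind-mount sources that are relative or, after
// filepath.Clean collapses "..", fall outside every allowed root. Lexical only:
// symlinks are not followed, so also resolve sources on the host (EvalSymlinks)
// immediately before the spec reaches the runtime.
func RejectedBindSources(mounts []Mount, allowedRoots []string) []string {
	var rejected []string
	for _, m := range mounts {
		if m.Type != "bind" {
			continue // proc, tmpfs, sysfs etc. carry no host source path
		}
		clean := filepath.Clean(m.Source)
		allowed := false
		for _, root := range allowedRoots {
			if filepath.IsAbs(clean) && underRoot(clean, root) {
				allowed = true
				break
			}
		}
		if !allowed {
			rejected = append(rejected, m.Source)
		}
	}
	return rejected
}

func main() {
	// Constructed sample spec: one legitimate mount and two hostile sources.
	mounts := []Mount{{"/proc", "proc", "proc"}, {"/data", "bind", "/srv/app/data"},
		{"/s", "bind", "/srv/app/../../etc/shadow"}, {"/t", "bind", "/srv/application/x"}}
	fmt.Println(RejectedBindSources(mounts, []string{"/srv/app"}))
}
```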

What is the Impact of CVE-2021-43784?

Successful exploitation may allow an attacker to bypass container isolation and gain unauthorized access to the host system or to other containers, leading to significant privilege escalation.

What is the Exploitability of CVE-2021-43784?

Exploitation requires an attacker to have partial control over the bind mount sources when a new container is created. The complexity is high, as it demands a deep understanding of container runtime configurations and namespace mechanisms. Authentication might be required if the container creation process is protected, but the attack itself leverages a misconfiguration or flaw in the underlying container runtime. Privilege requirements would likely be elevated, as the attacker needs to interact with container provisioning. This is primarily a local vulnerability, or potentially remote if there's a remote API for container creation that can be influenced. Special conditions include specific configurations of container runtimes that allow for the manipulation of mount parameters. Risk factors include granting untrusted users or processes the ability to create or configure containers, even with seemingly limited options.

What are the Known Public Exploits?

No known public exploits (the PoC / Author / Link / Commentary table is empty).

What are the Available Fixes for CVE-2021-43784?

Available Upgrade Options

  • github.com/opencontainers/runc
    • <1.0.3 → Upgrade to 1.0.3
  • github.com/opencontainers/runc
    • >1.0.1-0.20211012131345-9c444070ec7b, <1.1.0 → Upgrade to 1.1.0


Additional Resources

What are Similar Vulnerabilities to CVE-2021-43784?

Similar Vulnerabilities: CVE-2022-0492, CVE-2021-4034, CVE-2021-2292, CVE-2021-27964, CVE-2020-14386