CVE-2023-25809
Privilege Escalation vulnerability in runc (Go)
What is CVE-2023-25809 About?
This vulnerability in rootless runc allows containers to gain write access to user-owned cgroup hierarchies on the host system under specific conditions. It is a privilege escalation issue that can provide write access to `/sys/fs/cgroup`. Exploitation requires specific configurations of runc and user namespaces.
Affected Software
Technical Details
The vulnerability in rootless runc stems from incorrect permissions granted to `/sys/fs/cgroup` under two specific conditions. First, when runc is executed inside a user namespace and the `config.json` does not unshare the cgroup namespace (for example, `docker run --cgroupns=host` in a rootless setup), runc mounts `/sys/fs/cgroup` writable. Second, in a rare scenario where runc is executed outside a user namespace with `/sys` mounted `rbind, ro` (for example, the configuration produced by `runc spec --rootless`), the same writable access may occur. In both cases the container gains write access to its user-owned cgroup hierarchy (`/sys/fs/cgroup/user.slice/...`) on the host system, allowing it to modify cgroup settings there.
What is the Impact of CVE-2023-25809?
Successful exploitation may allow attackers to modify cgroup settings belonging to other users, potentially leading to resource exhaustion, denial of service for other processes, or further privilege escalation within the host system.
What is the Exploitability of CVE-2023-25809?
Exploitation generally requires an attacker to control a container started under one of the specific vulnerable runc configurations. The prerequisites are very specific: either a rootless container is run without cgroup namespace unsharing (`--cgroupns=host`), or, in a very rare scenario, runc is executed outside a user namespace with a specific `/sys` mount. The complexity is moderate, as it relies on specific environmental conditions and container configuration. Authenticated access to the container runtime (e.g., Docker, Podman) to launch containers with the problematic configuration is implicitly required. This is a local privilege escalation from within a container to the host's cgroup filesystem. The risk increases if default container configurations on a host match the vulnerable conditions.
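The two sections above describe the vulnerable condition in terms of the OCI `config.json` (a user namespace without a cgroup namespace unshare) and the fixed version (1.1.5). The following Go program is an added example, not code from the page or from the runc project: it audits a `config.json` for that condition and checks a runc version string against the fix. It assumes the advisory's "inside a user namespace" maps to a `user` entry in `linux.namespaces`, and it treats a namespace entry with a `path` as joining an existing namespace rather than unsharing a fresh one; the sample configs are constructed for the demonstration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strconv"
	"strings"
)

// ociNamespace is the subset of an OCI runtime-spec namespace entry the audit
// reads. An entry without "path" asks runc to unshare a new namespace; an
// entry with "path" joins an existing one instead.
type ociNamespace struct {
	Type string `json:"type"`
	Path string `json:"path,omitempty"`
}

// ociConfig is the subset of config.json the audit needs.
type ociConfig struct {
	Linux struct {
		Namespaces []ociNamespace `json:"namespaces"`
	} `json:"linux"`
}

// unshares reports whether cfg asks for a freshly created namespace of nsType.
func unshares(cfg *ociConfig, nsType string) bool {
	for _, ns := range cfg.Linux.Namespaces {
		if ns.Type == nsType && ns.Path == "" {
			return true
		}
	}
	return false
}

// AuditCgroupNS checks one config.json for the first condition in the advisory:
// the container is placed in a user namespace (the rootless case) but its
// cgroup namespace is not unshared, so /sys/fs/cgroup is the host's view.
// Using a "user" namespace entry as the rootless indicator is an assumption
// of this audit, not a statement from the advisory.
func AuditCgroupNS(configJSON []byte) (vulnerable bool, reason string, err error) {
	var cfg ociConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return false, "", fmt.Errorf("parse config.json: %w", err)
	}
	if !unshares(&cfg, "user") {
		return false, "no user namespace: not the rootless condition", nil
	}
	if unshares(&cfg, "cgroup") {
		return false, "user namespace with a private cgroup namespace: ok", nil
	}
	return true, "user namespace without cgroup namespace (cgroupns=host): /sys/fs/cgroup may be writable", nil
}

// RuncVersionFixed reports whether a runc version string is 1.1.5 or later.
// A leading "v" is accepted; a pre-release such as "1.1.5-rc1" is treated as
// older than 1.1.5.
func RuncVersionFixed(version string) (bool, error) {
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	base, pre, _ := strings.Cut(v, "-")
	parts := strings.Split(base, ".")
	if len(parts) != 3 {
		return false, fmt.Errorf("unexpected version %q", version)
	}
	fixed := [3]int{1, 1, 5}
	for i, p := range parts {
		n, err := strconv.Atoi(p)
		if err != nil {
			return false, fmt.Errorf("unexpected version %q: %w", version, err)
		}
		if n != fixed[i] {
			return n > fixed[i], nil
		}
	}
	// Base version is exactly 1.1.5: fixed unless it is a pre-release.
	return pre == "", nil
}

// Constructed sample configs, not taken from the page or from runc.
const vulnerableCfg = `{"linux":{"namespaces":[{"type":"pid"},{"type":"mount"},{"type":"user"}]}}`
const fixedCfg = `{"linux":{"namespaces":[{"type":"pid"},{"type":"mount"},{"type":"user"},{"type":"cgroup"}]}}`

func main() {
	for name, cfg := range map[string]string{"host-cgroupns": vulnerableCfg, "private-cgroupns": fixedCfg} {
		vuln, reason, err := AuditCgroupNS([]byte(cfg))
		if err != nil {
			fmt.Println(name, "error:", err)
			continue
		}
		fmt.Printf("%-17s vulnerable=%-5v %s\n", name, vuln, reason)
	}
	for _, ver := range []string{"1.1.4", "v1.1.5", "1.1.5-rc1", "1.2.0"} {
		ok, _ := RuncVersionFixed(ver)
		fmt.Printf("runc %-10s fixed=%v\n", ver, ok)
	}
}
```

Run it against a real bundle with `go run audit.go` after swapping the constructed strings for the bundle's `config.json`; the config audit only covers the first (user-namespace) condition, since the second condition depends on how `/sys` is mounted on the host rather than on the bundle alone.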
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-25809?
Available Upgrade Options
- github.com/opencontainers/runc
  - <1.1.5 → Upgrade to 1.1.5
Additional Resources
- https://github.com/opencontainers/runc/commit/0d62b950e60f6980b54fe3bafd9a9c608dc1df17
- https://nvd.nist.gov/vuln/detail/CVE-2023-25809
- https://github.com/opencontainers/runc/security/advisories/GHSA-m8cg-xc2p-r3fc
- https://github.com/opencontainers/runc
- https://osv.dev/vulnerability/GO-2023-1682
What are Similar Vulnerabilities to CVE-2023-25809?
Similar Vulnerabilities: CVE-2022-0492, CVE-2022-26960, CVE-2022-24765, CVE-2021-30465, CVE-2021-4197
