github-actions[bot]
commented
3 months ago 🦙 MegaLinter status: ❌ ERROR
| Descriptor | Linter | Files | Fixed | Errors | Elapsed time |
|---|---|---|---|---|---|
| ❌ ACTION | actionlint | 11 | 10 | 0.08s | |
| ❌ API | spectral | 2 | 1 | 10.92s | |
| ⚠️ BASH | bash-exec | 107 | 65 | 0.45s | |
| ❌ BASH | shellcheck | 107 | 814 | 5.95s | |
| ✅ BASH | shfmt | 107 | 96 | 0 | 0.98s |
| ❌ COPYPASTE | jscpd | yes | 4159 | 358.16s | |
| ❌ CSS | stylelint | 2 | 1 | 1 | 2.77s |
| ❌ DOCKERFILE | hadolint | 26 | 1 | 0.58s | |
| ❌ HTML | djlint | 2 | 10 | 0.7s | |
| ❌ HTML | htmlhint | 2 | 2 | 0.23s | |
| ✅ JSON | jsonlint | 6 | 0 | 0.17s | |
| ✅ JSON | prettier | 6 | 4 | 0 | 1.92s |
| ✅ JSON | v8r | 6 | 0 | 3.47s | |
| ⚠️ MARKDOWN | markdownlint | 638 | 446 | 3549 | 30.93s |
| ❌ MARKDOWN | markdown-link-check | 638 | 267 | 460.59s | |
| ✅ MARKDOWN | markdown-table-formatter | 638 | 480 | 0 | 3.19s |
| ❌ OPENAPI | spectral | 2 | 1 | 7.26s | |
| ✅ PROTOBUF | protolint | 10 | 10 | 0 | 12.03s |
| ❌ REPOSITORY | checkov | yes | 58 | 129.31s | |
| ❌ REPOSITORY | gitleaks | yes | 26 | 43.05s | |
| ❌ REPOSITORY | git_diff | yes | 1 | 1.03s | |
| ❌ REPOSITORY | grype | yes | 1 | 51.79s | |
| ❌ REPOSITORY | secretlint | yes | 1 | 415.08s | |
| ❌ REPOSITORY | trivy | yes | 1 | 16.0s | |
| ✅ REPOSITORY | trivy-sbom | yes | no | 1.58s | |
| ✅ REPOSITORY | trufflehog | yes | no | 18.9s | |
| ❌ SPELL | cspell | 8368 | 266290 | 7375.64s | |
| ❌ SPELL | lychee | 818 | 2243 | 57.2s | |
| ✅ XML | xmllint | 1 | 0 | 0 | 0.85s |
| ✅ YAML | prettier | 138 | 91 | 0 | 8.39s |
| ❌ YAML | v8r | 138 | 1 | 338.19s | |
| ❌ YAML | yamllint | 138 | 1 | 5.86s |
See detailed report in MegaLinter reports
_MegaLinter is graciously provided by 
_
This PR contains the following updates:
v1.1.9->v1.1.12GitHub Vulnerability Alerts
CVE-2024-21626
Impact
In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from
runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem throughrunc run("attack 1"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b").Strictly speaking, while attack 3a is the most severe from a CVSS perspective, attacks 2 and 3b are arguably more dangerous in practice because they allow for a breakout from inside a container as opposed to requiring a user execute a malicious image. The reason attacks 1 and 3a are scored higher is because being able to socially engineer users is treated as a given for UI:R vectors, despite attacks 2 and 3b requiring far more minimal user interaction (just reasonable
runc execoperations on a container the attacker has access to). In any case, all four attacks can lead to full control of the host system.Attack 1:
process.cwd"mis-configuration"In runc 1.1.11 and earlier, several file descriptors were inadvertently leaked internally within runc into
runc init, including a handle to the host's/sys/fs/cgroup(this leak was added in v1.0.0-rc93). If the container was configured to haveprocess.cwdset to/proc/self/fd/7/(the actual fd can change depending on file opening order inrunc), the resulting pid1 process will have a working directory in the host mount namespace and thus the spawned process can access the entire host filesystem. This alone is not an exploit against runc, however a malicious image could make any innocuous-looking non-/path a symlink to/proc/self/fd/7/and thus trick a user into starting a container whose binary has access to the host filesystem.Furthermore, prior to runc 1.1.12, runc also did not verify that the final working directory was inside the container's mount namespace after calling
chdir(2)(as we have already joined the container namespace, it was incorrectly assumed there would be no way to chdir outside the container afterpivot_root(2)).The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N (8.2, high severity).
Note that this attack requires a privileged user to be tricked into running a malicious container image. It should be noted that when using higher-level runtimes (such as Docker or Kubernetes), this exploit can be considered critical as it can be done remotely by anyone with the rights to start a container image (and can be exploited from within Dockerfiles using
ONBUILDin the case of Docker).Attack 2:
runc execcontainer breakout(This is a modification of attack 1, constructed to allow for a process inside a container to break out.)
The same fd leak and lack of verification of the working directory in attack 1 also apply to
runc exec. If a malicious process inside the container knows that some administrative process will callrunc execwith the--cwdargument and a given path, in most cases they can replace that path with a symlink to/proc/self/fd/7/. Once the container process has executed the container binary,PR_SET_DUMPABLEprotections no longer apply and the attacker can open/proc/$exec_pid/cwdto get access to the host filesystem.runc execdefaults to a cwd of/(which cannot be replaced with a symlink), so this attack depends on the attacker getting a user (or some administrative process) to use--cwdand figuring out what path the target working directory is. Note that if the target working directory is a parent of the program binary being executed, the attacker might be unable to replace the path with a symlink (theexecvewill fail in most cases, unless the host filesystem layout specifically matches the container layout in specific ways and the attacker knows which binary therunc execis executing).The CVSS score for this attack is CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N (7.2, high severity).
Attacks 3a and 3b:
process.argshost binary overwrite attack(These are modifications of attacks 1 and 2, constructed to overwrite a host binary by using
execveto bring a magic-link reference into the container.)Attacks 1 and 2 can be adapted to overwrite a host binary by using a path like
/proc/self/fd/7/../../../bin/bashas theprocess.argsbinary argument, causing a host binary to be executed by a container process. The/proc/$pid/exehandle can then be used to overwrite the host binary, as seen in CVE-2019-5736 (note that the same#!trick can be used to avoid detection as an attacker). As the overwritten binary could be something like/bin/bash, as soon as a privileged user executes the target binary on the host, the attacker can pivot to gain full access to the host.For the purposes of CVSS scoring:
/proc/self/fd/7/../../../bin/bashand run a shell script that overwrites/proc/self/exe, overwriting the host copy of/bin/bash. The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H (8.6, high severity).runc exectarget binaries inside the container (such as/bin/bash) such that a host target binary is executed and then the container process opens/proc/$pid/exeto get access to the host binary and overwrite it. The CVSS score for this attack is CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H (8.2, high severity).As mentioned in attack 1, while 3b is scored lower it is more dangerous in practice as it doesn't require a user to run a malicious image.
Patches
runc 1.1.12 has been released, and includes patches for this issue. Note that there are four separate fixes applied:
os.GetwdreturnsENOENT(Linux provides a way of detecting if cwd is outside the current namespace root). This explicitly blocks runc from executing a container process when inside a non-container path and thus eliminates attacks 1 and 2 even in the case of fd leaks.runc init, right beforeexecve. This ensures that internal file descriptors cannot be used as an argument toexecveand thus eliminates attacks 3a and 3b, even in the case of fd leaks. This requires hooking into some Go runtime internals to make sure we don't close critical Go internal file descriptors./sys/fs/cgroupasO_CLOEXECand backport a fix for some*os.Fileleaks).runc initfile descriptor leaks, mark all non-stdio files asO_CLOEXECbefore executingrunc init.Other Runtimes
We have discovered that several other container runtimes are either potentially vulnerable to similar attacks, or do not have sufficient protection against attacks of this nature. We recommend other container runtime authors look at our patches and make sure they at least add a
getcwd() != ENOENTcheck as well as consider whetherclose_range(3, UINT_MAX, CLOSE_RANGE_CLOEXEC)before executing their equivalent ofrunc initis appropriate.runc init-equivalent process (so this attack is not exploitable as far as we can tell), but no care is taken to make sure all non-stdio files areO_CLOEXECand there is no check afterchdir(2)to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed tocrunare not closed until the container process is executed, meaning that easily-overlooked programming errors by users ofcruncan lead to these attacks becoming exploitable.runc init-equivalent process (so this attack is not exploitable as far as we can tell) however this appears to be pure luck.youkidoes leak a directory file descriptor from the host mount namespace, but it just so happens that the directory is the rootfs of the container (which then getspivot_root'd into and so ends up as a in-root path thanks tochroot_fs_refs). In addition, no care is taken to make sure all non-stdio files areO_CLOEXECand there is no check afterchdir(2)to ensure the working directory is inside the container. If a file descriptor happened to be leaked in the future, this could be exploitable. In addition, any file descriptors passed toyoukiare not closed until the container process is executed, meaning that easily-overlooked programming errors by users ofyoukican lead to these attacks becoming exploitable.lxc-attach. However, they don't seem to have any proactive protection against file descriptor leaks at the point ofchdirsuch as usingclose_range(...)(they do have RAII-like__do_fcloseclosers but those don't necessarily stop all leaks in this context) nor do they have any check afterchdir(2)to ensure the working directory is inside the container. Unfortunately it seems they cannot useCLOSE_RANGE_CLOEXECbecause they don't need to re-exec themselves.Workarounds
For attacks 1 and 2, only permit containers (and
runc exec) to use aprocess.cwdof/. It is not possible for/to be replaced with a symlink (the path is resolved from within the container's mount namespace, and you cannot change the root of a mount namespace or an fs root to a symlink).For attacks 1 and 3a, only permit users to run trusted images.
For attack 3b, there is no practical workaround other than never using
runc execbecause any binary you try to execute withrunc execcould end up being a malicious binary target.See Also
Credits
Thanks to Rory McNamara from Snyk for discovering and disclosing the original vulnerability (attack 1) to Docker, @lifubang from acmcoder for discovering how to adapt the attack to overwrite host binaries (attack 3a), and Aleksa Sarai from SUSE for discovering how to adapt the attacks to work as container breakouts using
runc exec(attacks 2 and 3b).Release Notes
opencontainers/runc (github.com/opencontainers/runc)
### [`v1.1.12`](https://togithub.com/opencontainers/runc/releases/tag/v1.1.12): runc 1.1.12 -- "Now you're thinking with Portals™!" [Compare Source](https://togithub.com/opencontainers/runc/compare/v1.1.11...v1.1.12) This is the twelfth patch release in the 1.1.z release branch of runc. It fixes a high-severity container breakout vulnerability involving leaked file descriptors, and users are strongly encouraged to update as soon as possible. - Fix [CVE-2024-21626][cve-2024-21626], a container breakout attack that took advantage of a file descriptor that was leaked internally within runc (but never leaked to the container process). In addition to fixing the leak, several strict hardening measures were added to ensure that future internal leaks could not be used to break out in this manner again. Based on our research, while no other container runtime had a similar leak, none had any of the hardening steps we've introduced (and some runtimes would not check for any file descriptors that a calling process may have leaked to them, allowing for container breakouts due to basic user error). ##### Static Linking Notices The `runc` binary distributed with this release are *statically linked* with the following [GNU LGPL-2.1][lgpl-2.1] licensed libraries, with `runc` acting as a "work that uses the Library": [lgpl-2.1]: https://www.gnu.org/licenses/old-licenses/lgpl-2.1.en.html - [libseccomp](https://togithub.com/seccomp/libseccomp) The versions of these libraries were not modified from their upstream versions, but in order to comply with the LGPL-2.1 (§6(a)), we have attached the complete source code for those libraries which (when combined with the attached runc source code) may be used to exercise your rights under the LGPL-2.1. However we strongly suggest that you make use of your distribution's packages or download them from the authoritative upstream sources, especially since these libraries are related to the security of your containers.Thanks to all of the contributors who made this release possible: - Aleksa Sarai
Thanks to all of the contributors who made this release possible: - Aleksa Sarai
Thanks to all of the contributors who made this release possible: - Akihiro Suda
Configuration
📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Never, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about these updates again.
This PR has been generated by Mend Renovate. View repository job log here.