
CVE-2024-21626

Severity: Critical
Vendor: Linuxfoundation
SVRS: 85/100
CVSSv3: 8.6/10
EPSS: 0.04773/1

CVE-2024-21626 is a critical vulnerability in runc, a CLI tool for running containers on Linux. This container escape flaw allows attackers to gain access to the host filesystem from within a container. The SOCRadar Vulnerability Risk Score (SVRS) is 85, indicating immediate action is required due to its severity. The vulnerability stems from an internal file descriptor leak, potentially allowing attackers to overwrite host binaries and achieve complete system compromise. This flaw impacts versions 1.1.11 and earlier; upgrading to runc 1.1.12 or later is strongly advised. Given the availability of active exploits, the risk of exploitation is high. Successful exploitation could lead to significant data breaches and system compromise, making it a priority to patch.

In The Wild
Exploit Available
X_refsource_CONFIRM
X_refsource_MISC
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
2024-01-31

2025-02-13
SOCRadar AI Insight

Description:

CVE-2024-21626 is a critical vulnerability in runc, a CLI tool for spawning and running containers on Linux. This vulnerability allows an attacker to cause a newly-spawned container process to have a working directory in the host filesystem namespace, enabling a container escape and access to the host filesystem. The SVRS score of 34 indicates a moderate risk, but the CVSS score of 8.6 suggests that immediate action is necessary to address this vulnerability.

Key Insights:

  1. Container Escape: This vulnerability allows an attacker to escape the container and gain access to the host filesystem, potentially leading to privilege escalation and compromise of the entire system.

  2. Multiple Attack Vectors: The vulnerability can be exploited through various attack vectors, including malicious images, runc exec, and runc run, making it a versatile target for attackers.

  3. Host Binary Overwrite: Variants of the attack can be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes and further exploitation of the host system.

  4. Active Exploitation: There are active exploits published for this vulnerability, indicating that it is actively being targeted by attackers.

Mitigation Strategies:

  1. Update runc: The most effective mitigation strategy is to update runc to version 1.1.12 or later, which includes patches for this vulnerability.

  2. Restrict Container Privileges: Implement strict container security policies to limit the privileges and capabilities granted to containers, reducing the potential impact of a successful container escape.

  3. Monitor and Detect Suspicious Activity: Implement robust monitoring and detection mechanisms to identify and respond to suspicious activities within containers and the host system.

  4. Educate and Train Staff: Provide security awareness training to staff to educate them about the risks associated with container vulnerabilities and the importance of following best practices for container security.

Additional Information:

  • If users have additional queries regarding this incident, they can use the 'Ask to Analyst' feature, contact SOCRadar directly, or open a support ticket for more information if necessary.

Indicators of Compromise

No IOCs found for this CVE

Exploits

Title | Software Link | Date
V0WKeep3r/CVE-2024-21626-runcPOC | https://github.com/V0WKeep3r/CVE-2024-21626-runcPOC | 2024-02-05
cdxiaodong/CVE-2024-21626 | https://github.com/cdxiaodong/CVE-2024-21626 | 2024-02-02
KubernetesBachelor/CVE-2024-21626 | https://github.com/KubernetesBachelor/CVE-2024-21626 | 2024-04-03
Wall1e/CVE-2024-21626-POC | https://github.com/Wall1e/CVE-2024-21626-POC | 2024-02-01
jiayy/android_vuln_poc-exp | https://github.com/jiayy/android_vuln_poc-exp | 2016-09-07
nomi-sec/PoC-in-GitHub | https://github.com/nomi-sec/PoC-in-GitHub | 2019-12-08
zpxlz/CVE-2024-21626-POC | https://github.com/zpxlz/CVE-2024-21626-POC | 2024-02-01

News

Tenable Cloud Risk Report Sounds the Alarm on Toxic Cloud Exposures Threatening Global Organizations
Shannon O'Dowd, 2024-12-02
Tenable®, the exposure management company, today released its 2024 Tenable Cloud Risk Report, which examines the critical risks at play in modern cloud environments. Most alarmingly, nearly four in 10 organizations globally are leaving themselves exposed at the highest levels due to the “toxic cloud trilogy” of publicly exposed, critically vulnerable and highly privileged cloud workloads. Each of these misalignments alone introduces risk to
Source: tenable.com
Improvements to our SIEM for Q3 2024 | Kaspersky official blog
Alexander Marmalidi, 2024-11-02
Rules for detecting atypical behavior in container infrastructure at the data collection stage, and other updates to our SIEM system. Clearly, the sooner malicious actions come to the attention of security solutions and experts, the more effectively they’re able to minimize, or even prevent, damage. Therefore, while working on new detection rules for our SIEM system, the Kaspersky Unified Monitoring and Analysis Platform, we pay special attention to identifying attackers’ activity
Source: kaspersky.com
The most dangerous CVEs of 2023 and 2024: fix these today
Stan Kaminsky, 2024-05-29
The most commonly hacked applications and services in 2023 and Q1 2024. The number of software vulnerabilities discovered annually continues to grow, with total vulnerabilities discovered in a year fast approaching the 30,000 mark. But it’s important for cybersecurity teams to identify precisely which vulnerabilities attackers are actually exploiting. Changes in the list of criminals’ favorite vulnerabilities greatly influence which updates or countermeasures should be prioritized. That
cve-2023-38831
cve-2024-27198
cve-2024-21626
cve-2024-3094
Long Term Support Channel Update for ChromeOS
Giuliana Pritchard ([email protected]), 2024-05-13
LTS-120 is being updated in the LTS (Long Term Support) channel, version 120.0.6099.310 (Platform Version: 15662.107.0), for most ChromeOS devices.
cve-2024-0409
cve-2024-4331
cve-2024-4671
cve-2024-21626
Exploits and vulnerabilities in Q1 2024
Alexander Kolesnikov, Vitaly Morgunov, 2024-05-07
The report provides vulnerability and exploit statistics, key trends, and analysis of interesting vulnerabilities discovered in Q1 2024. We at Kaspersky continuously monitor the evolving cyberthreat landscape to ensure we respond promptly to emerging threats, equipping our products with detection logic and technology. Software vulnerabilities that threat actors can exploit or are already actively exploiting are a critical component of that
cve-2024-21626
cve-2023-40477
cve-2024-1708
cve-2024-20656
TLP WHITE Threat Intelligence Report – March 4, 2024
Krypt3ia, 2024-03-04
This report was created in tandem between Scot Terban and the ICEBREAKER INTEL ANALYST created and trained by Scot Terban. CAVEAT: Please take these reports and use them as a source to create your own CTI reporting in your format and in your manner of briefing your executives. The report below is the more technical [...]
cve-2024-21626
cve-2023-34048
cve-2024-21380
cve-2023-6548

Social Media

CVE-2024-21626 resides in runc, a critical tool responsible for spawning containers. Due to an internal file descriptor leak in versions up to and including 1.1.11, attackers can manipulate the working directory (process.cwd) of a newly spawned container process. Like an unlocke

Affected Software

Configuration 1
Type | Vendor | Product
App | Linuxfoundation | runc

Configuration 2
Type | Vendor | Product
OS | Fedoraproject | fedora

References

Reference | Link
[email protected] | https://github.com/opencontainers/runc/commit/02120488a4c0fc487d1ed2867e901eeed7ce8ecf
[email protected] | https://github.com/opencontainers/runc/releases/tag/v1.1.12
[email protected] | https://github.com/opencontainers/runc/security/advisories/GHSA-xr7r-f8xq-vfvv
[email protected] | http://www.openwall.com/lists/oss-security/2024/02/01/1
[email protected] | http://www.openwall.com/lists/oss-security/2024/02/02/3
[email protected] | http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html
[email protected] | https://lists.fedoraproject.org/archives/list/[email protected]/message/SYMO3BANINS6RGFQFKPRG4FIOJ7GWYTL/
[email protected] | https://lists.fedoraproject.org/archives/list/[email protected]/message/2NLXNE23Q5ESQUAI22Z7A63JX2WMPJ2J/
[email protected] | https://lists.debian.org/debian-lts-announce/2024/02/msg00005.html
GITHUB | http://packetstormsecurity.com/files/176993/runc-1.1.11-File-Descriptor-Leak-Privilege-Escalation.html

CWE Details

CWE ID | CWE Name | Description
CWE-668 | Exposure of Resource to Wrong Sphere | The product exposes a resource to the wrong control sphere, providing unintended actors with inappropriate access to the resource.
CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | A process does not close sensitive file descriptors before invoking a child process, which allows the child to perform unauthorized I/O operations using those descriptors.
