RunC Container Escape: What Docker and Kubernetes Users Need to Know
6 days ago
- #runC
- #container-security
- #vulnerability
- Three high-severity vulnerabilities were disclosed in runC, affecting Docker, containerd, Kubernetes, and other container platforms.
- runC enforces container isolation, so a vulnerability in it undermines the boundary between container and host and is a serious security concern.
- The three issues involve maskedPath handling, a /dev/console bind-mount race, and /proc write gadgets; each can lead to container escape.
- Exploiting them requires the ability to start containers with custom mount or runtime configurations, or to supply malicious Dockerfiles.
- All versions before the fixed releases are affected; the fixes ship in 1.2.8, 1.3.3, 1.4.0-rc.3, and later.
- Running containers in user namespaces mitigates some of the risk by mapping container root to an unprivileged user on the host.
- Minimus images are recommended for staying ahead of container-runtime vulnerabilities.
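A quick way to confirm that the user-namespace mitigation above is actually in effect for a running container is to read its uid mapping. The script below is an added example, not part of the original post or of runC; the sample mappings are constructed, and the only file it reads is /proc/self/uid_map.

```shell
#!/bin/sh
# Added example: report whether the current process has container root (uid 0)
# remapped to an unprivileged host uid, i.e. whether a user namespace is active.
# Each /proc/self/uid_map line is "inside_start outside_start count".
# Docker enables this via the daemon's userns-remap setting; Kubernetes via the
# pod spec field hostUsers: false (both real settings, not described on this page).

# uidmap_status MAP_TEXT -> prints "remapped", "not-remapped" or "unmapped"
#   remapped      : inside uid 0 maps to a non-zero host uid (mitigation active)
#   not-remapped  : inside uid 0 is host uid 0 (container root == host root)
#   unmapped      : no range covers uid 0 (root would appear as nobody)
uidmap_status() {
  printf '%s\n' "$1" | awk '
    $1 <= 0 && 0 < $1 + $3 {
      print ($2 == 0 ? "not-remapped" : "remapped"); found = 1; exit
    }
    END { if (!found) print "unmapped" }'
}

# Constructed sample mappings (not captured from a real host):
SAMPLE_HOST_ROOT="0 0 4294967295"   # typical mapping without user namespaces
SAMPLE_REMAPPED="0 100000 65536"    # root remapped to subordinate uid range

# Check the process this script runs in (guarded so it also runs off-Linux).
if [ -r /proc/self/uid_map ]; then
  echo "this process: $(uidmap_status "$(cat /proc/self/uid_map)")"
fi
```

Run it inside a container: "not-remapped" means container root is still host root, which is the configuration this class of escape relies on.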