Bug 2258725 (CVE-2024-21626, Leaky-Vessels) - CVE-2024-21626 runc: file descriptor leak
Summary: CVE-2024-21626 runc: file descriptor leak
Keywords:
Status: NEW
Alias: CVE-2024-21626, Leaky-Vessels
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2262166
Blocks: 2258742
TreeView+ depends on / blocked
 
Reported: 2024-01-17 05:00 UTC by Avinash Hanwate
Modified: 2024-07-17 18:46 UTC (History)
26 users (show)

Fixed In Version: runc 1.1.12
Doc Type: If docs needed, set a value
Doc Text:
A file descriptor leak issue was found in the runc package. While a user performs `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when performing `setcwd(2)`, which means that the reference can be kept alive in the container by configuring the working directory to be a path resolved through the file descriptor. The non-dumpable bit is unset after `execve`, meaning there are multiple ways to attack this other than bad configurations. The only way to defend against it entirely is to close all unneeded file descriptors.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0821 0 None None None 2024-02-14 21:32:19 UTC
Red Hat Product Errata RHBA-2024:0859 0 None None None 2024-02-19 01:15:27 UTC
Red Hat Product Errata RHBA-2024:0860 0 None None None 2024-02-19 01:58:59 UTC
Red Hat Product Errata RHSA-2023:7201 0 None None None 2024-02-27 22:28:58 UTC
Red Hat Product Errata RHSA-2024:0645 0 None None None 2024-02-08 19:22:00 UTC
Red Hat Product Errata RHSA-2024:0662 0 None None None 2024-02-08 18:47:05 UTC
Red Hat Product Errata RHSA-2024:0666 0 None None None 2024-02-08 19:48:08 UTC
Red Hat Product Errata RHSA-2024:0670 0 None None None 2024-02-02 21:01:04 UTC
Red Hat Product Errata RHSA-2024:0682 0 None None None 2024-02-08 18:42:51 UTC
Red Hat Product Errata RHSA-2024:0684 0 None None None 2024-02-08 19:21:07 UTC
Red Hat Product Errata RHSA-2024:0717 0 None None None 2024-02-07 13:29:52 UTC
Red Hat Product Errata RHSA-2024:0748 0 None None None 2024-02-08 18:20:21 UTC
Red Hat Product Errata RHSA-2024:0752 0 None None None 2024-02-08 18:30:18 UTC
Red Hat Product Errata RHSA-2024:0755 0 None None None 2024-02-08 18:32:30 UTC
Red Hat Product Errata RHSA-2024:0756 0 None None None 2024-02-08 18:19:48 UTC
Red Hat Product Errata RHSA-2024:0757 0 None None None 2024-02-08 18:33:04 UTC
Red Hat Product Errata RHSA-2024:0758 0 None None None 2024-02-08 18:34:15 UTC
Red Hat Product Errata RHSA-2024:0759 0 None None None 2024-02-08 18:34:09 UTC
Red Hat Product Errata RHSA-2024:0760 0 None None None 2024-02-08 18:32:54 UTC
Red Hat Product Errata RHSA-2024:0764 0 None None None 2024-02-08 19:49:17 UTC
Red Hat Product Errata RHSA-2024:1270 0 None None None 2024-03-12 11:58:52 UTC
Red Hat Product Errata RHSA-2024:4597 0 None None None 2024-07-17 18:46:59 UTC

Description Avinash Hanwate 2024-01-17 05:00:08 UTC
The core issue is a file descriptor leak, and while we do `O_CLOEXEC` all file descriptors before executing the container code, the file descriptor is open when doing `setcwd(2)` which means that the reference can be kept alive into the container by configuring the working directory to be a path resolved through the file descriptor (and the non-dumpable bit is unset after `execve` meaning that there are multiple ways to attack this other than bad configurations).

There is also an `execve`-based attack that makes simple verification unworkable was particularly hairy to fix (the patch involves doing `//go:linkname` to access Go runtime internals, because the only way to defend against it entirely is to close all unneeded file descriptors -- for the same reason that #!-based tricks meant that CVE-2019-5736 required drastic measures).

Comment 4 Pedro Sampaio 2024-01-31 21:31:54 UTC
Created runc tracking bugs for this issue:

Affects: fedora-all [bug 2262166]

Comment 9 errata-xmlrpc 2024-02-02 21:01:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2024:0670 https://access.redhat.com/errata/RHSA-2024:0670

Comment 11 errata-xmlrpc 2024-02-07 13:29:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2024:0717 https://access.redhat.com/errata/RHSA-2024:0717

Comment 12 errata-xmlrpc 2024-02-08 18:19:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2024:0756 https://access.redhat.com/errata/RHSA-2024:0756

Comment 13 errata-xmlrpc 2024-02-08 18:20:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0748 https://access.redhat.com/errata/RHSA-2024:0748

Comment 14 errata-xmlrpc 2024-02-08 18:30:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0752 https://access.redhat.com/errata/RHSA-2024:0752

Comment 15 errata-xmlrpc 2024-02-08 18:32:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2024:0755 https://access.redhat.com/errata/RHSA-2024:0755

Comment 16 errata-xmlrpc 2024-02-08 18:32:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.4 Telecommunications Update Service

Via RHSA-2024:0760 https://access.redhat.com/errata/RHSA-2024:0760

Comment 17 errata-xmlrpc 2024-02-08 18:33:02 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0757 https://access.redhat.com/errata/RHSA-2024:0757

Comment 18 errata-xmlrpc 2024-02-08 18:34:07 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0759 https://access.redhat.com/errata/RHSA-2024:0759

Comment 19 errata-xmlrpc 2024-02-08 18:34:13 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Advanced Update Support
  Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.2 Telecommunications Update Service

Via RHSA-2024:0758 https://access.redhat.com/errata/RHSA-2024:0758

Comment 20 errata-xmlrpc 2024-02-08 18:42:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0682 https://access.redhat.com/errata/RHSA-2024:0682

Comment 21 errata-xmlrpc 2024-02-08 18:47:02 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2024:0662 https://access.redhat.com/errata/RHSA-2024:0662

Comment 22 errata-xmlrpc 2024-02-08 19:21:04 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2024:0684 https://access.redhat.com/errata/RHSA-2024:0684

Comment 23 errata-xmlrpc 2024-02-08 19:21:57 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.14

Via RHSA-2024:0645 https://access.redhat.com/errata/RHSA-2024:0645

Comment 24 errata-xmlrpc 2024-02-08 19:48:06 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2024:0666 https://access.redhat.com/errata/RHSA-2024:0666

Comment 25 errata-xmlrpc 2024-02-08 19:49:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0764 https://access.redhat.com/errata/RHSA-2024:0764

Comment 27 errata-xmlrpc 2024-02-27 22:28:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.15

Via RHSA-2023:7201 https://access.redhat.com/errata/RHSA-2023:7201

Comment 31 errata-xmlrpc 2024-03-12 11:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2024:1270 https://access.redhat.com/errata/RHSA-2024:1270

Comment 36 Gandhimathy 2024-04-17 12:19:58 UTC
Hi All,
Seeing this vulnerability reported against the package "github.com/opencontainers/runc" which is bundled with either RedHat 8.9 minimial or OSE.

Looking for a fix at the earliest as it is blocking our monthly release.

Thanks & Regards,
Gandhi.

IBM MQ Container - Security Lead.

Comment 39 errata-xmlrpc 2024-07-17 18:46:56 UTC
This issue has been addressed in the following products:

  OCP-Tools-4.15-RHEL-8

Via RHSA-2024:4597 https://access.redhat.com/errata/RHSA-2024:4597


Note You need to log in before you can comment on or make changes to this bug.