runc privilege escalation

As promised in the last post, we have a new Linux-related blog post. Kinda.

What is runc?

runc is a command-line tool for spawning and running containers on Linux according to the OCI (Open Container Initiative) runtime specification; it started life as Docker's libcontainer, was donated to the OCI, and is the reference implementation of that specification. runc is not intended for end users, as it is a low-level component. Instead, it sits underneath container software such as Docker (through containerd) and Podman, and as runc's git repository states:

...unless there is some specific use case that prevents the use of tools like Docker or Podman, it is not recommended to use runc directly.

As such, end users are not expected to run runc directly, nor to keep it up to date and compatible with the higher-level software; that is the job of the tools that bundle it.

The vulnerability itself (CVE-2024-21626)

This vulnerability is present in runc versions from v1.0.0-rc93 up to and including 1.1.11, and it is caused by an internal file descriptor leak. A file descriptor is a small integer the kernel returns to a process when it opens a file, directory, socket, or other resource (in Unix-like systems most things a process touches are exposed as files); the process uses that number to refer to the open object in later system calls. Open descriptors are inherited by child processes and survive execve() unless they are marked close-on-exec. runc's init process held descriptors to host directories, notably /sys/fs/cgroup, that were not closed before it executed the container's own process. Because Linux exposes every open descriptor as a path under /proc/self/fd/<N>, a process inside the container could use such a leaked descriptor to reach the host filesystem, for example by having its working directory set to /proc/self/fd/<N>. The concrete attack variants are described in the security advisory in runc's git repository.
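To make the mechanism concrete, here is an added example written for this post (it is not code from runc or from the advisory). It opens a directory, then starts a child process twice: once with the directory descriptor deliberately left open across exec, which reproduces the leak, and once with every extra descriptor closed before exec, which is what the fix does. The child tries to use /proc/self/fd/<N> as its working directory, the same trick the advisory describes. It assumes Linux with /proc mounted; the temporary directory and its marker file are constructed by the script.

```python
"""How an inherited file descriptor becomes a path into another directory.

Added example (not runc's code) illustrating the mechanism behind
CVE-2024-21626. The child process is given only a descriptor number and
the directory it expects to find behind it. Linux-only; needs /proc.
"""
import os
import subprocess
import sys
import tempfile

# Code run inside the child process.
CHILD = r"""
import os, sys
fd, expected = int(sys.argv[1]), sys.argv[2]
try:
    # /proc/self/fd/<N> resolves to whatever the descriptor is open on,
    # even if that location is otherwise unreachable from the child's
    # mount namespace. Here it is only a temporary directory.
    target = os.readlink(f"/proc/self/fd/{fd}")
    if target != expected:
        # Descriptor number reused by something else: not our leak.
        raise OSError("descriptor {} is not the leaked one".format(fd))
    os.chdir(f"/proc/self/fd/{fd}")
    print("LEAKED", " ".join(sorted(os.listdir("."))))
except OSError:
    print("NOT_LEAKED")
"""


def spawn_child(dir_fd: int, expected: str, leak: bool) -> str:
    """Exec the child and return its one-line report.

    subprocess closes every descriptor above 2 before exec unless it is
    listed in pass_fds, so leak=True reproduces runc's bug and
    leak=False reproduces the fix (close everything before exec).
    """
    result = subprocess.run(
        [sys.executable, "-c", CHILD, str(dir_fd), expected],
        pass_fds=(dir_fd,) if leak else (),
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout.strip()


def demo() -> dict:
    """Run both variants against a constructed temp directory."""
    with tempfile.TemporaryDirectory() as d:
        expected = os.path.realpath(d)
        open(os.path.join(d, "marker.txt"), "w").close()
        dir_fd = os.open(d, os.O_RDONLY | os.O_DIRECTORY)
        try:
            return {
                "leaked": spawn_child(dir_fd, expected, leak=True),
                "closed": spawn_child(dir_fd, expected, leak=False),
            }
        finally:
            os.close(dir_fd)


if __name__ == "__main__":
    for name, report in demo().items():
        print(f"{name}: {report}")
```

In the leaked run the child lands inside the parent's directory and lists marker.txt; in the closed run the descriptor no longer exists and the magic link resolves to nothing. In runc's case the descriptor pointed at a host directory, so the container's working directory ended up on the host.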

What could be the outcome of exploiting this vulnerability?

By exploiting this vulnerability through the methods described in the advisory, an attacker can break out of the container: the attacker's process gains access to the host filesystem, effectively escaping the containerized environment. That is why this is a serious vulnerability.

The good news

Fortunately, this vulnerability was patched in runc version 1.1.12. It is then up to the providers of higher-level software, such as Docker, to ship updates that bundle the patched runc.

As it stands, Docker has released docker-ce 25.0.2, which ships the patched runc. Docker's packages for this release are available for common distributions such as Ubuntu 20.04 LTS and later, Debian 11 and later, Fedora 38 and later, etc., which leaves servers running end-of-life distributions without an upstream fix and therefore exposed to this vulnerability.
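A quick way to check what is installed, as an added example written for this post (not a tool from runc or Docker): parse the version out of `runc --version` and compare it against the affected range v1.0.0-rc93 up to and including 1.1.11. The sample output in the script is constructed, not captured from a host.

```python
"""Check whether a runc version falls in the CVE-2024-21626 affected range.

Added example, not a tool from runc or Docker. Affected versions are
v1.0.0-rc93 up to and including 1.1.11; 1.1.12 is fixed. The parser keeps
the "-rcN" suffix ordered before the final release (1.0.0-rc93 < 1.0.0),
which a naive string comparison gets wrong.
"""
import re
import subprocess
from typing import Optional, Tuple

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")

# A final release sorts after every release candidate of the same number.
_FINAL = 10**9


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'1.1.12' -> (1, 1, 12, _FINAL); '1.0.0-rc93' -> (1, 0, 0, 93).

    Trailing packaging suffixes such as '+dev' or '-0ubuntu1' are ignored,
    so this is a pure upstream-version check.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised runc version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


FIRST_AFFECTED = parse_version("1.0.0-rc93")
FIXED_IN = parse_version("1.1.12")


def is_vulnerable(version: str) -> bool:
    """True if FIRST_AFFECTED <= version < FIXED_IN."""
    return FIRST_AFFECTED <= parse_version(version) < FIXED_IN


def version_from_runc_output(output: str) -> str:
    """Pull the version out of `runc --version` output, whose first line
    reads 'runc version X.Y.Z'."""
    first_line = output.splitlines()[0] if output else ""
    m = re.match(r"runc version (\S+)", first_line)
    if not m:
        raise ValueError(f"unexpected runc output: {first_line!r}")
    return m.group(1)


def check_installed(binary: str = "runc") -> Optional[bool]:
    """Run the local runc binary; None if it is missing or fails to run."""
    try:
        proc = subprocess.run(
            [binary, "--version"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(version_from_runc_output(proc.stdout))


if __name__ == "__main__":
    # Constructed sample of `runc --version` output, not captured from a host.
    SAMPLE = "runc version 1.1.11\nspec: 1.0.2-dev\n"
    v = version_from_runc_output(SAMPLE)
    print(f"sample runc {v}: vulnerable={is_vulnerable(v)}")
    print("installed runc vulnerable:", check_installed())
```

Two caveats a practitioner should keep in mind. First, Docker bundles its own runc, so on a Docker host look at the runc entry printed by `docker version` rather than at whatever `runc` happens to be on PATH. Second, distribution packages often backport the fix without bumping the upstream version number, so for a distro-packaged runc a version comparison alone can report a false positive; check the package changelog or your distribution's advisory.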

Make sure to stay up to date with the latest version of Docker, or of runc itself if you run containers by other means.