Researchers at developer security company Snyk have disclosed four vulnerabilities that could be exploited by malicious actors to escape containers or tamper with container image builds.
The flaws are collectively called Leaky Vessels and are tracked as CVE-2024-21626 (runc) and CVE-2024-23651, CVE-2024-23652 and CVE-2024-23653 (BuildKit).
The security holes were discovered late last year in runc, the Open Container Initiative reference runtime (originally built by Docker) that spawns and runs containers on Linux and sits beneath containerd, Docker and most Kubernetes nodes, and in BuildKit, the Moby/Docker engine that builds container images. Both projects are open source.
While Snyk has found no evidence of exploitation in the wild, the company warned that an attacker could leverage the Leaky Vessels flaws to escape a container and gain access to the underlying host operating system. From there, they could access data stored on the system, which can include customer information and credentials, and conduct further attacks.
“These vulnerabilities can only be exploited if a user actively engages with malicious content by incorporating it into the build process or running a container from a suspect image (particularly relevant for the CVE-2024-21626 container escape vulnerability),” Docker explained.
“Potential impacts include unauthorized access to the host filesystem, compromising the integrity of the build cache, and, in the case of CVE-2024-21626, a scenario that could lead to full container escape,” it added.
Patches and mitigations are available for the runc and BuildKit vulnerabilities; the fixes shipped in runc 1.1.12 and BuildKit 0.12.5. Users have been advised to install available patches and keep an eye out for updates from Kubernetes vendors, cloud container services, and open source communities that use the vulnerable components. Because runc is usually bundled inside containerd or Docker packages, and distributions may backport the fix under an older version number, the package vendor's advisory is the authoritative source for whether a given host is fixed. Upgrading the runc binary protects containers started after the upgrade; containers already running keep the old runtime behaviour until they are restarted.
“You should upgrade systems running container engines and container build tools as soon as fixes are released by your providers,” Snyk urged users.
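To act on the upgrade advice above, a host inventory needs to compare the installed runc and BuildKit versions against the first fixed releases. The following POSIX shell script is an added example written for this page; it is not code from the article, Snyk or Docker. It assumes the fixed versions are runc 1.1.12 (CVE-2024-21626) and BuildKit 0.12.5 (CVE-2024-23651/23652/23653), probes the `runc` and `buildctl` binaries on PATH, and treats a `-rc`, `-alpha` or `-beta` suffix as older than the bare release while ignoring distro package revisions such as `-0ubuntu2`.

```sh
#!/bin/sh
# Added example (not from the article or from Snyk/Docker): flag runc and
# BuildKit builds older than the first fixed releases.
# Assumption: runc 1.1.12 fixes CVE-2024-21626 and BuildKit 0.12.5 fixes
# CVE-2024-23651/23652/23653. Distro packages may backport the fix under an
# older version string, so confirm against your vendor's advisory.

RUNC_FIXED="1.1.12"
BUILDKIT_FIXED="0.12.5"

# numeric_part STR: leading digits of STR, or 0 if none ("12~ds1" -> 12, "" -> 0)
numeric_part() {
    n=$(printf '%s\n' "$1" | sed 's/[^0-9].*//')
    printf '%s' "${n:-0}"
}

# version_lt A B: succeed when version A is older than version B.
# Handles a leading "v", up to three dotted components, and a pre-release
# suffix ("1.1.12-rc.1" is older than "1.1.12"); other "-" suffixes such as
# Debian package revisions ("1.1.12-0ubuntu2") are ignored.
version_lt() {
    a=${1#v}; b=${2#v}
    a_pre=0; b_pre=0
    case $a in *-rc*|*-alpha*|*-beta*) a_pre=1 ;; esac
    case $b in *-rc*|*-alpha*|*-beta*) b_pre=1 ;; esac
    a=${a%%-*}; b=${b%%-*}
    i=1
    while [ "$i" -le 3 ]; do
        x=$(numeric_part "$(printf '%s\n' "$a" | cut -d. -f"$i")")
        y=$(numeric_part "$(printf '%s\n' "$b" | cut -d. -f"$i")")
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
    # same numeric version: only a pre-release of B's version counts as older
    if [ "$a_pre" -eq 1 ] && [ "$b_pre" -eq 0 ]; then
        return 0
    fi
    return 1
}

# check_component NAME VERSION FIXED: print a verdict; succeed only if patched.
check_component() {
    if version_lt "$2" "$3"; then
        printf '%-8s %-16s VULNERABLE (need >= %s)\n' "$1" "$2" "$3"
        return 1
    fi
    printf '%-8s %-16s ok\n' "$1" "$2"
}

# extract_version CMD ARGS...: first x.y.z[-tag] token CMD prints, if installed.
extract_version() {
    command -v "$1" >/dev/null 2>&1 || return 1
    "$@" 2>/dev/null | grep -oE '[0-9]+\.[0-9]+\.[0-9]+(-[A-Za-z0-9.]+)?' | head -n 1
}

# audit_local: probe the binaries on this host; succeed only if none is vulnerable.
audit_local() {
    status=0
    v=$(extract_version runc --version)
    if [ -n "$v" ]; then
        check_component runc "$v" "$RUNC_FIXED" || status=1
    else
        echo "runc     not found on PATH"
    fi
    v=$(extract_version buildctl --version)
    if [ -n "$v" ]; then
        check_component buildkit "$v" "$BUILDKIT_FIXED" || status=1
    else
        echo "buildkit not found on PATH (buildctl)"
    fi
    return "$status"
}

audit_local || echo "one or more components need upgrading"
```

On Docker Engine hosts where `runc` is not on PATH, the runtime version is listed under `runc:` in the Server section of `docker info`, and the same `check_component` call can be run against that string. A version check of this kind is a first pass only: a vendor-patched package reporting an older version will be flagged as vulnerable, and a host running a patched `runc` still executes already-running containers on the old binary until they are restarted.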