Detections
Analytics
Debian dla-3735 : golang-github-opencontainers-runc-dev - security update
high Nessus Plugin ID 190686
Language:
Synopsis
The remote Debian host is missing one or more security-related updates.Description
The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3735 advisory.- runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc, netlink is used internally as a serialization system for specifying the relevant container configuration to the `C` portion of the code (responsible for the based namespace setup of containers). In all versions of runc prior to 1.0.3, the encoder did not handle the possibility of an integer overflow in the 16-bit length field for the byte array attribute type, meaning that a large enough malicious byte array attribute could result in the length overflowing and the attribute contents being parsed as netlink messages for container configuration. This vulnerability requires the attacker to have some control over the configuration of the container and would allow the attacker to bypass the namespace restrictions of the container by simply adding their own netlink payload which disables all namespaces. The main users impacted are those who allow untrusted images with untrusted configurations to run on their machines (such as with shared cloud infrastructure). runc version 1.0.3 contains a fix for this bug. As a workaround, one may try disallowing untrusted namespace paths from your container. It should be noted that untrusted namespace paths would allow the attacker to disable namespace protections entirely even in the absence of this bug. (CVE-2021-43784)
- runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (attack 2). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (attack 1). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (attack 3a and attack 3b). runc 1.1.12 includes patches for this issue. (CVE-2024-21626)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
Solution
Upgrade the golang-github-opencontainers-runc-dev packages.See Also
https://security-tracker.debian.org/tracker/source-package/runc
https://security-tracker.debian.org/tracker/CVE-2021-43784
Plugin Details
Severity: High
ID: 190686
File Name: debian_DLA-3735.nasl
Version: 1.1
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 2/19/2024
Updated: 2/20/2024
Supported Sensors: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Critical
Score: 9.9
CVSS v2
Risk Factor: Medium
Base Score: 6
Temporal Score: 5
Vector: CVSS2#AV:N/AC:M/Au:S/C:P/I:P/A:P
CVSS Score Source: CVE-2021-43784
CVSS v3
Risk Factor: High
Base Score: 8.6
Temporal Score: 8
Vector: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
CVSS Score Source: CVE-2024-21626
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:golang-github-opencontainers-runc-dev, p-cpe:/a:debian:debian_linux:runc, cpe:/o:debian:debian_linux:10.0
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 2/19/2024
Vulnerability Publication Date: 12/6/2021
Exploitable With
Metasploit (runc (docker) File Descriptor Leak Privilege Escalation)
Reference Information
CVE: CVE-2021-43784, CVE-2024-21626
IAVA: 2024-A-0071