Executive Summary

This vulnerability in runc involves insufficient checks when bind-mounting /dev/pts/$n to /dev/console inside containers. An attacker can trick runc into bind-mounting paths that are normally read-only or masked onto writable paths. This can lead to denial of service or container breakout by allowing the attacker to write to sensitive files like /proc/sysrq-trigger or /proc/sys/kernel/core_pattern inside the container environment. The issue occurs after pivot_root, so it cannot be used to write directly to host files. It affects certain versions of runc and is fixed in versions 1.2.8, 1.3.3, and 1.4.0-rc.3.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause denial of service on the host or escape from the container environment (container breakout). By gaining writable access to normally protected system files within the container, an attacker could disrupt container or host operations or escalate privileges within the containerized environment.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate this vulnerability, you should upgrade runc to a fixed version: 1.2.8, 1.3.3, or 1.4.0-rc.3 or later. Avoid using vulnerable versions (1.0.0-rc3 through 1.2.7, 1.3.0-rc.1 through 1.3.2, and 1.4.0-rc.1 through 1.4.0-rc.2) to prevent the risk of container breakout or denial of service.

Useful 0 Not Useful 0