CVE-2021-30465
Published 2021-05-27
Priority: P3 · 55 · high · 8.5 (CVSS 3.1)
AV:N / AC:H / PR:L / UI:N / S:C / C:H / I:H / A:H
EPSS: 6.60% (93.0th percentile)
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.
Affected
11 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | runc | < runc 1.0.0~rc93+ds1-5 (bookworm) | runc 1.0.0~rc93+ds1-5 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| github.com | opencontainers_runc | >= 0 < 1.0.0-rc95 | 1.0.0-rc95 |
| linuxfoundation | runc | <= 0.1.1 | — |
| linuxfoundation | runc | — | — |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5 | 1.0.0~rc93+ds1-5 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5 | 1.0.0~rc93+ds1-5 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5 | 1.0.0~rc93+ds1-5 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc93+ds1-5 | 1.0.0~rc93+ds1-5 |
| linuxfoundation | runc | >= 0 < 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm2 | 1.0.0~rc7+git20190403.029124da-0ubuntu1~16.04.4+esm2 |
CVSS provenance
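| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| ghsa | — | 8.5 | HIGH | — |
| osv | — | 8.5 | HIGH | — |
| vendor_debian | — | 8.5 | HIGH | — |
| vendor_redhat | — | 8.5 | HIGH | — |
| vendor_ubuntu | — | 7.5 | HIGH | — |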
OSV
Mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs in github.com/opencontainers/runc
osv·2024-08-21
CVE-2021-30465 Mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs in github.com/opencontainers/runc
OSV
runc vulnerabilities
osv·2021-08-10·CVSS 7.5
CVE-2019-16884 [HIGH] runc vulnerabilities
It was discovered that runC incorrectly checked mount targets. An attacker
with a malicious container image could possibly mount over the /proc
directory and escalate privileges. (CVE-2019-16884)
Etienne Champetier discovered that runC incorrectly checked mount targets.
An attacker with a malicious container image could possibly mount the host
filesystem into the container and escalate privileges. (CVE-2021-30465)
OSV
CVE-2021-30465: runc before 1
osv·2021-05-27·CVSS 8.5
CVE-2021-30465 [HIGH] CVE-2021-30465: runc before 1
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.
OSV
mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
osv·2021-05-25·CVSS 8.5
CVE-2021-30465 [HIGH] mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
### Summary
runc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby
an attacker can request a seemingly-innocuous container configuration that
actually results in the host filesystem being bind-mounted into the container
(allowing for a container escape). CVE-2021-30465 has been assigned for this
issue.
An attacker must have the ability to start containers using some kind of custom
volume configuration, and while recommended container hardening mechanisms such
as LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of
damage an attacker could do, they do not block this attack outright. We have a
reproducer using Kubernetes (and the below description mentions
GHSA
mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
ghsa·2021-05-25·CVSS 8.5
CVE-2021-30465 [HIGH] CWE-22 mount destinations can be swapped via symlink-exchange to cause mounts outside the rootfs
### Summary
runc 1.0.0-rc94 and earlier are vulnerable to a symlink exchange attack whereby
an attacker can request a seemingly-innocuous container configuration that
actually results in the host filesystem being bind-mounted into the container
(allowing for a container escape). CVE-2021-30465 has been assigned for this
issue.
An attacker must have the ability to start containers using some kind of custom
volume configuration, and while recommended container hardening mechanisms such
as LSMs (AppArmor/SELinux) and user namespaces will restrict the amount of
damage an attacker could do, they do not block this attack outright. We have a
reproducer using Kubernetes (and the below description mentions
Ubuntu
runC vulnerabilities
vendor_ubuntu·2021-08-10·CVSS 7.5
CVE-2019-16884 [HIGH] runC vulnerabilities
Title: runC vulnerabilities
Summary: Several security issues were fixed in runC.
It was discovered that runC incorrectly checked mount targets. An attacker
with a malicious container image could possibly mount over the /proc
directory and escalate privileges. (CVE-2019-16884)
Etienne Champetier discovered that runC incorrectly checked mount targets.
An attacker with a malicious container image could possibly mount the host
filesystem into the container and escalate privileges. (CVE-2021-30465)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
runc: vulnerable to symlink exchange attack
vendor_redhat·2021-05-19·CVSS 8.5
CVE-2021-30465 [HIGH] CWE-367 runc: vulnerable to symlink exchange attack
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.
The runc package is vulnerable to a symlink exchange attack whereby an attacker can request a seemingly innocuous container configuration that results in the host filesystem being bind-mounted into the container. The highest threat from this vulnerability is to data confidentiality and integrity as well as to system availability.
Statement: OpenShift Container Platform OCP 3.11 by default uses Docker from RHEL-7 extras repository. If using OCP 3.11 up
Ubuntu
runC vulnerability
vendor_ubuntu·2021-05-19
CVE-2021-30465 runC vulnerability
Title: runC vulnerability
Summary: runC could be made to overwrite files as the administrator.
Etienne Champetier discovered that runC incorrectly checked mount targets.
An attacker with a malicious container image could possibly mount the host
filesystem into the container and escalate privileges.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2021-30465: runc - runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Trav...
vendor_debian·2021·CVSS 8.5
CVE-2021-30465 [HIGH] CVE-2021-30465: runc - runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Trav...
runc before 1.0.0-rc95 allows a Container Filesystem Breakout via Directory Traversal. To exploit the vulnerability, an attacker must be able to create multiple containers with a fairly specific mount configuration. The problem occurs via a symlink-exchange attack that relies on a race condition.
Scope: local
bookworm: resolved (fixed in 1.0.0~rc93+ds1-5)
bullseye: resolved (fixed in 1.0.0~rc93+ds1-5)
forky: resolved (fixed in 1.0.0~rc93+ds1-5)
sid: resolved (fixed in 1.0.0~rc93+ds1-5)
trixie: resolved (fixed in 1.0.0~rc93+ds1-5)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
http://www.openwall.com/lists/oss-security/2021/05/19/2
https://bugzilla.opensuse.org/show_bug.cgi?id=1185405
https://github.com/opencontainers/runc/commit/0ca91f44f1664da834bc61115a849b56d22f595f
https://github.com/opencontainers/runc/releases
https://github.com/opencontainers/runc/security/advisories/GHSA-c3xm-pvg7-gh7r
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/35ZW6NBZSBH5PWIT7JU4HXOXGFVDCOHH/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4HOARVIT47RULTTFWAU7XBG4WY6TDDHV/
https://security.gentoo.org/glsa/202107-26
https://security.netapp.com/advisory/ntap-20210708-0003/