How Chainguard protects against “Leaky Vessel” container escape vulnerabilities

Dan Luhring, Staff Software Engineer
February 1, 2024

The Snyk Security Labs team recently reported four vulnerabilities in widely used Docker container runtime components – coining the group “Leaky Vessels.” CVE-2024-21626 impacts the runc container runtime and could result in container escape to the underlying host operating system. runc is the backbone of how most container images are built and run today. The vulnerability can be exploited by running a malicious image or using runc exec to spawn a container with access to the host filesystem via the working directory.

Three other vulnerabilities in BuildKit (CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653) were also reported. CVE-2024-23651 and CVE-2024-23652 can allow a container build to access and delete items on the host filesystem that it should not have access to. CVE-2024-23653 can result in BuildKit being tricked into running containers with elevated privileges. Note that exploiting these vulnerabilities requires the target to run a malicious build file.

Container escape attacks pose a dangerous threat to the cloud-native ecosystem as more organizations rely on these modern technologies to build and run applications and services. If attackers can trick users of container tools into building a malicious container image, this could result in access to potentially sensitive files and even access to the whole system. Improving the container security landscape is what we’ve set out to do at Chainguard by providing hardened, minimal container images that help to reduce a container's attack surface using a secure-by-default build process.

Docker issued patches for these vulnerabilities on January 31, 2024. If you are using vulnerable versions, make sure to upgrade to the patched versions of runc (1.1.12) and BuildKit (0.12.5). Check for updates from your container build and runtime vendors, Kubernetes orchestration platforms, cloud container services and open source projects.
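As an added example (not code from this post or from Chainguard's tooling), a small POSIX shell check that compares the runc and BuildKit versions installed on a host against the fixed releases named above; the `runc --version` and `buildkitd --version` output formats it parses are assumptions.

```shell
#!/bin/sh
# Added example, not from the Chainguard post. Compares installed runc and
# BuildKit versions with the fixed releases named in the post (1.1.12, 0.12.5).
RUNC_FIXED="1.1.12"
BUILDKIT_FIXED="0.12.5"

# Drop a leading "v" and any "-rc"/"+build" suffix so numeric sort can compare.
normalize_version() {
    printf '%s' "$1" | sed -e 's/^v//' -e 's/[-+].*$//'
}

# version_ge INSTALLED FIXED: succeed when INSTALLED >= FIXED.
# A pre-release such as 1.1.12-rc.1 is treated as older than 1.1.12 itself.
version_ge() {
    a=$(normalize_version "$1"); b=$(normalize_version "$2")
    top=$(printf '%s\n%s\n' "$b" "$a" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n1)
    [ "$top" = "$a" ] || return 1
    case "$1" in *-*) [ "$a" != "$b" ] ;; *) return 0 ;; esac
}

# leaky_vessels_status INSTALLED FIXED: prints "patched" or "vulnerable".
leaky_vessels_status() {
    if version_ge "$1" "$2"; then echo patched; else echo vulnerable; fi
}

# installed_version BINARY: parse the version from the tool's own output.
# Assumed formats: "runc version 1.1.12" and
# "buildkitd github.com/moby/buildkit v0.12.5 <commit>".
installed_version() {
    case "$1" in
        runc)      runc --version 2>/dev/null | awk 'NR==1 {print $3}' ;;
        buildkitd) buildkitd --version 2>/dev/null | awk '{print $3}' ;;
    esac
}

# report: check each component that is actually present on this host.
report() {
    for spec in "runc:$RUNC_FIXED" "buildkitd:$BUILDKIT_FIXED"; do
        bin=${spec%%:*}; fixed=${spec#*:}
        if ! command -v "$bin" >/dev/null 2>&1; then
            echo "$bin: not installed on this host"; continue
        fi
        v=$(installed_version "$bin")
        echo "$bin $v: $(leaky_vessels_status "$v" "$fixed") (fixed in $fixed)"
    done
}

report
```

Run it on each build node and runtime host; a Kubernetes node's runc is usually bundled with containerd, so check the vendor's release notes as well when the binary is not on the PATH.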

How Chainguard Images protect you from container escape vulnerabilities

The "Leaky Vessels" vulnerabilities impact how the majority of developers build container images today, which is by running containers to build images. However, because Chainguard Images are built with apko – which does not use runc or BuildKit – these vulnerabilities do not impact Chainguard’s image build process. We built apko from the ground up in order to have a container build system that is entirely declarative. Because apko doesn’t use running containers to build images, there’s no opportunity for this class of container escape vulnerabilities to compromise our build process or our build infrastructure.

That being said, some of our Images do include the runc and BuildKit components inside them, such as the Chainguard Image for BuildKit (cgr.dev/chainguard/buildkit:latest-root). If you are a Chainguard Images customer using one of these Images, all you need to do is pull the :latest or :latest-dev version, which were rebuilt with the patched components once the fixes were released. If you’re using one or more Chainguard Images as a base image for your own image, make sure to rebuild your image as soon as possible in order to pick up the patched versions of runc and BuildKit.

To keep our users informed, Chainguard published updated security advisories for CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653. 


Get started with Chainguard Images

According to Chainguard Labs research, popular container images, when not updated, accumulate one known vulnerability per day. Chainguard Images’ daily image rebuild policy ensures that you are using the latest, most up-to-date version of the container images you rely on to run your application securely. 

You can try Chainguard Images for free today to see for yourself how we're working to improve the container image security landscape. Our Developer Images are available on the :latest and :latest-dev versions only. Our Production Images inventory is always expanding for your enterprise needs. If you need something you don’t see listed in our Directory, let us know.

Want to hear more from Chainguard and Snyk? Join our upcoming virtual discussion with Snyk’s Director of DevSecOps Acceleration, Micah Silverman, Chainguard Staff Solutions Architect, Eric Smalling, and Engineering Manager, Priya Wadhwa to discuss how CISOs and developers can work better together to secure the software supply chain.

A huge kudos to our friends at Snyk for their work discovering and reporting the vulnerabilities, and to Docker’s security team for their response in issuing fixes.
