Article Details
Scrape Timestamp (UTC): 2024-02-04 15:21:05.824
Leaky Vessels flaws allow hackers to escape Docker, runc containers

Four vulnerabilities collectively called "Leaky Vessels" allow hackers to escape containers and access data on the underlying host operating system. The flaws were discovered in November 2023 by Snyk security researcher Rory McNamara, who reported them to the impacted parties for fixing. Snyk has found no signs of active exploitation of the Leaky Vessels flaws in the wild, but the publicity could change that, so all impacted system admins are advised to apply the available security updates as soon as possible.

Escaping containers

Containers are applications packaged into a file that contains all the runtime dependencies, executables, and code required to run an application. These containers are executed by platforms like Docker and Kubernetes, which run the application in a virtualized environment isolated from the operating system. A container escape occurs when an attacker or a malicious application breaks out of the isolated container environment and gains unauthorized access to the host system or to other containers.

The Snyk team has found four vulnerabilities, collectively called "Leaky Vessels", that impact the runc and BuildKit container infrastructure and build tools, potentially allowing attackers to perform container escapes on various software products. Because runc and BuildKit are used by a wide range of popular container management software, such as Docker and Kubernetes, the exposure to attacks is far more significant. The Leaky Vessels flaws are summarized below:

Impact and remediation

BuildKit and runc are widely used by popular projects like Docker and multiple Linux distributions. Due to this, patching the "Leaky Vessels" vulnerabilities involved coordinated action among the security research team at Snyk, the maintainers of the affected components (runc and BuildKit), and the broader container infrastructure community.
On January 31, 2024, BuildKit fixed the flaws in version 0.12.5, and runc addressed the issue affecting it in version 1.1.12. Docker released version 4.27.0 on the same day, incorporating the fixed component versions in its Moby engine, versions 25.0.1 and 24.0.8. Amazon Web Services, Google Cloud, and Ubuntu also published relevant security bulletins, guiding users through the appropriate steps to resolve the flaws in their software and services. Finally, CISA also published an alert urging cloud system admins to take the appropriate action to secure their systems from potential exploitation.
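The practical question for an administrator is whether the runc, BuildKit and Docker Engine builds on a host are at or past the fixed releases named above. The following Python script is an added example, not code from the article, Snyk, or the runc, BuildKit or Moby projects: it parses the version each CLI reports and compares it branch by branch against the fixed versions stated in the article (runc 1.1.12, BuildKit 0.12.5, Moby 25.0.1 and 24.0.8). The `runc --version` and `docker version --format '{{.Server.Version}}'` commands are real; using `buildctl --version` to read the BuildKit version assumes the standalone BuildKit client is installed, and the embedded sample outputs are constructed so the logic can be exercised offline.

```python
"""Check whether installed runc, BuildKit and Docker Engine (Moby) builds are at
or beyond the releases the article names as fixed for "Leaky Vessels".

Added example, not code from the article, Snyk, or the runc/BuildKit/Moby
projects. Fixed-version numbers are the ones stated in the article; the sample
CLI output below is constructed, not captured from a real host.
"""
import re
import subprocess

# Fixed releases as stated in the article. Moby has two fixed branches, so the
# comparison is done per major.minor branch: a 24.0.x build is fixed from
# 24.0.8, a 25.0.x build from 25.0.1.
FIXED_VERSIONS = {
    "runc": [(1, 1, 12)],
    "buildkit": [(0, 12, 5)],
    "moby": [(24, 0, 8), (25, 0, 1)],
}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return the first X.Y.Z triple found in text as a tuple of ints, or None."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(p) for p in m.groups())


def is_patched(component, version):
    """True if version is at or beyond the fixed release on its own major.minor
    branch. A branch newer than any listed fix is assumed to carry the fix; an
    older branch with no listed fix (e.g. Moby 23.x) is reported as unpatched,
    because the article names no fixed release for it."""
    fixed = FIXED_VERSIONS[component]
    for f in fixed:
        if f[:2] == version[:2]:
            return version >= f
    return version[:2] > max(f[:2] for f in fixed)


def audit(outputs):
    """outputs: component -> raw CLI text, or None when the tool is absent.
    Returns component -> (version tuple or None, patched bool). A missing or
    unparseable version is reported as unpatched so it is never silently skipped."""
    results = {}
    for component, text in outputs.items():
        version = parse_version(text) if text else None
        patched = version is not None and is_patched(component, version)
        results[component] = (version, patched)
    return results


def collect_from_host():
    """Run the real CLIs. `buildctl --version` assumes the standalone BuildKit
    client is installed (assumption); a missing tool yields None."""
    cmds = {
        "runc": ["runc", "--version"],
        "buildkit": ["buildctl", "--version"],
        "moby": ["docker", "version", "--format", "{{.Server.Version}}"],
    }
    outputs = {}
    for component, cmd in cmds.items():
        try:
            proc = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
            outputs[component] = proc.stdout
        except (OSError, subprocess.TimeoutExpired):
            outputs[component] = None
    return outputs


# Constructed sample output (commit hashes replaced by placeholders): one
# vulnerable runc, one fixed BuildKit, one vulnerable Moby on the 24.0 branch.
SAMPLE_OUTPUTS = {
    "runc": "runc version 1.1.11\ncommit: <placeholder>\nspec: 1.0.2-dev\n",
    "buildkit": "buildctl github.com/moby/buildkit v0.12.5 <placeholder>\n",
    "moby": "24.0.7\n",
}


if __name__ == "__main__":
    # Use SAMPLE_OUTPUTS to see the offline result; collect_from_host() for a real host.
    for comp, (ver, ok) in audit(SAMPLE_OUTPUTS).items():
        shown = ".".join(map(str, ver)) if ver else "not found"
        print(f"{comp:9s} {shown:10s} {'patched' if ok else 'UPDATE REQUIRED'}")
```

Replace `SAMPLE_OUTPUTS` with `collect_from_host()` in the final loop to audit a real host. The per-branch comparison matters for Moby: a plain numeric comparison against 25.0.1 would wrongly flag a fixed 24.0.8 engine as vulnerable.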
Daily Brief Summary
"Leaky Vessels" vulnerabilities discovered, allowing hackers to escape Docker, runc containers and access host system data.
Security researcher Rory McNamara from Snyk identified the flaws in November 2023 and disclosed them responsibly.
No signs of active exploitation of the vulnerabilities in the wild have been detected yet.
The vulnerabilities affect runc and BuildKit, which are widely used in container management systems like Docker and Kubernetes.
Patches released in BuildKit version 0.12.5 and runc version 1.1.12 address the flaws; Docker updated to version 4.27.0.
AWS, Google Cloud, and Ubuntu issued security bulletins, and CISA issued an alert, guiding users through mitigation.
Urgent recommendations for system admins to apply security updates to protect against potential exploitation.