GMS-2024-65: Talos Linux ships runc vulnerable to the escape to the host attack

February 2, 2024

Impact

Snyk has discovered a vulnerability in all versions of runc <=1.1.11, as used by the Docker engine, along with other containerization technologies such as Kubernetes. Exploitation of this issue can result in container escape to the underlying host OS, either through executing a malicious image or building an image using a malicious Dockerfile or upstream image (i.e., when using FROM). This issue has been assigned the CVE-2024-21626.

Patches

runc runtime was updated to 1.1.12 in Talos v1.5.6 and v1.6.4.

Workarounds

Inspect the workloads running on the cluster to make sure they are not trying to exploit the vulnerability.

References

CVE-2024-21626
Vulnerability: runc process.cwd and leaked fds container breakout

References

github.com/advisories/GHSA-g5p6-327m-3fxx
github.com/siderolabs/talos/security/advisories/GHSA-g5p6-327m-3fxx

Detect and mitigate GMS-2024-65 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →