Keypoints
- Four vulnerabilities in Docker/runc and Buildkit (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653) enable container-to-host escape or host file manipulation when attackers can supply the Dockerfile.
- All issues rely on specially crafted Dockerfiles that trigger race conditions (TOCTOU) during image build, allowing attacker-controlled operations to occur on the host.
- CVE-2024-21626 abuses WORKDIR processing and proc file descriptors to create files on the host via /sys/fs/ or /proc/self/fd handling.
- CVE-2024-23651 and CVE-2024-23652 exploit mounts, symlinks, and RUN instructions to gain write access to host files (e.g., modifying cron entries) or delete arbitrary host files, causing persistence or DoS.
- CVE-2024-23653 uses Buildkit LLB directive manipulation to bypass validation and start containers with privileged=true, enabling straightforward breakout to the host.
- Sysdig/Falco rules provided detect: chdir to proc-based file descriptors, creation of symlinks over sensitive host paths, and the launch of privileged containers (with allow-listing recommended for trusted images).
MITRE Techniques
- [T1203] Exploitation of Vulnerabilities – Used to trigger race conditions in Dockerfile builds (TOCTOU) and execute unexpected actions during image build (‘…specially crafted Dockerfiles that cause race conditions to allow commands to run in an unexpected order.’)
- [T1068] Exploitation for Privilege Escalation – Employed to escape the container and gain host OS access after build-time manipulation (‘…allow an attacker to escape the container and gain access to the host operating system.’)
- [T1543] Create or Modify System Process – Abuse of successful write access to the host to install persistence (e.g., altered cron entries) for later command execution (‘…commonly seen as modified cron entries.’)
- [T1485] Data Destruction – Used to delete arbitrary files on the host via mount/symlink race conditions, enabling denial-of-service (‘…allow an attacker to delete an arbitrary file on the host OS.’)
- [T1611] Container Administration Command (Launch Privileged Containers) – Launching containers with privileged=true via Buildkit bypasses to obtain elevated container capabilities and facilitate host escape (‘…they can cause it to bypass certain security checks that would have prevented it from obtaining privileged access.’)
Indicators of Compromise
- [CVE IDs] referenced vulnerabilities – CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, CVE-2024-23653
- [File paths] sensitive host targets used in exploits – /etc/shadow, /etc/sudoers, and other entries in /etc (e.g., /etc/pam.conf), and /root
- [Proc/fs descriptors] abnormal directory actions – /proc/self/fd/ (chdir to proc file descriptor), /sys/fs/ (fd interception context)
- [Cron paths] persistence targets – /var/spool/cron, /etc/cron, /var/cron (used as examples of modified cron locations)
- [Build artefacts] build-time indicators – Dockerfile with custom Buildkit LLB directives, created symlinks during image build (and references to mount/symlink operations)
To detect exploitation of these build-time container vulnerabilities, monitor for three core behaviors during image build and container startup. First, flag processes performing chdir operations into proc-based file descriptors (e.g., paths starting with /proc/self/fd/), since CVE-2024-21626 relies on keeping access to file descriptors to write into host namespaces. Second, alert on symlink creation (symlink, symlinkat) that targets sensitive host paths such as /etc/shadow, /etc/sudoers, /root, or cron locations; CVE-2024-23651 and CVE-2024-23652 abuse TOCTOU race conditions involving mounts and symlinks to gain write access or delete host files. Third, detect containers launched with privileged=true that are not from allow-listed images, as CVE-2024-23653 enables bypassing Buildkit validations to start privileged containers and facilitate host escape.
Practical Falco detection implementations described include: (1) a rule matching evt.type=chdir with evt.arg.path starting with /proc/self/fd/ to catch suspicious directory changes into proc file descriptors; (2) a macro/rule that matches symlink or symlinkat events where the target equals or contains sensitive file or directory names (examples: /etc/shadow, /etc/sudoers, /var/spool/cron) to spot symlink-over-write attempts; and (3) a rule to alert on container_started events where container.privileged=true combined with image allow-list checks to identify unexpected privileged containers. Deploy these rules as custom Falco rules (OSS Falco or Sysdig Secure) and combine them with build-time image scanning, Dockerfile repository controls, and image allow-listing to reduce false positives and detect active exploitation.
Read more: https://sysdig.com/blog/exploitation-in-docker-and-kubernetes/