CVE-2021-30465 Overview
CVE-2021-30465 is a container filesystem breakout vulnerability affecting runc before version 1.0.0-rc95. This vulnerability enables directory traversal attacks through a symlink-exchange race condition, allowing attackers to escape container isolation and access the host filesystem. The exploitation requires the ability to create multiple containers with specific mount configurations, making it particularly relevant in multi-tenant container environments.
Critical Impact
This vulnerability allows container escape through a race condition during mount operations, potentially granting attackers access to the host filesystem and compromising container isolation boundaries.
Affected Products
- Linux Foundation runc versions prior to 1.0.0-rc95
- Linux Foundation runc 1.0.0-rc1 through 1.0.0-rc94
- Fedora Project Fedora 33 and 34
Discovery Timeline
- May 27, 2021 - CVE-2021-30465 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2021-30465
Vulnerability Analysis
CVE-2021-30465 represents a Time-of-Check Time-of-Use (TOCTOU) race condition vulnerability in the runc container runtime. The vulnerability exists within the mount destination validation logic in libcontainer/container_linux.go. During container creation, runc processes mount points without adequate protection against symlink manipulation between the validation and actual mount operations.
The attack exploits the window between when runc validates a mount destination path and when it actually performs the mount. An attacker with control over multiple containers can manipulate symbolic links during this race window, causing runc to mount host filesystem paths instead of the intended container-isolated paths. This effectively breaks the container filesystem isolation that is fundamental to container security.
The vulnerability has been documented in the GitHub Security Advisory GHSA-c3xm-pvg7-gh7r and discussed in detail on the Openwall OSS Security mailing list.
Root Cause
The root cause lies in the lack of atomic verification for mount destination paths within runc's mount handling code. The original implementation set m.Destination = dest without ensuring the path remained valid and unmodified throughout the mount operation. This gap allowed symbolic link manipulation between path validation and the actual MkdirAll call, creating an exploitable race condition.
The vulnerability was addressed by implementing secure path joining using the filepath-securejoin library, which provides protection against symlink-based path manipulation attacks.
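As an added illustration (not runc's code and not the filepath-securejoin library itself), the function below reimplements the core idea the fix relies on: a mount destination is resolved one component at a time with the container rootfs as the ceiling, so an absolute symlink inside the image restarts at the rootfs rather than the host root, ".." cannot climb out, and a symlink loop is rejected. The main is a small helper that prints where a given destination would land under a rootfs, which is also handy when auditing mount specifications; the rootfs and destination arguments are whatever you pass in.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// secureJoin is a simplified stand-in for filepath-securejoin (not the library's code):
// each component is looked up inside root, ".." cannot climb above root, and an
// absolute symlink target restarts at root instead of the host "/".
func secureJoin(root, unsafePath string) (string, error) {
	var out []string // resolved components, relative to root
	rest := strings.Split(filepath.Clean("/"+unsafePath), "/")
	for links := 0; len(rest) > 0; {
		comp := rest[0]
		rest = rest[1:]
		if comp == ".." && len(out) > 0 {
			out = out[:len(out)-1] // never climbs above root
		}
		if comp == ".." || comp == "." || comp == "" {
			continue
		}
		cand := filepath.Join(root, filepath.Join(out...), comp)
		fi, err := os.Lstat(cand)
		if err != nil && !os.IsNotExist(err) {
			return "", err
		}
		if err == nil && fi.Mode()&os.ModeSymlink != 0 {
			if links++; links > 255 {
				return "", fmt.Errorf("too many symlinks while resolving %q", unsafePath)
			}
			target, err := os.Readlink(cand)
			if err != nil {
				return "", err
			}
			if filepath.IsAbs(target) {
				out = nil // absolute link: restart at root, not at the host "/"
			}
			rest = append(strings.Split(filepath.Clean(target), "/"), rest...)
			continue
		}
		out = append(out, comp)
	}
	return filepath.Join(root, filepath.Join(out...)), nil
}

func main() { // usage: go run . <rootfs> <mount-destination>
	fmt.Println(secureJoin(os.Args[1], os.Args[2]))
}
```

Run it against an unpacked image root with a destination such as /etc/hosts: the printed path always stays under the rootfs, even when /etc inside the image is a symlink to an absolute host path.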
Attack Vector
The attack requires the ability to create multiple containers with specific mount configurations. The attacker crafts a container configuration that exploits the race condition through symlink exchange:
- The attacker prepares a container with a mount destination that appears valid during initial validation
- A second container or process rapidly swaps a symlink at the mount destination path
- When runc proceeds with the mount operation, it follows the swapped symlink to an attacker-controlled location on the host filesystem
- The container gains access to host filesystem paths, breaking isolation
The security patch implemented mount destination validation with secure path resolution:
import (
	"encoding/binary"
	"encoding/json"
	"fmt"
	"io"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"unsafe"

	"github.com/cyphar/filepath-securejoin" // introduced by the fix for secure path resolution
	"golang.org/x/sys/unix"
)
Source: GitHub runc Commit Update
The fix also removed the vulnerable destination assignment pattern:
if err := checkProcMount(c.config.Rootfs, dest, ""); err != nil {
return err
}
- m.Destination = dest
if err := os.MkdirAll(dest, 0755); err != nil {
return err
}
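Review bot: removing `m.Destination = dest` alone does not close the race; the visible hunk still runs checkProcMount(c.config.Rootfs, dest, "") and then os.MkdirAll(dest, 0755) as two separate steps on the same dest, so it is only safe if dest has already been produced by securejoin.SecureJoin against the rootfs, which is not shown in this hunk and should be confirmed in the surrounding code.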
Source: GitHub runc Commit Update
Detection Methods for CVE-2021-30465
Indicators of Compromise
- Unusual container mount configurations with unexpected or suspicious destination paths
- Rapid creation and deletion of containers with specific mount specifications
- Symlink creation or modification activity within container namespaces
- Access to host filesystem paths from within container processes
- Evidence of race condition exploitation through rapid file system operations
Detection Strategies
- Monitor container runtime logs for unusual mount operations or mount-related errors
- Implement file integrity monitoring on critical host filesystem paths that should not be accessed by containers
- Deploy runtime security tools that detect symlink manipulation attempts during container creation
- Audit container configurations for suspicious or overly permissive mount specifications
Monitoring Recommendations
- Enable detailed logging for runc and container runtime operations
- Monitor for unexpected process access to host filesystem paths from container contexts
- Implement alerting for rapid container creation patterns that may indicate exploitation attempts
- Review container orchestration logs for unusual mount configuration requests
How to Mitigate CVE-2021-30465
Immediate Actions Required
- Upgrade runc to version 1.0.0-rc95 or later immediately
- Review and audit existing container configurations for suspicious mount specifications
- Implement network segmentation and access controls to limit potential attackers' ability to create containers
- Enable enhanced container runtime monitoring and logging
Patch Information
The vulnerability is fixed in runc version 1.0.0-rc95. The patch introduces the filepath-securejoin library for secure path resolution and removes the vulnerable destination assignment pattern that enabled symlink manipulation. The fix is available in the GitHub runc Commit. Additional distribution-specific patches are available through Fedora, Gentoo, and Debian.
Workarounds
- Restrict container creation privileges to trusted users and workloads only
- Implement Pod Security Policies or equivalent admission controls in Kubernetes to limit mount capabilities
- Use SELinux or AppArmor policies to restrict container filesystem access
- Monitor and audit container runtime activity for anomalous behavior
# Verify runc version and update if vulnerable
runc --version
# Expected output should show version 1.0.0-rc95 or higher
# Update runc on systems using package managers
# For Fedora:
dnf update runc
# For Debian/Ubuntu:
apt-get update && apt-get upgrade runc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.