CVE-2021-43784: Linuxfoundation Runc Privilege Escalation

CVE-2021-43784 Overview

CVE-2021-43784 is an integer overflow vulnerability in runc, the CLI tool for spawning and running containers on Linux according to the OCI specification. The vulnerability exists in how runc uses netlink as an internal serialization system for specifying container configuration to the C portion of the code responsible for namespace setup. The encoder failed to handle the possibility of an integer overflow in the 16-bit length field for byte array attribute types, allowing a large enough malicious byte array attribute to cause the length to overflow and have attribute contents parsed as netlink messages for container configuration.

Critical Impact

Attackers with control over container configuration can bypass namespace restrictions by injecting malicious netlink payloads that disable all namespaces, potentially escaping container isolation in shared cloud infrastructure environments.

Affected Products

• Linux Foundation runc versions prior to 1.0.3
• Debian Linux 9.0 (Stretch)
• Container platforms using vulnerable runc versions (Docker, Kubernetes, Podman)

Discovery Timeline

• 2021-12-06 - CVE CVE-2021-43784 published to NVD
• 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-43784

Vulnerability Analysis

This vulnerability is classified as CWE-190 (Integer Overflow or Wraparound). The flaw exists in the netlink message handling code within runc's libcontainer component. When runc initializes a container, it uses netlink binary format to communicate configuration parameters between the Go and C portions of the codebase. The netlink message format uses a 16-bit unsigned integer for the length field, which can only represent values up to 65,535 bytes.

When an attacker supplies a byte array attribute larger than this maximum value, the length field wraps around due to integer overflow. This causes the parser in the C code (nsexec.c) to misinterpret the remaining bytes of the oversized attribute as new netlink messages. Since these messages control namespace configuration, an attacker can craft payloads that effectively disable all namespace protections.

The attack requires the attacker to have some control over container configuration, making environments that run untrusted images with untrusted configurations particularly vulnerable, such as shared cloud infrastructure and multi-tenant container platforms.

Root Cause

The root cause is the lack of bounds checking in the netlink message encoder within libcontainer/message_linux.go. The encoder did not validate that byte array attributes would fit within the 16-bit length field before serialization. This oversight allowed oversized attributes to cause integer overflow, resulting in the length field wrapping around and subsequent bytes being misinterpreted as control messages.

Attack Vector

The attack requires network access with low privileges and exploits the container configuration mechanism. An attacker must have the ability to influence container configuration, typically by providing a malicious container image or configuration file. The attack path involves:

1. Crafting a container configuration with an oversized byte array attribute
2. The netlink encoder processes this attribute, causing the 16-bit length field to overflow
3. Bytes beyond the overflow point are interpreted as valid netlink messages
4. Attacker-controlled netlink payloads can disable namespace protections
5. Container escapes or privilege escalation becomes possible

// Security patch in libcontainer/container_linux.go - runc init: avoid netlink message length overflows
// Source: https://github.com/opencontainers/runc/commit/d72d057ba794164c3cce9451a00b72a78b25e1ae

	return data.Bytes(), nil
}

// netlinkError is an error wrapper type for use by custom netlink message
// types. Panics with errors are wrapped in netlinkError so that the recover
// in bootstrapData can distinguish intentional panics.
type netlinkError struct{ error }

// bootstrapData encodes the necessary data in netlink binary format
// as a io.Reader.
// Consumer can write the data to a bootstrap program
// such as one that uses nsenter package to bootstrap the container's
// init process correctly, i.e. with correct namespaces, uid/gid
// mapping etc.
-func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string, it initType) (io.Reader, error) {
+func (c *linuxContainer) bootstrapData(cloneFlags uintptr, nsMaps map[configs.NamespaceType]string, it initType) (_ io.Reader, Err error) {
	// create the netlink message
	r := nl.NewNetlinkRequest(int(InitMsg), 0)

+	// Our custom messages cannot bubble up an error using returns, instead
+	// they will panic with the specific error type, netlinkError. In that
+	// case, recover from the panic and return that as an error.
+	defer func() {
+		if r := recover(); r != nil {
+			if e, ok := r.(netlinkError); ok {
+				Err = e.error
+			} else {
+				panic(r)
+			}
+		}

Detection Methods for CVE-2021-43784

Indicators of Compromise

• Unusual netlink message sizes in container initialization logs exceeding 65,535 bytes
• Container processes running with unexpected namespace configurations or disabled namespaces
• Anomalous container escape attempts or privilege escalation events from container contexts
• Failed container initializations with netlink-related errors followed by successful starts with modified configurations

Detection Strategies

• Monitor runc version across all container hosts and flag systems running versions prior to 1.0.3
• Implement runtime security monitoring to detect containers with weakened or disabled namespace isolation
• Deploy file integrity monitoring on runc binaries to detect tampering or downgrades
• Use container image scanning to identify configurations with suspiciously large byte array attributes

Monitoring Recommendations

• Enable audit logging for all container creation events and capture namespace configuration details
• Monitor for containers running without expected namespace isolation (user, mount, network, PID namespaces)
• Track container runtime errors related to netlink message parsing or configuration handling
• Implement alerting for any container escape attempts or unexpected host namespace access

How to Mitigate CVE-2021-43784

Immediate Actions Required

• Upgrade runc to version 1.0.3 or later immediately across all container hosts
• Audit all running containers to ensure they are using namespace isolation as expected
• Review and restrict which users and systems can provide container configurations
• Implement image trust policies to prevent untrusted images from running on production systems

Patch Information

The vulnerability is fixed in runc version 1.0.3. Multiple commits address this issue:

• GitHub runc Commit Update - Opens bind mount sources from host userns
• GitHub runc Commit Fix - Avoids netlink message length overflows
• GitHub runc Commit Bug Patch - Merge pull request from GHSA-v95c-p5hm-xq8f

For Debian systems, refer to the Debian LTS Announcement December 2021 for distribution-specific patching guidance.

Workarounds

• Disallow untrusted namespace paths from container configurations to prevent namespace protection bypasses
• Restrict container image sources to trusted registries only and enforce image signing
• Implement strict admission control policies in Kubernetes or other orchestration platforms
• Use seccomp profiles and AppArmor/SELinux to limit container capabilities even if namespace isolation fails

# Configuration example - Verify runc version and update
# Check current runc version
runc --version

# Update runc on Debian/Ubuntu
sudo apt update && sudo apt install runc

# Update runc on RHEL/CentOS
sudo yum update runc

# Verify all containers have proper namespace isolation
docker inspect --format '{{.HostConfig.PidMode}} {{.HostConfig.NetworkMode}}' $(docker ps -q)