CVE-2023-27561 Overview
CVE-2023-27561 is a privilege escalation vulnerability affecting runc, the widely-used container runtime that underpins Docker, Kubernetes, and other container orchestration platforms. The vulnerability stems from incorrect access control in the libcontainer/rootfs_linux.go component, allowing attackers with the ability to spawn containers to escalate privileges on the host system.
This issue represents a regression of CVE-2019-19921, a previously patched vulnerability that was inadvertently reintroduced. Exploitation requires an attacker to spawn two containers with custom volume-mount configurations and run custom images, making it particularly relevant in multi-tenant container environments.
Critical Impact
Attackers can escalate privileges from within a container to potentially compromise the host system, breaking container isolation boundaries in enterprise container deployments.
Affected Products
- Linux Foundation runc through version 1.1.4
- Red Hat OpenShift Container Platform 4.0
- Red Hat Enterprise Linux 8.0 and 9.0
- Debian Linux 10.0
Discovery Timeline
- 2023-03-03 - CVE-2023-27561 published to NVD
- 2024-12-06 - Last updated in NVD database
Technical Details for CVE-2023-27561
Vulnerability Analysis
The vulnerability resides in the rootfs handling mechanism within runc's libcontainer/rootfs_linux.go file. When containers are configured with custom volume mounts, the access control logic fails to properly validate and restrict file system operations, creating a window for privilege escalation attacks.
This is categorized under CWE-706 (Use of Incorrectly-Resolved Name or Reference), indicating that the vulnerable code improperly resolves or handles file system references during container initialization. The regression from CVE-2019-19921 suggests that a previous fix was either incomplete or inadvertently removed during subsequent code changes.
The attack requires local access with low privileges, but the complexity is high due to the specific conditions needed—namely, the ability to spawn two containers simultaneously with precise volume-mount configurations. Successful exploitation impacts confidentiality, integrity, and availability of the host system.
Root Cause
The root cause lies in the improper handling of file system references during the container rootfs setup process. When processing volume mounts between containers, the code fails to adequately verify the legitimacy of mount point references, allowing an attacker to manipulate these references to gain unauthorized access to host resources.
This regression indicates that the original fix for CVE-2019-19921 did not account for all attack scenarios involving symlink-based attacks or race conditions during the mount process.
Attack Vector
The attack requires local access to the container runtime with the ability to create and configure containers. The attacker must:
- Create two containers with specifically crafted volume-mount configurations
- Manipulate the timing of container startup to exploit race conditions in the rootfs setup
- Use custom container images that facilitate the exploitation process
The exploitation leverages the incorrect access control to escape container boundaries and execute operations with elevated privileges on the host system. A proof-of-concept demonstrating this attack has been documented in a GitHub Gist by LiveOverflow.
Detection Methods for CVE-2023-27561
Indicators of Compromise
- Unusual container spawning patterns involving pairs of containers with custom volume mounts
- Unexpected file system access attempts from container processes targeting host paths
- Container escape indicators such as processes running outside expected namespaces
- Anomalous mount operations in container audit logs
Detection Strategies
- Monitor runc and container runtime logs for errors related to volume mount operations
- Implement audit rules to detect suspicious mount namespace operations
- Use container security tools to flag containers with unusual volume-mount configurations
- Deploy runtime security solutions like SentinelOne Singularity for real-time container threat detection
Monitoring Recommendations
- Enable detailed logging for container runtime operations including mount events
- Set up alerts for containers running with privileged volume-mount configurations
- Monitor for rapid successive container creation attempts from the same user or service account
- Track file access patterns that cross container boundaries
How to Mitigate CVE-2023-27561
Immediate Actions Required
- Upgrade runc to version 1.1.5 or later which addresses this vulnerability
- Audit existing containers for suspicious volume-mount configurations
- Restrict container creation permissions to trusted users and service accounts only
- Apply vendor-specific patches from Red Hat, Debian, and Fedora as applicable
Patch Information
Security updates addressing this vulnerability are available from multiple vendors:
- Debian: Security patches are available through the Debian LTS Security Announcement
- Fedora: Updates distributed via Fedora Package Announcements
- Red Hat: Patches available for OpenShift Container Platform and Enterprise Linux through Red Hat's security advisory channels
- NetApp: Advisory available for affected NetApp products via NetApp Security Advisory
The upstream fix is tracked in the runc GitHub Issue #3751.
Workarounds
- Disable custom volume mounts where not strictly required
- Implement pod security policies or admission controllers to restrict volume-mount configurations
- Use read-only root filesystems for containers where possible
- Apply SELinux or AppArmor profiles to limit container capabilities
# Verify runc version and check for vulnerability
runc --version
# Example: Restrict volume mounts via Kubernetes PodSecurityPolicy
# Ensure containers cannot mount sensitive host paths
kubectl apply -f - <<EOF
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: restricted-volumes
spec:
volumes:
- 'configMap'
- 'emptyDir'
- 'secret'
- 'persistentVolumeClaim'
allowedHostPaths: []
EOF
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
