Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2023-28642

CVE-2023-28642: Linuxfoundation Runc Auth Bypass Flaw

CVE-2023-28642 is an authentication bypass flaw in Linuxfoundation Runc that allows AppArmor bypass via symlinked /proc. This post covers the technical details, affected versions, security impact, and mitigation.

Published:

CVE-2023-28642 Overview

CVE-2023-28642 is a security bypass vulnerability in runc, the CLI tool for spawning and running containers according to the OCI specification. The vulnerability allows attackers to bypass AppArmor security policies when /proc inside the container is symlinked with a specific mount configuration. This security mechanism bypass could enable malicious containers to perform actions that would otherwise be restricted by AppArmor profiles.

Critical Impact

Successful exploitation allows container escape scenarios where AppArmor restrictions are bypassed, potentially enabling unauthorized access to host resources and privilege escalation within containerized environments.

Affected Products

  • Linux Foundation runc versions prior to 1.1.5
  • Container orchestration platforms using vulnerable runc versions
  • Docker and Kubernetes deployments with unpatched runc

Discovery Timeline

  • 2023-03-29 - CVE-2023-28642 published to NVD
  • 2024-12-06 - Last updated in NVD database

Technical Details for CVE-2023-28642

Vulnerability Analysis

This vulnerability stems from improper preservation of permissions (CWE-281) combined with improper link resolution before file access (CWE-59). The flaw allows an attacker to create a symlink for /proc inside a container that points to an attacker-controlled location. When combined with specific mount configurations, this symlink manipulation enables the bypass of AppArmor security profiles that normally restrict container behavior.

The attack requires local access with low privileges and no user interaction, affecting the confidentiality, integrity, and availability of the system. The vulnerability is contained within the scope of the affected container runtime environment.

Root Cause

The root cause lies in runc's handling of the /proc filesystem mount within containers. Prior to the fix, runc did not properly validate whether /proc was a symbolic link before mounting it. This oversight allowed attackers to manipulate the /proc path through symlinks, causing AppArmor to enforce policies on the wrong target, effectively bypassing container security restrictions.

Attack Vector

The attack requires local access to a container environment. An attacker would need to:

  1. Create a container with a malicious configuration that includes a symlinked /proc directory
  2. Configure specific mount options that exploit the symlink handling flaw
  3. Execute code within the container that leverages the AppArmor bypass to perform restricted operations

The vulnerability manifests when runc processes the symlinked /proc path without proper validation. When AppArmor profiles are applied, they may target the symlink destination rather than the actual /proc filesystem, allowing container processes to escape AppArmor restrictions. See the GitHub Pull Request #3785 for detailed technical information about the fix implementation.

Detection Methods for CVE-2023-28642

Indicators of Compromise

  • Unusual symlink configurations within container filesystems, particularly involving /proc
  • Container processes executing operations that should be blocked by AppArmor profiles
  • Audit logs showing AppArmor profile enforcement failures or bypasses
  • Unexpected mount configurations in running containers

Detection Strategies

  • Monitor container runtime configurations for symlinked /proc directories
  • Implement container image scanning to detect malicious configurations before deployment
  • Enable AppArmor audit mode to log policy enforcement attempts and failures
  • Use SentinelOne Singularity Platform for real-time container workload protection and anomaly detection

Monitoring Recommendations

  • Audit container mount configurations for unexpected symlink usage
  • Review AppArmor denial logs for patterns indicating bypass attempts
  • Monitor runc version across all container hosts and ensure patching compliance
  • Implement runtime security monitoring for container escape attempts

How to Mitigate CVE-2023-28642

Immediate Actions Required

  • Upgrade runc to version 1.1.5 or later immediately
  • Audit existing container images for symlinked /proc configurations
  • Avoid running untrusted container images until patching is complete
  • Enable enhanced container runtime monitoring through SentinelOne

Patch Information

The vulnerability has been fixed in runc version 1.1.5. The fix prohibits symlinked /proc directories within containers, preventing the AppArmor bypass condition. Organizations should update their container runtimes to the patched version as soon as possible.

For detailed patch information, refer to the GitHub Pull Request #3785 and the GitHub Security Advisory.

Workarounds

  • Restrict container images to trusted sources only until patching is complete
  • Implement additional container isolation using seccomp profiles alongside AppArmor
  • Use read-only container filesystems where possible to prevent symlink creation
  • Apply network segmentation to limit the impact of potential container escapes
bash
# Verify runc version is patched
runc --version
# Expected: runc version 1.1.5 or higher

# Check for symlinked /proc in running containers
docker inspect --format '{{.Mounts}}' $(docker ps -q) | grep proc

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne