CVE-2023-28642 Overview
CVE-2023-28642 is a security bypass vulnerability in runc, the CLI tool for spawning and running containers according to the OCI specification. The vulnerability allows attackers to bypass AppArmor security policies when /proc inside the container is symlinked with a specific mount configuration. This security mechanism bypass could enable malicious containers to perform actions that would otherwise be restricted by AppArmor profiles.
Critical Impact
Successful exploitation allows container escape scenarios where AppArmor restrictions are bypassed, potentially enabling unauthorized access to host resources and privilege escalation within containerized environments.
Affected Products
- Linux Foundation runc versions prior to 1.1.5
- Container orchestration platforms using vulnerable runc versions
- Docker and Kubernetes deployments with unpatched runc
Discovery Timeline
- 2023-03-29 - CVE-2023-28642 published to NVD
- 2024-12-06 - Last updated in NVD database
Technical Details for CVE-2023-28642
Vulnerability Analysis
This vulnerability stems from improper preservation of permissions (CWE-281) combined with improper link resolution before file access (CWE-59). The flaw allows an attacker to create a symlink for /proc inside a container that points to an attacker-controlled location. When combined with specific mount configurations, this symlink manipulation enables the bypass of AppArmor security profiles that normally restrict container behavior.
The attack requires local access with low privileges and no user interaction, affecting the confidentiality, integrity, and availability of the system. The vulnerability is contained within the scope of the affected container runtime environment.
Root Cause
The root cause lies in runc's handling of the /proc filesystem mount within containers. Prior to the fix, runc did not properly validate whether /proc was a symbolic link before mounting it. This oversight allowed attackers to manipulate the /proc path through symlinks, causing AppArmor to enforce policies on the wrong target, effectively bypassing container security restrictions.
Attack Vector
The attack requires local access to a container environment. An attacker would need to:
- Create a container with a malicious configuration that includes a symlinked /proc directory
- Configure specific mount options that exploit the symlink handling flaw
- Execute code within the container that leverages the AppArmor bypass to perform restricted operations
The vulnerability manifests when runc processes the symlinked /proc path without proper validation. When AppArmor profiles are applied, they may target the symlink destination rather than the actual /proc filesystem, allowing container processes to escape AppArmor restrictions. See the GitHub Pull Request #3785 for detailed technical information about the fix implementation.
Detection Methods for CVE-2023-28642
Indicators of Compromise
- Unusual symlink configurations within container filesystems, particularly involving /proc
- Container processes executing operations that should be blocked by AppArmor profiles
- Audit logs showing AppArmor profile enforcement failures or bypasses
- Unexpected mount configurations in running containers
Detection Strategies
- Monitor container runtime configurations for symlinked /proc directories
- Implement container image scanning to detect malicious configurations before deployment
- Enable AppArmor audit mode to log policy enforcement attempts and failures
- Use SentinelOne Singularity Platform for real-time container workload protection and anomaly detection
Monitoring Recommendations
- Audit container mount configurations for unexpected symlink usage
- Review AppArmor denial logs for patterns indicating bypass attempts
- Monitor runc version across all container hosts and ensure patching compliance
- Implement runtime security monitoring for container escape attempts
How to Mitigate CVE-2023-28642
Immediate Actions Required
- Upgrade runc to version 1.1.5 or later immediately
- Audit existing container images for symlinked /proc configurations
- Avoid running untrusted container images until patching is complete
- Enable enhanced container runtime monitoring through SentinelOne
Patch Information
The vulnerability has been fixed in runc version 1.1.5. The fix prohibits symlinked /proc directories within containers, preventing the AppArmor bypass condition. Organizations should update their container runtimes to the patched version as soon as possible.
For detailed patch information, refer to the GitHub Pull Request #3785 and the GitHub Security Advisory.
Workarounds
- Restrict container images to trusted sources only until patching is complete
- Implement additional container isolation using seccomp profiles alongside AppArmor
- Use read-only container filesystems where possible to prevent symlink creation
- Apply network segmentation to limit the impact of potential container escapes
# Verify runc version is patched
runc --version
# Expected: runc version 1.1.5 or higher
# Check for symlinked /proc in running containers
docker inspect --format '{{.Mounts}}' $(docker ps -q) | grep proc
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
