Container Escape via Insecure WORKDIR Handling in Docker/Buildkit Affects GPU-based ML Workloads
Overview
A critical container escape vulnerability, part of the 'Leaky Vessels' series, was discovered in the handling of `WORKDIR` commands within container runtimes like runc and build systems like Docker's Buildkit. The vulnerability (CVE-2024-21626) allows an attacker to break out of the container isolation and gain access to the underlying host operating system. In an AI/ML context, this is particularly dangerous. An attacker could publish a malicious Dockerfile to a public registry. When a data scientist or MLOps pipeline uses this Dockerfile to build a container for a training or inference job, the build process itself triggers the vulnerability. Once the attacker escapes to the host, they can potentially access all other containers running on the system, steal sensitive data and model weights, or access powerful GPU hardware for unauthorized purposes like cryptocurrency mining. The impact is severe in multi-tenant Kubernetes clusters used for ML, where different teams' workloads are supposed to be securely isolated. A single malicious build could compromise the entire cluster.
Affected Systems
Testing Guide
1. **Check Runc Version**: On the container host, run `runc --version`. If the reported version is below 1.1.12, the host is vulnerable.
2. **Check Docker Version**: Run `docker version` and confirm that the Server version is 25.0.2 or newer.
3. **Use a Vulnerability Scanner**: Run a host-level vulnerability scanner (such as Trivy or Grype) on the container host nodes; it will flag outdated, vulnerable packages such as runc.
4. **Attempt a Proof-of-Concept (in a controlled environment ONLY)**: Use a publicly available PoC Dockerfile for CVE-2024-21626 to build an image. During the build, observe whether it is possible to read or write files outside the build context on the host filesystem.
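As an added example (not code from the original advisory), the following POSIX shell script automates steps 1 and 2 of the testing guide: it extracts the version from `runc --version` and from the Docker server version string, then compares them numerically against the patched releases named in this advisory. The sample outputs embedded in it are constructed, and the output formats of `runc --version` and `docker version --format '{{.Server.Version}}'` are assumptions about current tool behaviour.

```shell
#!/bin/sh
# Added example: check installed runc / Docker server versions against the
# patched releases (runc 1.1.12, Docker 25.0.2). Not part of the advisory.

# version_ge A B: succeed when dotted numeric version A is >= B.
# Caveat: pre-release suffixes such as "-rc1" are stripped by the callers,
# so a release candidate of the patched version is treated as patched.
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; a=${a#*.}
        y=${b%%.*}; b=${b#*.}
        x=${x:-0}; y=${y:-0}          # missing components count as 0
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# runc_is_patched OUTPUT: OUTPUT is the full text printed by `runc --version`.
runc_is_patched() {
    v=$(printf '%s\n' "$1" | sed -n 's/^runc version \([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] && version_ge "$v" 1.1.12
}

# docker_is_patched VERSION: VERSION is the daemon's reported Server version.
docker_is_patched() {
    v=$(printf '%s\n' "$1" | sed -n 's/^\([0-9][0-9.]*\).*/\1/p' | head -n 1)
    [ -n "$v" ] && version_ge "$v" 25.0.2
}

# Constructed sample outputs (not captured from a real host) for offline use.
SAMPLE_RUNC_OLD='runc version 1.1.11
spec: 1.0.2-dev'
SAMPLE_RUNC_NEW='runc version 1.1.12
spec: 1.0.2-dev'

# Pass --live on a container host to query the real binaries instead.
if [ "${1:-}" = "--live" ]; then
    if runc_is_patched "$(runc --version 2>/dev/null)"; then
        echo "runc: patched (>= 1.1.12)"
    else
        echo "runc: NOT patched, or runc not found"
    fi
    if docker_is_patched "$(docker version --format '{{.Server.Version}}' 2>/dev/null)"; then
        echo "docker: patched (server >= 25.0.2)"
    else
        echo "docker: NOT patched, or daemon unreachable"
    fi
fi
```

A negative result from the version check is only a first signal; the scanner step still matters because distribution packages may backport the fix under an older version number.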
Mitigation Steps
1. **Update Container Runtimes**: Immediately update Docker Engine, containerd, runc, and Buildkit to the patched versions (e.g., Docker 25.0.2+, runc 1.1.12+).
2. **Use Rootless Containers**: Whenever possible, run containers as a non-root user. This adds another layer of defense and can limit the impact of an escape.
3. **Scan Dockerfiles**: Use static analysis tools to scan Dockerfiles from untrusted sources for suspicious patterns or commands before building them.
4. **Apply Stricter Pod Security Policies**: In Kubernetes, apply Pod Security Standards such as `Restricted`, or use policy engines such as Kyverno or OPA Gatekeeper, to prevent containers from running with elevated privileges.
Patch Details
Patches are available in runc 1.1.12, Docker 25.0.2, and Buildkit 0.12.5. Users should upgrade their container infrastructure immediately.