PT-2021-3569 · Runc+8
Etienne Champetier · Published 2016-08-03 · Updated 2025-08-08
CVE-2021-30465
CVSS v2.0: 8.5 (High)
| Vector | AV:N/AC:M/Au:S/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
runc versions prior to 1.0.0-rc95
Description
The issue allows a container filesystem breakout via directory traversal. To exploit it, an attacker must be able to create multiple containers with a fairly specific mount configuration. The flaw is a symlink-exchange attack that relies on a race condition, specifically a time-of-check-to-time-of-use (TOCTTOU) window between the check of a mount target path and the mount itself. The attacker creates a symlink inside a volume that points at the top-level directory from which volumes are sourced, then uses that symlink as the target of a mount. Because the source of the mount is an attacker-controlled directory, the host filesystem can be bind-mounted into the container. Recommended container hardening mechanisms such as LSMs (AppArmor/SELinux) and user namespaces restrict the damage, but they do not block the attack outright.
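The defence against this class of path race is to stop trusting a path name that was checked earlier and instead walk the target one component at a time from an already-opened directory descriptor, refusing to follow symlinks at every step. The following Python is an added illustration of that principle written for this page; it is not runc's code and does not reproduce the actual rc95 fix. The directory layout it builds under a temporary directory is constructed for the demonstration, and `naive_target_is_inside`, `open_beneath`, `target_is_safe` and `run_scenario` are names chosen here.

```python
import os
import tempfile

# Added illustration of the check-then-use path race described in the advisory
# and of the fd-based walk that closes it. Not runc's code; the tree is constructed.

FLAGS = os.O_RDONLY | os.O_DIRECTORY


def naive_target_is_inside(rootfs, rel_path):
    """The racy pattern: resolve the path once, decide, and use the *name* later.

    Between this check and the later mount, a directory component can be swapped
    for a symlink, so the name no longer refers to what was checked.
    """
    root = os.path.realpath(rootfs)
    target = os.path.realpath(os.path.join(root, rel_path))
    return target == root or target.startswith(root + os.sep)


def open_beneath(rootfs, rel_path):
    """Open rel_path beneath rootfs one component at a time, refusing symlinks.

    Each component is opened relative to the fd of the directory just opened,
    with O_NOFOLLOW, so the walk is bound to directories the kernel already
    handed us; a symlink swapped in at any point makes that open fail (ELOOP)
    instead of redirecting the walk. A leading '/' is treated as rootfs-relative.
    Returns an O_DIRECTORY fd that the caller must close.
    """
    fd = os.open(rootfs, FLAGS)
    try:
        for comp in rel_path.split("/"):
            if comp in ("", "."):
                continue
            if comp == "..":
                raise ValueError("'..' component refused: %r" % rel_path)
            nfd = os.open(comp, FLAGS | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd


def target_is_safe(rootfs, rel_path):
    """True if rel_path is reachable beneath rootfs without following any symlink."""
    try:
        fd = open_beneath(rootfs, rel_path)
    except (OSError, ValueError):
        return False
    os.close(fd)
    return True


def build_demo_tree():
    """Constructed layout: <root>/rootfs/volume/data is a plain directory and
    <root>/outside stands in for a host directory. Returns (root, rootfs)."""
    root = tempfile.mkdtemp(prefix="path-race-demo-")
    rootfs = os.path.join(root, "rootfs")
    os.makedirs(os.path.join(rootfs, "volume", "data"))
    os.makedirs(os.path.join(root, "outside"))
    return root, rootfs


def swap_in_symlink(rootfs, rel_path, link_target):
    """Simulate the window between check and use: replace a directory with a
    symlink of the same name pointing at link_target."""
    path = os.path.join(rootfs, rel_path)
    os.rmdir(path)
    os.symlink(link_target, path)


def run_scenario():
    """Check, swap, then use: the stale check is what the race exploits."""
    root, rootfs = build_demo_tree()
    before = naive_target_is_inside(rootfs, "volume/data")   # True at check time
    swap_in_symlink(rootfs, "volume/data", os.path.join(root, "outside"))
    after = naive_target_is_inside(rootfs, "volume/data")    # the same name now escapes
    fd_walk = target_is_safe(rootfs, "volume/data")          # fd walk refuses the symlink
    return {"naive_before_swap": before,
            "naive_after_swap": after,
            "fd_walk_after_swap": fd_walk}


if __name__ == "__main__":
    print(run_scenario())
```

The point of `open_beneath` is that the result of the check and the object that gets used are the same kernel object (the descriptor), so there is no window in which the name can be redirected; the mount would be performed on that descriptor rather than on the path string.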
Recommendations
For versions prior to 1.0.0-rc95, update to version 1.0.0-rc95 or later to fix the issue. As a temporary workaround, consider restricting access to the vulnerable runc functionality until a patch is applied, and enforce running containers with more confined security profiles, such as reduced capabilities, not running code as root in the container, user namespaces, AppArmor/SELinux, and seccomp.
Fix
DoS
Race Condition
Time Of Check To Time Of Use
Link Following
Path traversal
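Checking a fleet against "prior to 1.0.0-rc95" needs a comparison that understands runc's release-candidate numbering: every 1.0.0-rcN is older than the final 1.0.0, which a plain string comparison gets backwards. The following Python is an added example for this page, not a runc tool; `version_key`, `is_affected` and `audit` are names chosen here, and the `runc --version` sample is constructed with a placeholder commit line.

```python
import re

# Added example, not runc's own code: decide whether a runc version string is
# prior to 1.0.0-rc95, the first fixed release named in the advisory.

FIRST_FIXED = "1.0.0-rc95"

_VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-rc(\d+))?")


def version_key(version):
    """Turn '1.0.0-rc93', 'v1.0.2' or the first line of `runc --version`
    ('runc version 1.0.0-rc93') into a comparable tuple.

    A final release gets rc = infinity so that 1.0.0-rc95 < 1.0.0 < 1.0.1,
    whereas a string comparison would sort '1.0.0' before '1.0.0-rc95'.
    """
    m = _VERSION_RE.search(version)
    if not m:
        raise ValueError("unrecognised runc version: %r" % version)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch),
            int(rc) if rc is not None else float("inf"))


def is_affected(version):
    """True when the version is prior to 1.0.0-rc95 (affected by CVE-2021-30465)."""
    return version_key(version) < version_key(FIRST_FIXED)


# Constructed sample of `runc --version` output; the commit line is a placeholder.
SAMPLE_OUTPUT = """runc version 1.0.0-rc93
commit: <commit-id-placeholder>
spec: 1.0.2-dev
"""


def audit(output):
    """Take full `runc --version` output (first line carries the version) and report."""
    first_line = output.splitlines()[0]
    return {"version": _VERSION_RE.search(first_line).group(0),
            "affected": is_affected(first_line)}


if __name__ == "__main__":
    print(audit(SAMPLE_OUTPUT))
```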
Related Identifiers
Affected Products
Alt Linux
Almalinux
Centos
Linuxmint
Red Hat
Rocky Linux
Suse
Ubuntu
Runc