Docker & Kubernetes container breakout security bug CVE-2024-21626 (Ep 253)
ฝัง
- เผยแพร่เมื่อ 7 ก.พ. 2024
- Last week, Snyk, announced multiple CVEs affecting Docker, containerd, AWS EKS, Red Hat, Ubuntu, and hundreds of products shipping runc or buildkit. I'll explain what's going on and how I see the risk in these vulnerabilities, and maybe we'll go down memory lane with a history of container breakout bugs.
Runc
CVE-2024-21626
BuildKit
CVE-2024-23650
CVE-2024-23651
CVE-2024-23652
CVE-2024-23653
Moby
CVE-2024-2455
🗞️ Sign up for my weekly newsletter for the latest on upcoming guests and what I'm releasing: www.bretfisher.com/newsletter/
Topics
=====
Snyk "Leaky Vessels" CVE-2024-21626 snyk.io/blog/cve-2024-21626-r...
Docker Security Advisory www.docker.com/blog/docker-se...
NVD CVE nvd.nist.gov/vuln/detail/CVE-...
Runc github.com/opencontainers/run...
The Secure Developer Podcast episode deep dive www.devseccon.com/the-secure-...
Bret Fisher
=========
/ bretfisher
/ bretefisher
www.bretfisher.com
Join my Community 🤜🤛
================
💌 Weekly newsletter on upcoming guests and stuff I'm working on: www.bretfisher.com/newsletter/
💬 Join the discussion on our Discord chat server / discord
👨🏫 Coupons for my Docker and Kubernetes courses www.bretfisher.com/courses/
🎙️ Podcast of this show www.bretfisher.com/podcast
Show Music 🎵
==========
waiting music: Jakarta - Bonsaye www.epidemicsound.com/track/Y...
intro music: I Need A Remedy (Instrumental Version) - Of Men And Wolves www.epidemicsound.com/track/z...
outro music: Electric Ballroom - Quesa www.epidemicsound.com/track/K... - วิทยาศาสตร์และเทคโนโลยี
thanks Bret. I learned something new each week
Thanks for watching!
Can this still be exploited inside a running container with an image you don't have access to? More specifically, an image managed by a k8s actions runner controller. What about a malicious Actions workflow to run jobs on said container?
It's only exploited during container startup, and could be in any image that someone previously exploited that you've downloaded to run, or if someone changes the runtime parameters on an existing image to startup with different settings. Once a container has started the COMMAND, you can't exploit it AFAIK.
Thanks for demonstration can this be exploited with synk tool
Which they have build
Can I use static code analyser to exploit this ?
*Promo SM* 😋