Container Breakout Vulnerabilities
A list of CVEs in the various parts of the container stack that could allow for unauthorised access to host resources (e.g. filesystem, network stack) from a container.
With Linux kernel issues it can be tricky to say whether they are container escapes or not, so this list generally includes only those where a container escape has been demonstrated.
Linux CVEs
- CVE-2022-0185 - Local privilege escalation; needs CAP_SYS_ADMIN either at the host level or in a user namespace.
- CVE-2021-31440 - eBPF incorrect bounds calculation allows privilege escalation.
- CVE-2017-1000112 - Memory corruption in UFO (UDP Fragmentation Offload) packet handling.
- CVE-2016-5195 (a.k.a. 'Dirty COW') - Race condition leading to incorrect handling of copy-on-write.
- CVE-2017-5123 - Vulnerability in the waitid syscall.
runc CVEs
- CVE-2021-30465 - Race condition when mounting volumes into a container allows host access.
- CVE-2019-5736 - Overwrite of the runc binary on the host system at container start.
- CVE-2016-9962 - Access to a host file descriptor allows breakout.
Docker CVEs
- CVE-2021-21284 - When using user namespaces, a user with some access to the host filesystem can modify files they should not have access to.
Kubernetes CVEs
- CVE-2021-25741 - Race condition when using hostPath volumes allows privileged access to the host filesystem.
- CVE-2021-25737 - Unauthorized access to the host network stack by using endpoint slices.
- CVE-2017-1002101 - Subpath volume mount handling allows arbitrary file access on the host filesystem.
- CVE-2017-1002102 - Arbitrary deletion of files on the host is possible when using some Kubernetes volume types.
Reference Links