CVE-2023-27561 : runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privile

runc through 1.1.4 has Incorrect Access Control leading to Escalation of Privileges, related to libcontainer/rootfs_linux.go. To exploit this, an attacker must be able to spawn two containers with custom volume-mount configurations, and be able to run custom images. NOTE: this issue exists because of a CVE-2019-19921 regression.

Published 2023-03-03 19:15:11

Updated 2024-12-06 14:15:19

Source MITRE

View at NVD, CVE.org

Products affected by CVE-2023-27561

Debian » Debian Linux » Version: 10.0
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 8.0
cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
Matching versions
Redhat » Enterprise Linux » Version: 9.0
cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*
Matching versions
Redhat » Openshift Container Platform » Version: 4.0
cpe:2.3:a:redhat:openshift_container_platform:4.0:*:*:*:*:*:*:*
Matching versions
Linuxfoundation » Runc
Versions before (<) 1.1.5
cpe:2.3:a:linuxfoundation:runc:*:*:*:*:*:*:*:*
Matching versions

Threat overview for CVE-2023-27561

Top countries where our scanners detected CVE-2023-27561

Top open port discovered on systems with this issue 53

IPs affected by CVE-2023-27561 41,818

Threat actors abusing to this issue? Yes

Find out if you^* are affected by CVE-2023-27561!

^*Directly or indirectly through your vendors, service providers and 3rd parties. Powered by attack surface intelligence from SecurityScorecard.

Exploit prediction scoring system (EPSS) score for CVE-2023-27561

EPSS FAQ

0.11%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 30 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2023-27561

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2024-07-03
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
7.0	HIGH	CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H	1.0	5.9	NIST
Attack Vector: Local Attack Complexity: High Privileges Required: Low User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2023-27561

CWE-706 Use of Incorrectly-Resolved Name or Reference

The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2023-27561

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/

[SECURITY] Fedora 36 Update: runc-1.1.6-1.fc36 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/
https://github.com/opencontainers/runc/issues/2197#issuecomment-1437617334

[CVE-2019-19921]: Volume mount race condition with shared mounts · Issue #2197 · opencontainers/runc · GitHub
Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DHGVGGMKGZSJ7YO67TGGPFEHBYMS63VF/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/

[SECURITY] Fedora 37 Update: runc-1.1.6-1.fc37 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FYVE3GB4OG3BNT5DLQHYO4M5SXX33AQ5/

[SECURITY] Fedora 38 Update: runc-1.1.6-1.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://security.netapp.com/advisory/ntap-20241206-0004/

CVE-2023-27561 runc Vulnerability in NetApp Products | NetApp Product Security
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I6BF24VCZRFTYBTT3T7HDZUOTKOTNPLZ/
https://lists.debian.org/debian-lts-announce/2023/03/msg00023.html

[SECURITY] [DLA 3369-1] runc security update
Mailing List;Third Party Advisory

CVEs referencing this url
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ANUGDBJ7NBUMSUFZUSKU3ZMQYZ2Z3STN/

[SECURITY] Fedora 37 Update: golang-github-opencontainers-runc-1.1.8-2.fc37 - package-announce - Fedora Mailing-Lists

CVEs referencing this url
https://gist.github.com/LiveOverflow/c937820b688922eb127fb760ce06dab9

runc_poc.md · GitHub
Exploit;Third Party Advisory
https://github.com/opencontainers/runc/issues/3751

CVE-2019-19921 re-introduction/regression · Issue #3751 · opencontainers/runc · GitHub
Issue Tracking;Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNB2UEDIIJCRQW4WJLZOPQJZXCVSXMLD/

[SECURITY] Fedora 38 Update: golang-github-opencontainers-runc-1.1.8-2.fc38 - package-announce - Fedora Mailing-Lists

CVEs referencing this url