
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2024-45310 affects runc, a CLI tool for spawning and running containers according to the OCI specification. The vulnerability was disclosed on September 3, 2024, and affects runc versions 1.1.13 and earlier, as well as 1.2.0-rc2 and earlier. It allows an attacker to create empty files or directories at arbitrary locations in the host filesystem by winning a race condition against os.MkdirAll when volumes are shared between containers (GitHub Advisory, OSS Security).
The vulnerability stems from a race condition in which runc can be tricked into creating empty files or directories outside the intended container filesystem. runc uses SecureJoin to resolve the target path safely inside the container rootfs, but that resolution gives no protection if the path is changed after it has been resolved (a time-of-check/time-of-use race). os.MkdirAll then follows a symlink in one of the path components and can create a directory on the host. The vulnerability has been assigned a CVSS v3.1 score of 3.6 (Low) with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N (GitHub Advisory).
While the vulnerability allows creation of empty files and directories at arbitrary locations, it cannot truncate existing files. The practical impact is denial of service, for example by creating directories in conf.d-style locations where the consuming daemon does not handle subdirectories properly. The scope of the attack is significantly limited by user namespaces and LSM policies (OSS Security, OSS Security Discussion).
The issue is fixed in runc versions 1.1.14 and 1.2.0-rc3. For users unable to upgrade immediately, two workarounds are available. Running containers with user namespaces restricts the attack to directories where the remapped root user or group has write access, which in most cases means only world-writable directories. Additionally, a strict SELinux or AppArmor policy can restrict the scope further if a specific label is applied to the runc runtime (GitHub Advisory).
Security researchers have debated the severity rating of the vulnerability, with some questioning whether arbitrary file creation should always be considered low severity. Discussions highlighted potential security implications of empty file creation in specific contexts, such as creating /etc/nologin or empty override files that might affect system service behavior (OSS Security Discussion).
Source: This report was generated using AI