PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in the Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as they relate to our products.
While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful exploitation of these vulnerabilities and are not impacted.
Cortex XSOAR 6 On Premise deployments using Docker 25.0.2 or later are not impacted.
At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these issues.
Protecting our customers is our highest priority. Palo Alto Networks and its Unit 42 threat research team have closely monitored all developments. You can find technical details, regular updates and guidance here: https://www.paloaltonetworks.com/blog/prisma-cloud/leaky-vessels-vulnerabilities-container-escape/.
| CVE | Summary |
|---|---|
| CVE-2024-21626 | Several runc container breakouts due to internally leaked fds. |
| CVE-2024-23651 | BuildKit possible race condition with accessing subpaths from cache mounts. |
| CVE-2024-23652 | BuildKit possible host system access from mount stub cleaner. |
| CVE-2024-23653 | BuildKit interactive containers API does not validate entitlements check. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cortex XSOAR 6 Hosted | None | All |
| Cortex XSOAR 6 On Premise | None | All using Docker 25.0.2 or later |
| Cortex XSOAR 8 | None | All |
| Prisma Cloud Compute | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products. Proofs of concept for CVE-2024-21626 have been observed.
Weakness Type
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-668 Exposure of Resource to Wrong Sphere
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-863 Incorrect Authorization
Solution
Cortex XSOAR 6 On Premise deployments should ensure use of Docker 25.0.2 or higher. For additional guidance in hardening Docker with Cortex XSOAR, please see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide.
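The check below is an added example written for this page; it is not a script shipped by Palo Alto Networks or part of the advisory. It reads the Docker Engine version from the local daemon with `docker version --format '{{.Server.Version}}'` and compares it against the 25.0.2 minimum stated above, so an administrator of a Cortex XSOAR 6 On Premise host can confirm the remediation without eyeballing version strings. The function and variable names (`MIN_DOCKER_VERSION`, `version_ge`, `docker_version_ok`, `check_host`) are hypothetical; the script assumes a POSIX `sh` with `sed`, `tr` and `cut`, and that the caller may query the Docker daemon.

```shell
#!/bin/sh
# Added example, not part of PAN-SA-2024-0002: verify that the Docker Engine
# on a Cortex XSOAR 6 On Premise host meets the advisory's 25.0.2 minimum.

# Minimum fixed version named in the advisory (assumed constant name).
MIN_DOCKER_VERSION="25.0.2"

# norm_version STR: strip a leading "v" and any pre-release/build suffix
# ("25.0.2-rc1" -> "25.0.2"), then print "major minor patch" padded with 0.
norm_version() {
    v=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*$//')
    # shellcheck disable=SC2046  # word-splitting on '.' is intended here
    set -- $(printf '%s' "$v" | tr '.' ' ')
    printf '%d %d %d' "${1:-0}" "${2:-0}" "${3:-0}"
}

# version_ge A B: exit 0 when dotted version A is >= B, numerically per field
# (a plain string comparison would wrongly rank 9.x above 25.x).
version_ge() {
    set -- $(norm_version "$1") $(norm_version "$2")
    # $1 $2 $3 = candidate major/minor/patch, $4 $5 $6 = minimum
    [ "$1" -gt "$4" ] && return 0
    [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0
    [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# docker_version_ok VERSION: exit 0 when VERSION satisfies the advisory minimum.
docker_version_ok() {
    version_ge "$1" "$MIN_DOCKER_VERSION"
}

# check_host: ask the local daemon for its server version and report a verdict.
# Exit status: 0 = compliant, 1 = needs upgrade, 2 = could not determine.
check_host() {
    if ! command -v docker >/dev/null 2>&1; then
        echo "docker CLI not found on this host; nothing to check"
        return 2
    fi
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "cannot reach the Docker daemon (run as root or a docker group member)"
        return 2
    }
    if docker_version_ok "$ver"; then
        echo "OK: Docker Engine $ver >= $MIN_DOCKER_VERSION"
    else
        echo "ACTION NEEDED: Docker Engine $ver < $MIN_DOCKER_VERSION (PAN-SA-2024-0002)"
        return 1
    fi
}

# Run the live check only when invoked as `sh check-docker.sh --check`,
# so the functions can also be sourced and tested without a daemon present.
case "${1:-}" in
    --check) check_host ;;
esac
```

The comparison works on the daemon's version rather than the client's because the vulnerable runc and BuildKit components live on the engine side; a current CLI talking to an old engine would otherwise pass a naive check.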