Palo Alto Networks Security Advisories / PAN-SA-2024-0002

PAN-SA-2024-0002 Impact of Leaky Vessels Vulnerabilities (CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653)

Urgency N/A

047910
Severity 0 · NONE
Response Effort Not applicable
Recovery Not applicable
Value Density Not applicable
Attack Vector Not applicable
Attack Complexity Not applicable
Attack Requirements Not applicable
Automatable Not applicable
User Interaction Not applicable
Product Confidentiality NONE
Product Integrity NONE
Product Availability NONE
Privileges Required Not applicable
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

The Palo Alto Networks Product Security Assurance team has evaluated the four vulnerabilities in Open Container Initiative's runc and Moby BuildKit software (collectively known as "Leaky Vessels") as it relates to our products.

While Cortex XSOAR 8, Cortex XSOAR 6 Hosted, and Prisma Cloud Compute rely on this software, they do not offer any scenarios required for the successful exploitation of these vulnerabilities and are not impacted.

Cortex XSOAR 6 On Premise deployments using Docker 25.0.2 or later are not impacted.

At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these issues.

Protecting our customers is our highest priority. Palo Alto Networks and its Unit 42 threat research team have closely monitored all developments. You can find technical details, regular updates and guidance here: https://www.paloaltonetworks.com/blog/prisma-cloud/leaky-vessels-vulnerabilities-container-escape/.

CVESummary
CVE-2024-21626Several runc container breakouts due to internally leaked fds.
CVE-2024-23651BuildKit possible race condition with accessing subpaths from cache mounts.
CVE-2024-23652BuildKit possible host system access from mount stub cleaner.
CVE-2024-23653BuildKit interactive containers API does not validate entitlements check.

Product Status

VersionsAffectedUnaffected
Cortex XSOAR 6 HostedNoneAll
Cortex XSOAR 6 On PremiseNoneAll using Docker 25.0.2 or later
Cortex XSOAR 8NoneAll
Prisma Cloud Compute NoneAll

Severity: NONE, Suggested Urgency: N/A

CVSS-B: 0.0 (CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of these issues in any of our products. Proof of concepts for CVE-2024-21626 have been observed.

Weakness Type

CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

CWE-668 Exposure of Resource to Wrong Sphere

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-863 Incorrect Authorization

Solution

Cortex XSOAR 6 On Premise deployments should ensure use of Docker 25.0.2 or higher. For additional guidance in hardening Docker with Cortex XSOAR, please see https://docs-cortex.paloaltonetworks.com/r/Cortex-XSOAR/6.5/Cortex-XSOAR-Administrator-Guide/Docker-Hardening-Guide.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.