VDE-2024-016

Vulnerability from csaf_adstecindustrialitgmbh - Published: 2024-02-19 07:00 - Updated: 2025-05-22 13:03
Summary
ADS-TEC Industrial IT: Docker vulnerability affects multiple products
Notes
Summary: The affected products and versions are vulnerable because they integrate a vulnerable software component, the Docker runc <= 1.1.11. In the worst-case scenario, the integrated Docker container environment could be compromised, potentially enabling the execution of arbitrary code within the Docker environment or neighboring Docker containers if Dockerfiles or Docker images from untrusted sources are utilized. It's crucial to emphasize that while the Docker environment is vulnerable, the host operating system remains unharmed due to its isolation from the Docker environment within the ads-tec products. Using Docker images or Dockerfiles from untrusted sources poses a risk. This advice is especially pertinent for Docker use in productive operational technology (OT) environments, and it's our expectation that our customers adhere strictly to this guidance anyway.
Impact: In ads-tec products, Docker is integrated using a rootless mode, altering the impact of vulnerabilities. A potential attacker's ability to compromise the Docker environment is confined to the Docker user level and the writable, isolated ("chrooted") filesystem environment. As a result, while the attacker may affect all Docker containers on the system and potentially cause a denial of service (DoS) on the main operating system, they cannot directly compromise the main operating system's integrity.
Mitigation: Follow the suggestions of the Docker project: If you are unable to update to an unaffected version promptly after it is released, follow these best practices to mitigate risk:
- Only use trusted Docker images
- Don't build Docker images from untrusted sources or untrusted Dockerfiles.
For users who wish to ensure their device remains secure and there is an indication that the device may have been compromised, we recommend updating the device firmware and reinstalling all Docker images. The update process for the device will clear and reset the writable parts of the chroot filesystem environment, ensuring no remnants are left behind. This precautionary measure is advised only if there's evidence suggesting that the docker environment on the device might be compromised.
Remediation: The issue is resolved with IRF1000 version 1.6.10 and IRF3000 version 1.3.10

runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem ("attack 2"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run ("attack 1"). Variants of attacks 1 and 2 could also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes ("attack 3a" and "attack 3b"). runc 1.1.12 includes patches for this issue.

CWE-668 - Exposure of Resource to Wrong Sphere
Mitigation: Follow the suggestions of the Docker project: If you are unable to update to an unaffected version promptly after it is released, follow these best practices to mitigate risk:
- Only use trusted Docker images
- Don't build Docker images from untrusted sources or untrusted Dockerfiles.
For users who wish to ensure their device remains secure and there is an indication that the device may have been compromised, we recommend updating the device firmware and reinstalling all Docker images. The update process for the device will clear and reset the writable parts of the chroot filesystem environment, ensuring no remnants are left behind. This precautionary measure is advised only if there's evidence suggesting that the docker environment on the device might be compromised.
Vendor Fix: The issue is resolved with IRF1000 version 1.6.10 and IRF3000 version 1.3.10
Acknowledgments
CERT@VDE certvde.com

{
  "document": {
    "acknowledgments": [
      {
        "organization": "CERT@VDE",
        "summary": "coordination",
        "urls": [
          "https://certvde.com"
        ]
      }
    ],
    "category": "csaf_security_advisory",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en-GB",
    "notes": [
      {
        "category": "summary",
        "text": "The affected products and versions present a vulnerability due to a vulnerable integrated software component the docker runc \u003c= 1.1.11. In the worst-case scenario, the integrated Docker container environment could be compromised, potentially enabling the execution of arbitrary code within the Docker environment or neighboring Docker containers if dockerfiles or Docker images from untrusted sources are utilized.\n\nIt\u0027s crucial to emphasize that while the Docker environment is vulnerable, the host operating system remains\nunharmed due to its isolation from the Docker environment within the ads-tec products.\n\nUsing Docker images or Dockerfiles from untrusted sources poses a risk. This advice is especially pertinent for Docker use in productive operational technology (OT) environments, and it\u0027s our expectation that our customers adhere strictly to this guidance anyway.",
        "title": "Summary"
      },
      {
        "category": "description",
        "text": "In ads-tec products, Docker is integrated using a rootless mode, altering the impact of vulnerabilities. A potential attacker\u0027s ability to compromise the Docker environment is confined to the Docker user level and the writable, isolated (\"chrooted\") filesystem environment. As a result, while the attacker may affect all Docker containers on the system and potentially cause a denial of service (DoS) on the main operating system, they cannot directly compromise the main operating system\u0027s integrity.",
        "title": "Impact"
      },
      {
        "category": "description",
        "text": "Follow the suggestions of the Docker project:\nIf you are unable to update to an unaffected version promptly after it is released, follow these best practices to mitigate risk:\n\n- Only use trusted Docker images\n- Don\u0027t build Docker images from untrusted sources or untrusted Dockerfiles.\n\nFor users who wish to ensure their device remains secure and there is an indication that the device may have\nbeen compromised, we recommend updating the device firmware and reinstalling all Docker images. The update process for the device will clear and reset the writable parts of the chroot filesystem environment, ensuring no remnants are left behind. This precautionary measure is advised only if there\u0027s evidence suggesting that the docker environment on the device might be compromised.",
        "title": "Mitigation"
      },
      {
        "category": "description",
        "text": "The issue is resolved with IRF1000 version 1.6.10 and IRF3000 version 1.3.10",
        "title": "Remediation"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "psirt@ads-tec.de",
      "name": "ads-tec Industrial IT GmbH",
      "namespace": "https://www.ads-tec-iit.com"
    },
    "references": [
      {
        "category": "self",
        "summary": "VDE-2024-016: ADS-TEC Industrial IT: Docker vulnerability affects multiple products - HTML",
        "url": "https://certvde.com/en/advisories/VDE-2024-016/"
      },
      {
        "category": "self",
        "summary": "VDE-2024-016: ADS-TEC Industrial IT: Docker vulnerability affects multiple products - CSAF",
        "url": "https://ads-tec-iit.csaf-tp.certvde.com/.well-known/csaf/white/2024/vde-2024-016.json"
      },
      {
        "category": "external",
        "summary": "Vendor PSIRT",
        "url": "https://www.ads-tec-iit.com"
      },
      {
        "category": "external",
        "summary": "CERT@VDE Security Advisories for ads-tec Industrial IT GmbH",
        "url": "https://certvde.com/en/advisories/vendor/ads-tec-iit/"
      }
    ],
    "title": "ADS-TEC Industrial IT: Docker vulnerability affects multiple products",
    "tracking": {
      "aliases": [
        "VDE-2024-016"
      ],
      "current_release_date": "2025-05-22T13:03:10.000Z",
      "generator": {
        "date": "2025-04-24T07:23:02.245Z",
        "engine": {
          "name": "Secvisogram",
          "version": "2.5.23"
        }
      },
      "id": "VDE-2024-016",
      "initial_release_date": "2024-02-19T07:00:00.000Z",
      "revision_history": [
        {
          "date": "2024-02-19T07:00:00.000Z",
          "number": "1",
          "summary": "Initial revision."
        },
        {
          "date": "2025-05-22T13:03:10.000Z",
          "number": "2",
          "summary": "Fix: quotation mark"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "IRF1000",
                "product": {
                  "name": "IRF1000",
                  "product_id": "CSAFPID-11001",
                  "product_identification_helper": {
                    "model_numbers": [
                      "DVG-IRF1401, DVG-IRF1421"
                    ]
                  }
                }
              },
              {
                "category": "product_name",
                "name": "IRF3000",
                "product": {
                  "name": "IRF3000",
                  "product_id": "CSAFPID-11002",
                  "product_identification_helper": {
                    "model_numbers": [
                      "DVG-IRF3401, DVG-IRF3421, DVG-IRF3801. DVG-IRF3821"
                    ]
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Hardware"
          },
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c=1.6.9",
                "product": {
                  "name": "Firmware \u003c=1.6.9",
                  "product_id": "CSAFPID-21001"
                }
              },
              {
                "category": "product_version_range",
                "name": "\u003c=1.3.9",
                "product": {
                  "name": "Firmware \u003c=1.3.9",
                  "product_id": "CSAFPID-21002"
                }
              },
              {
                "category": "product_version",
                "name": "1.6.10",
                "product": {
                  "name": "Firmware 1.6.10",
                  "product_id": "CSAFPID-22001"
                }
              },
              {
                "category": "product_version",
                "name": "1.3.10",
                "product": {
                  "name": "Firmware 1.3.10",
                  "product_id": "CSAFPID-22002"
                }
              }
            ],
            "category": "product_family",
            "name": "Firmware"
          }
        ],
        "category": "vendor",
        "name": "ads-tec Industrial IT"
      }
    ],
    "product_groups": [
      {
        "group_id": "CSAFGID-0001",
        "product_ids": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ],
        "summary": "Affected products."
      },
      {
        "group_id": "CSAFGID-0002",
        "product_ids": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "summary": "Fixed products."
      }
    ],
    "relationships": [
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=1.6.9 installed on IRF1000",
          "product_id": "CSAFPID-31001"
        },
        "product_reference": "CSAFPID-21001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware \u003c=1.3.9 installed on IRF3000",
          "product_id": "CSAFPID-31002"
        },
        "product_reference": "CSAFPID-21002",
        "relates_to_product_reference": "CSAFPID-11002"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.6.10 installed on IRF1000",
          "product_id": "CSAFPID-32001"
        },
        "product_reference": "CSAFPID-22001",
        "relates_to_product_reference": "CSAFPID-11001"
      },
      {
        "category": "installed_on",
        "full_product_name": {
          "name": "Firmware 1.3.10 installed on IRF3000",
          "product_id": "CSAFPID-32002"
        },
        "product_reference": "CSAFPID-22002",
        "relates_to_product_reference": "CSAFPID-11002"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2024-21626",
      "cwe": {
        "id": "CWE-668",
        "name": "Exposure of Resource to Wrong Sphere"
      },
      "notes": [
        {
          "category": "description",
          "text": "runc is a CLI tool for spawning and running containers on Linux according to the OCI specification. In runc 1.1.11 and earlier, due to an internal file descriptor leak, an attacker could cause a newly-spawned container process (from runc exec) to have a working directory in the host filesystem namespace, allowing for a container escape by giving access to the host filesystem (\"attack 2\"). The same attack could be used by a malicious image to allow a container process to gain access to the host filesystem through runc run (\"attack 1\"). Variants of attacks 1 and 2 could be also be used to overwrite semi-arbitrary host binaries, allowing for complete container escapes (\"attack 3a\" and \"attack 3b\"). runc 1.1.12 includes patches for this issue. ",
          "title": "Vulnerability Description"
        }
      ],
      "product_status": {
        "fixed": [
          "CSAFPID-32001",
          "CSAFPID-32002"
        ],
        "known_affected": [
          "CSAFPID-31001",
          "CSAFPID-31002"
        ]
      },
      "remediations": [
        {
          "category": "mitigation",
          "details": "Follow the suggestions of the Docker project:If you are unable to update to an unaffected version promptly after it is released, follow these best practices to mitigate risk:\n\nOnly use trusted Docker images\nDon\u0027t build Docker images from untrusted sources or untrusted Dockerfiles.\n\nFor users who wish to ensure their device remains secure and there is an indication that the device may havebeen compromised, we recommend updating the device firmware and reinstalling all Docker images. The update process for the device will clear and reset the writable parts of the chroot filesystem environment, ensuring no remnants are left behind. This precautionary measure is advised only if there\u0027s evidence suggesting that the docker environment on the device might be compromised.",
          "group_ids": [
            "CSAFGID-0001"
          ]
        },
        {
          "category": "vendor_fix",
          "details": "The issue is resolved with IRF1000 version 1.6.10 and IRF3000 version 1.3.10",
          "group_ids": [
            "CSAFGID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 8.6,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "environmentalScore": 8.6,
            "environmentalSeverity": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "temporalScore": 8.6,
            "temporalSeverity": "HIGH",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-31001",
            "CSAFPID-31002"
          ]
        }
      ],
      "title": "CVE-2024-21626"
    }
  ]
}

