Detecting 'Leaky Vessels' Exploitation in Docker and Kubernetes

Blog post from Sysdig

Post Details
Company: Sysdig
Date Published:
Author: Michael Clark
Word Count: 1,196
Language: English
Hacker News Points: -
Summary

In a recent announcement, Snyk identified four critical vulnerabilities in Kubernetes and Docker that could lead to supply chain attacks if exploited by attackers who gain control over Dockerfiles. The vulnerabilities, labeled CVE-2024-21626, CVE-2024-23651, CVE-2024-23652, and CVE-2024-23653, involve race conditions and flawed validation that allow attackers to gain access to the host operating system, launch denial-of-service attacks, or escape containers to the host environment. The specific issues include improper handling of the WORKDIR command, exploitation of mount and symlink commands, and bypassing of security checks in BuildKit. The article provides Falco rules to detect exploitation attempts and emphasizes the importance of updating Docker and Kubernetes software to mitigate these high-severity threats. Falco's detection capabilities, integrated into Sysdig Secure, offer real-time monitoring to safeguard cloud infrastructure against these evolving threats. The article urges users and developers to be vigilant, as Docker poses a risk of unauthorized access to workstations and networks.