
CVE-2016-9962: Information Exposure in RunC

CVSS Score: 6.4 (CVSS 3.0)

Basic Information

EPSS Score: 0.43307%
Published: 12/20/2021
Updated: 1/9/2023
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

Package Name: github.com/opencontainers/runc
Ecosystem: go
Vulnerable Versions: <= 1.0.0-rc2
First Patched Version: 1.0.0-rc3

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stemmed from two issues: 1) Processes created via 'runc exec' were not marked as non-dumpable (via prctl PR_SET_DUMPABLE), which allowed ptrace access. 2) The stateDirFD file descriptor was not closed before execve, creating a race condition in which PID 1 could access host files through open FDs. The patches (50a19c6/5d93fed) explicitly add PR_SET_DUMPABLE in nsexec.c and close stateDirFD in both init paths, confirming that these were the vulnerable areas. The commit messages and the CWE-200 mapping correlate directly with these code changes.
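An added example, not code from runc or its patches: a C sketch of the two pre-execve mitigations named above, with an audit helper that counts directory descriptors that would survive execve. The function names and the use of "/" as a stand-in for stateDirFD are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Stand-in for stateDirFD (constructed example): a directory handle opened
 * WITHOUT O_CLOEXEC, so it would stay open across execve. */
int open_state_dir(const char *path) {
    return open(path, O_RDONLY | O_DIRECTORY);
}

/* 1 if fd is open and lacks FD_CLOEXEC, i.e. it would survive execve. */
int fd_survives_exec(int fd) {
    int flags = fcntl(fd, F_GETFD);
    return flags != -1 && !(flags & FD_CLOEXEC);
}

/* Audit: count directory fds in [0, max_fd) that would survive execve. */
int count_leaky_dir_fds(int max_fd) {
    int n = 0;
    for (int fd = 0; fd < max_fd; fd++) {
        struct stat st;
        if (fd_survives_exec(fd) && fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* Apply both mitigations before handing control to the target program.
 * Returns 0 only when each step has been verified. */
int prepare_for_exec(int state_fd) {
    /* 1) Mark the process non-dumpable and confirm the flag took effect.
     *    The kernel resets this flag on execve, so it covers the setup
     *    window only. */
    if (prctl(PR_SET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    if (prctl(PR_GET_DUMPABLE, 0, 0, 0, 0) != 0) return -1;
    /* 2) Close the host directory handle so nothing can inherit it. */
    if (close(state_fd) != 0) return -1;
    return fd_survives_exec(state_fd) ? -1 : 0;
}

int main(void) {
    int fd = open_state_dir("/");
    if (fd < 0) return 1;
    int before = count_leaky_dir_fds(fd + 1);   /* includes fd itself */
    int rc = prepare_for_exec(fd);
    int after = count_leaky_dir_fds(fd + 1);
    return (rc == 0 && after == before - 1) ? 0 : 1;
}
```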

WAF Protection Rules

WAF Rule

RunC allowed additional container processes via 'runc exec' to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initia…
