Dangerous runC flaws could allow hackers to escape Docker containers
Summary: The runC container runtime used by Docker and Kubernetes has three newly disclosed vulnerabilities (CVE-2025-31133, CVE-2025-52565, CVE-2025-52881) that can be exploited to bypass isolation restrictions and access the host system. Attackers could trigger them through malicious container images or Dockerfiles. Fixed versions have been released.

2025-11-9 16:0:32 Author: www.bleepingcomputer.com

Three newly disclosed vulnerabilities in the runC container runtime used in Docker and Kubernetes could be exploited to bypass isolation restrictions and get access to the host system.

The security issues, tracked as CVE-2025-31133, CVE-2025-52565, and CVE-2025-52881, were reported this week and disclosed by SUSE software engineer and Open Container Initiative (OCI) board member Aleksa Sarai.

runC is a universal container runtime and the OCI reference implementation for running containers. It is responsible for low-level operations such as creating the container process, setting up namespaces, mounts, and cgroups that higher-level tools, like Docker and Kubernetes, can call.

An attacker exploiting the vulnerabilities could obtain write access to the underlying container host with root privileges:

  • CVE-2025-31133 — runC uses /dev/null bind-mounts to “mask” sensitive host files. If an attacker replaces /dev/null with a symlink during container init, runc can end up bind-mounting an attacker-controlled target read-write into the container — enabling writes to /proc, and container escape. 
  • CVE-2025-52565 — The /dev/console bind mount can be redirected via races/symlinks so that runc mounts an unexpected target into the container before protections are applied. That again can expose writable access to critical procfs entries and enable breakouts. 
  • CVE-2025-52881 — runC can be tricked into performing writes to /proc that are redirected to attacker-controlled targets. It can bypass LSM relabel protections in some variants and turns ordinary runc writes into arbitrary writes to dangerous files like /proc/sysrq-trigger. 

CVE-2025-31133 and CVE-2025-52881 affect all versions of runC, while CVE-2025-52565 impacts runC versions 1.0.0-rc3 and later. Fixes are available in runC versions 1.2.8, 1.3.3, 1.4.0-rc.3, and later.

Exploitability and risk

Researchers at cloud security company Sysdig note that the three vulnerabilities "require the ability to start containers with custom mount configurations," which an attacker can achieve through malicious container images or Dockerfiles.

Currently, there have been no reports of any of the flaws being actively exploited in the wild.

In an advisory this week, Sysdig shares that attempts to exploit any of the three security issues can be detected by monitoring suspicious symlink behaviors.

runC developers also shared mitigation actions, which include activating user namespaces for all containers without mapping the host root user into the container's namespace.

This precaution should block the most important parts of the attack, because Unix DAC permissions would prevent the namespaced (non-host-root) users from accessing the relevant host files.
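Two things a defender can check after reading the version list and the user-namespace mitigation above are whether the installed runc is a fixed release and whether a container's OCI `config.json` actually enables a user namespace that leaves host uid 0 unmapped. The script below is an added example, not code from the article, from Sysdig, or from the runC project; the fixed-version table comes from the article, the sample configs are constructed, and the `runc --version` call is only used when the binary is present.

```python
"""Check a runc version against the fixed releases named in the article and
verify the user-namespace mitigation in an OCI runtime config.json.
Added example; the configs below are constructed for illustration."""
import re
import subprocess

# Fixed releases per the article: 1.2.8, 1.3.3, 1.4.0-rc.3 and later.
# Values are (major, minor, patch, rc); rc=None means a final release.
FIXED = {(1, 2): (1, 2, 8, None), (1, 3): (1, 3, 3, None), (1, 4): (1, 4, 0, 3)}


def parse_version(text):
    """Parse 'runc version 1.2.7' or '1.4.0-rc.2' into (major, minor, patch, rc)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:-rc\.?(\d+))?", text)
    if not m:
        raise ValueError(f"no version string in {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else None)


def _sort_key(v):
    """A final release sorts above any release candidate of the same patch."""
    major, minor, patch, rc = v
    return (major, minor, patch, float("inf") if rc is None else rc)


def is_patched(version_text):
    """True if the version is at or above the fixed release of its series.
    Series newer than 1.4 are treated as fixed; series older than 1.2 are not."""
    v = parse_version(version_text)
    series = (v[0], v[1])
    if series in FIXED:
        return _sort_key(v) >= _sort_key(FIXED[series])
    return series > (1, 4)


def installed_runc_version():
    """Return the output of 'runc --version', or None if runc is not installed."""
    try:
        out = subprocess.run(["runc", "--version"], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return out.stdout


def host_root_unmapped(config):
    """True if config.json enables a user namespace and no uidMapping covers host uid 0.
    This is the runC mitigation the article describes."""
    linux = config.get("linux", {})
    namespaces = {ns.get("type") for ns in linux.get("namespaces", [])}
    if "user" not in namespaces:
        return False
    for mapping in linux.get("uidMappings", []):
        host_id, size = mapping["hostID"], mapping["size"]
        if host_id <= 0 < host_id + size:  # range includes host uid 0
            return False
    return True


def audit(config, version_text):
    """Combine both checks into a small findings dict."""
    return {
        "runc_patched": is_patched(version_text),
        "userns_without_host_root": host_root_unmapped(config),
    }


# Constructed sample: user namespace on, host uids 100000+ mapped, host root absent.
MITIGATED_CONFIG = {
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
        "gidMappings": [{"containerID": 0, "hostID": 100000, "size": 65536}],
    },
}

# Constructed sample: user namespace on, but container root is host root.
WEAK_CONFIG = {
    "ociVersion": "1.0.2",
    "linux": {
        "namespaces": [{"type": "pid"}, {"type": "mount"}, {"type": "user"}],
        "uidMappings": [{"containerID": 0, "hostID": 0, "size": 65536}],
    },
}

if __name__ == "__main__":
    version = installed_runc_version() or "runc version 1.2.7 (constructed sample)"
    print(audit(MITIGATED_CONFIG, version))
    print(audit(WEAK_CONFIG, version))
```

The version comparison treats a final release as newer than any release candidate of the same patch level, so `1.4.0` counts as fixed while `1.4.0-rc.2` does not. The user-namespace check fails deliberately when a mapping range includes host uid 0, which is exactly the configuration the mitigation tells you to avoid.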

Sysdig also recommends using rootless containers, if possible, to reduce the potential damage from exploiting a vulnerability.


Source: https://www.bleepingcomputer.com/news/security/dangerous-runc-flaws-could-allow-hackers-to-escape-docker-containers/