CVE-2023-27561 is a vulnerability in the runc container runtime, specifically in versions up to 1.1.4, involving incorrect access control in the libcontainer/rootfs_linux.go file. This flaw allows an attacker with limited privileges (PR:L) and local access (AV:L) to escalate their privileges by exploiting the way runc handles volume mounts when spawning containers. The attacker must be able to create two containers with custom volume-mount configurations and run custom container images. The vulnerability is a regression of CVE-2019-19921, indicating that a previously fixed issue was reintroduced. The CVSS v3.1 score is 7.0 (high), reflecting high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), but with high attack complexity (AC:H) and requiring local privileges. The vulnerability does not require user interaction (UI:N) and scope remains unchanged (S:U). Although no public exploits are known, the potential for privilege escalation within containerized environments is significant, especially in multi-tenant or shared infrastructure. This vulnerability affects any environment using runc up to 1.1.4, which is widely used as the default container runtime in Docker and Kubernetes environments. The root cause lies in improper validation and access control around volume mounts, which can be manipulated to gain unauthorized access to the host filesystem or escalate privileges.

For European organizations, the impact of CVE-2023-27561 is substantial, particularly for those heavily reliant on containerized infrastructure such as Docker and Kubernetes. Successful exploitation could allow attackers to escape container isolation, gaining elevated privileges on the host system, leading to full system compromise. This threatens confidentiality by exposing sensitive data, integrity by allowing unauthorized modifications, and availability by potentially disrupting container workloads or the host system. Organizations in sectors like finance, healthcare, and critical infrastructure, which increasingly adopt container technologies, face heightened risks. The vulnerability's requirement for local access limits remote exploitation but does not eliminate risk in environments where attackers can gain initial footholds, such as compromised developer machines, CI/CD pipelines, or multi-tenant cloud platforms. The regression nature of the vulnerability also suggests potential gaps in patch management and security testing processes. Without timely remediation, attackers could leverage this flaw to move laterally within networks, escalate privileges, and deploy persistent threats.

To mitigate CVE-2023-27561, organizations should immediately upgrade runc to a version later than 1.1.4 where the vulnerability is fixed. If upgrading is not immediately feasible, restrict permissions to create and run containers with custom volume mounts to trusted users only. Implement strict access controls and role-based access control (RBAC) policies in container orchestration platforms to limit who can spawn containers and specify volume mounts. Audit and monitor container creation activities for unusual patterns, especially the creation of multiple containers with custom volume mounts. Employ container security tools that can detect privilege escalation attempts and enforce runtime security policies. Regularly review and harden container host configurations, including kernel security settings and filesystem permissions. Integrate vulnerability scanning into CI/CD pipelines to detect vulnerable runc versions before deployment. Finally, educate developers and DevOps teams about the risks of running untrusted container images and the importance of least privilege principles.