CVE-2019-5736
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
74.6%
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
References
lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html
lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html
packetstormsecurity.com/files/163339/Docker-Container-Escape.html
packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html
www.openwall.com/lists/oss-security/2019/03/23/1
www.openwall.com/lists/oss-security/2019/06/28/2
www.openwall.com/lists/oss-security/2019/07/06/3
www.openwall.com/lists/oss-security/2019/07/06/4
www.openwall.com/lists/oss-security/2019/10/24/1
www.openwall.com/lists/oss-security/2019/10/29/3
www.openwall.com/lists/oss-security/2024/01/31/6
www.openwall.com/lists/oss-security/2024/02/01/1
www.openwall.com/lists/oss-security/2024/02/02/3
www.securityfocus.com/bid/106976
access.redhat.com/errata/RHSA-2019:0303
access.redhat.com/errata/RHSA-2019:0304
access.redhat.com/errata/RHSA-2019:0401
access.redhat.com/errata/RHSA-2019:0408
access.redhat.com/errata/RHSA-2019:0975
access.redhat.com/security/cve/cve-2019-5736
access.redhat.com/security/vulnerabilities/runcescape
aws.amazon.com/security/security-bulletins/AWS-2019-002/
azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/
azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
brauner.github.io/2019/02/12/privileged-containers.html
bugzilla.suse.com/show_bug.cgi?id=1121967
cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
github.com/docker/docker-ce/releases/tag/v18.09.2
github.com/Frichetten/CVE-2019-5736-PoC
github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
github.com/q3k/cve-2019-5736-poc
github.com/rancher/runc-cve
kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3%40%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706%40%3Cuser.mesos.apache.org%3E
lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46%40%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e%40%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c%40%3Cdev.mesos.apache.org%3E
lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587%40%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2%40%3Cissues.geode.apache.org%3E
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
security.gentoo.org/glsa/202003-21
security.netapp.com/advisory/ntap-20190307-0008/
softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
usn.ubuntu.com/4048-1/
www.exploit-db.com/exploits/46359/
www.exploit-db.com/exploits/46369/
www.openwall.com/lists/oss-security/2019/02/11/2
www.synology.com/security/advisory/Synology_SA_19_06
www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
Social References
More
Related
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
8.8 High
AI Score
Confidence
High
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.004 Low
EPSS
Percentile
74.6%