RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts

The Hacker News (thehackernews.com), Feb 12, 2019 - 8:59 a.m.
Record: THN:B0FC327500C590C565FC4F46D8DCDD34

CVSS3: 8.6 High
  Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
  Attack Vector: LOCAL | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: CHANGED
  Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH

CVSS2: 9.3 High
  Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
  Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE
  Confidentiality Impact: COMPLETE | Integrity Impact: COMPLETE | Availability Impact: COMPLETE

EPSS: 0.003 Low (Percentile: 64.0%)

Tags: linux, container, runc, docker, hack

A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems, potentially allowing attackers to escape a Linux container and obtain unauthorized, root-level access to the host operating system.

The vulnerability, identified as CVE-2019-5736, was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday.

The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel.

Originally created by Docker, runC is the default container runtime for Docker, Kubernetes, containerd, CRI-O, and other container-dependent programs, and is widely used by major cloud hosting and server providers.

runC Container Escape Vulnerability [CVE-2019-5736]

Though researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat advisory says the “flaw was found in the way runC handled system file descriptors when running containers.”

Thus, a specially-crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds-to-thousands of other containers running on it.

For root access to the container, the attacker has to either:

  • create a new container using an attacker-controlled image, or
  • attach (docker exec) into an existing container to which the attacker previously had write access.

“A malicious container [then] could use this flaw to overwrite contents of the runC binary and consequently run arbitrary commands on the container host system,” the advisory states.

How bad is this vulnerability?

Scott McCarty, principal product manager for containers at Red Hat, says, “While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents.”

runC Flaw: Security Patch Updates and Mitigation

According to Red Hat, the vulnerability can be mitigated if SELinux in targeted enforcing mode is enabled, which is the default on Red Hat Enterprise Linux, CentOS, and Fedora.

The maintainers of runC have published a git commit resolving the security flaw, but all the projects built atop runC need to incorporate the patches into their products.

Debian and Ubuntu have also acknowledged that their Linux distributions are vulnerable to the reported vulnerability. The issue also affects container systems using LXC, a Linux containerization tool that predates Docker, and Apache Mesos container code.

Major vendors and cloud service providers have already been pushing out security patches to address the issue, including Google, Amazon, Docker, and Kubernetes.

Rancher, the creator of the open-source Kubernetes management software, has also published a patching script for legacy versions of Docker.

If you are running any kind of containers, consider yourself vulnerable and upgrade to an image with a fixed version of runC as soon as it is available to prevent cyber attacks.
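Two host-side checks a defender can automate from the advisory's own description of the flaw (the runC binary on the host gets overwritten) and of the mitigation (SELinux targeted policy in enforcing mode). This is an added example, not code from the article or from the runC project; the baseline hash, the stand-in binary and the `sestatus` samples are constructed here, and on a real host you would record the baseline from a trusted package (e.g. before deployment) and feed the real `sestatus` output in.

```python
import hashlib
import os
import tempfile

def sha256_of(path):
    """Stream the file through SHA-256 so large binaries are handled cheaply."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def runc_tampered(path, baseline_sha256):
    """True if the on-disk runc no longer matches the recorded known-good hash."""
    return sha256_of(path) != baseline_sha256

def selinux_mitigation_active(sestatus_output):
    """Parse `sestatus` text; the advisory's mitigation needs targeted policy AND enforcing mode."""
    fields = {}
    for line in sestatus_output.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip().lower()
    return (fields.get("loaded policy name") == "targeted"
            and fields.get("current mode") == "enforcing")

# Constructed sestatus samples (format as printed by the sestatus tool).
SESTATUS_ENFORCING = "SELinux status: enabled\nLoaded policy name: targeted\nCurrent mode: enforcing\n"
SESTATUS_PERMISSIVE = "SELinux status: enabled\nLoaded policy name: targeted\nCurrent mode: permissive\n"

def demo():
    """Constructed stand-in for the host runc: baseline it, modify it, re-check it."""
    with tempfile.TemporaryDirectory() as d:
        fake_runc = os.path.join(d, "runc")
        with open(fake_runc, "wb") as f:
            f.write(b"\x7fELF stand-in for the real runc binary")
        baseline = sha256_of(fake_runc)          # record once, from a trusted copy
        clean = runc_tampered(fake_runc, baseline)
        with open(fake_runc, "wb") as f:
            f.write(b"constructed: binary contents changed on the host")
        modified = runc_tampered(fake_runc, baseline)
    return clean, modified                       # expected (False, True)

if __name__ == "__main__":
    print("tampered before/after:", demo())
    print("SELinux mitigation active:", selinux_mitigation_active(SESTATUS_ENFORCING))
```

A scheduled run of `runc_tampered` against the path your distribution installs runc to, alerting on any mismatch, is a simple detection for the overwrite the advisory describes; it complements, rather than replaces, upgrading to a fixed runC.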
