Veracode Vulnerability DatabaseVERACODE:13337Malicious Container Execution
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
github.com/opencontainers/runc is susceptible to malicious container execution. It does not properly perform the file-descriptor handling which allows a malicious user to overwrite the host runc binary and subsequently executing containers such as (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec after gaining administrative access on the host.
References
lists.opensuse.org/opensuse-security-announce/2019-03/msg00044.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00074.html
lists.opensuse.org/opensuse-security-announce/2019-04/msg00091.html
lists.opensuse.org/opensuse-security-announce/2019-05/msg00060.html
lists.opensuse.org/opensuse-security-announce/2019-05/msg00073.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00011.html
lists.opensuse.org/opensuse-security-announce/2019-06/msg00015.html
lists.opensuse.org/opensuse-security-announce/2019-08/msg00084.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00007.html
lists.opensuse.org/opensuse-security-announce/2019-10/msg00029.html
packetstormsecurity.com/files/163339/Docker-Container-Escape.html
packetstormsecurity.com/files/165197/Docker-runc-Command-Execution-Proof-Of-Concept.html
www.openwall.com/lists/oss-security/2019/03/23/1
www.openwall.com/lists/oss-security/2019/06/28/2
www.openwall.com/lists/oss-security/2019/07/06/3
www.openwall.com/lists/oss-security/2019/07/06/4
www.openwall.com/lists/oss-security/2019/10/24/1
www.openwall.com/lists/oss-security/2019/10/29/3
www.securityfocus.com/bid/106976
access.redhat.com/errata/RHSA-2019:0303
access.redhat.com/errata/RHSA-2019:0304
access.redhat.com/errata/RHSA-2019:0401
access.redhat.com/errata/RHSA-2019:0408
access.redhat.com/errata/RHSA-2019:0975
access.redhat.com/security/cve/cve-2019-5736
access.redhat.com/security/vulnerabilities/runcescape
aws.amazon.com/security/security-bulletins/AWS-2019-002/
azure.microsoft.com/en-us/updates/cve-2019-5736-and-runc-vulnerability/
azure.microsoft.com/en-us/updates/iot-edge-fix-cve-2019-5736/
blog.dragonsector.pl/2019/02/cve-2019-5736-escape-from-docker-and.html
brauner.github.io/2019/02/12/privileged-containers.html
bugzilla.suse.com/show_bug.cgi?id=1121967
cloud.google.com/kubernetes-engine/docs/security-bulletins#february-11-2019-runc
docs.docker.com/engine/release-notes/
github.com/docker/docker-ce/releases/tag/v18.09.2
github.com/Frichetten/CVE-2019-5736-PoC
github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
github.com/opencontainers/runc/commit/6635b4f0c6af3810594d2770f662f34ddc15b40d
github.com/opencontainers/runc/compare/dd023c457d84de44fa61e6ff0e0cf6a0edd1005e...6635b4f0c6af3810594d2770f662f34ddc15b40d
github.com/q3k/cve-2019-5736-poc
github.com/rancher/runc-cve
kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
lists.apache.org/thread.html/24e54e3c6b2259e3903b6b8fe26896ac649c481ea99c5739468c92a3@%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/a258757af84c5074dc7bf932622020fd4f60cef65a84290380386706@%3Cuser.mesos.apache.org%3E
lists.apache.org/thread.html/a585f64d14c31ab393b90c5f17e41d9765a1a17eec63856ce750af46@%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/acacf018c12636e41667e94ac0a1e9244e887eef2debdd474640aa6e@%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/b162dd624dc088cd634292f0402282a1d1d0ce853baeae8205bc033c@%3Cdev.mesos.apache.org%3E
lists.apache.org/thread.html/rc494623986d76593873ce5a40dd69cb3629400d10750d5d7e96b8587@%3Cdev.dlab.apache.org%3E
lists.apache.org/thread.html/rf1bbc0ea4a9f014cf94df9a12a6477d24a27f52741dbc87f2fd52ff2@%3Cissues.geode.apache.org%3E
lists.fedoraproject.org/archives/list/[email protected]/message/DLC52IOJN6IQJWJ6CUI6AIUP6GVVG2QP/
lists.fedoraproject.org/archives/list/[email protected]/message/EGZKRCKI3Y7FMADO2MENMT4TU24QGHFR/
lists.fedoraproject.org/archives/list/[email protected]/message/SWFJGIPYAAAMVSWWI3QWYXGA3ZBU2H4W/
lists.fedoraproject.org/archives/list/[email protected]/message/V6A4OSFM5GGOWW4ECELV5OHX2XRAUSPH/
security.gentoo.org/glsa/202003-21
security.netapp.com/advisory/ntap-20190307-0008/
softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03410944
support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03913en_us
support.mesosphere.com/s/article/Known-Issue-Container-Runtime-Vulnerability-MSPH-2019-0003
tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20190215-runc
usn.ubuntu.com/4048-1/
www.exploit-db.com/exploits/46359/
www.exploit-db.com/exploits/46369/
www.openwall.com/lists/oss-security/2019/02/11/2
www.synology.com/security/advisory/Synology_SA_19_06
www.twistlock.com/2019/02/11/how-to-mitigate-cve-2019-5736-in-runc-and-docker/
Related
8.6 High
CVSS3
Attack Vector
LOCAL
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C