Open Containers Runc Local Command Execution Vulnerability (CVE-2019-5736)

February 12, 2019

Summary

Open Containers runc is prone to a local command-execution vulnerability. Runc is a command line utility designed to spawn and run containers. It is the container runtime that underpins many open source container management systems including Docker, Kubernetes, containerd, Podman, and CRI-O. [1] [3]

Impact

  • A local attacker can exploit this issue to execute arbitrary commands with root privileges.
  • Allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe. [2]

Vulnerable

  • Runc through version 1.0-rc6.
  • Many popular container management systems and providers are affected including Docker, Kubernetes, containerd, Podman, CRI-O, Amazon AWS, and RedHat Linux.
  • For a list of products and versions affected, please see the links in the References section.

Recommendations

  • Update any vulnerable systems immediately. Exploit code for this vulnerability is set to be made public on Feb 18th, 2019.
  • Consult relevant vendor advisories for patch information (e.g. Docker, Kubernetes).
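As an added example that is not part of this advisory, the following Python helper classifies the output of `runc --version` against the vulnerable range stated above (runc 1.0-rc6 and earlier) so that hosts can be inventoried before patching. The banner format is assumed from upstream runc, and the sample banners are constructed.

```python
import re
import subprocess
from typing import Optional, Tuple

# The advisory names runc through 1.0-rc6 as vulnerable; later release
# candidates and every final 1.x release are treated as fixed here.
LAST_VULNERABLE_RC = 6

# Matches runc's banner, e.g. "runc version 1.0.0-rc6" or "runc version 1.0-rc6+dev"
_VERSION_RE = re.compile(r"runc version\s+(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")

Version = Tuple[int, int, int, Optional[int]]  # (major, minor, patch, rc or None)


def parse_runc_version(output: str) -> Optional[Version]:
    """Parse `runc --version` output. A missing patch digit becomes 0 and a
    trailing suffix such as '+dev' is ignored. None if no banner is found."""
    m = _VERSION_RE.search(output)
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch or 0), int(rc) if rc is not None else None)


def is_vulnerable_to_cve_2019_5736(version: Version) -> bool:
    """True when the upstream version is runc 1.0-rc6 or older."""
    major, minor, patch, rc = version
    if (major, minor, patch) < (1, 0, 0):
        return True                     # 0.x builds predate the fix entirely
    if (major, minor, patch) > (1, 0, 0):
        return False                    # 1.0.1, 1.1.x, ... came after the fix
    # Exactly 1.0.0: the final release is fixed; rc1..rc6 are vulnerable
    return rc is not None and rc <= LAST_VULNERABLE_RC


def check_installed_runc(binary: str = "runc") -> Optional[bool]:
    """Classify the runc on this host; None if it is absent or unparseable."""
    try:
        out = subprocess.run([binary, "--version"], capture_output=True,
                             text=True, check=False).stdout
    except FileNotFoundError:
        return None
    parsed = parse_runc_version(out)
    return None if parsed is None else is_vulnerable_to_cve_2019_5736(parsed)


if __name__ == "__main__":
    # Constructed sample banners in the format runc prints
    for banner in ("runc version 1.0.0-rc6", "runc version 1.0-rc6+dev",
                   "runc version 1.0.0-rc92", "runc version 1.1.12"):
        vulnerable = is_vulnerable_to_cve_2019_5736(parse_runc_version(banner))
        print(banner, "->", "VULNERABLE" if vulnerable else "fixed")
```

Distribution and vendor builds often backport the fix without changing the upstream version string, so a "VULNERABLE" result is a triage signal, not proof; confirm it against the vendor advisories named above.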

References

[1] https://www.securityfocus.com/bid/106976/info

[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736

[3] https://www.bleepingcomputer.com/news/security/runc-vulnerability-gives-...

[4] https://cloud.google.com/kubernetes-engine/docs/security-bulletins#febru...

[5] https://www.openwall.com/lists/oss-security/2019/02/11/2