February 12, 2019
Summary
Open Containers runc is prone to a local command-execution vulnerability. Runc is a command line utility for spawning and running containers. It is the container runtime that underpins many open source container management systems, including Docker, Kubernetes, containerd, Podman, and CRI-O. [1] [3]
Impact
- A local attacker can exploit this issue to execute arbitrary commands with root privileges.
- Allows an attacker who can execute a command as root inside a container to overwrite the host runc binary and, consequently, obtain root access on the host. Either of two container types is sufficient: (1) a new container started from an attacker-controlled image, or (2) an existing container to which the attacker previously had write access and which can be attached with docker exec. The root cause is file-descriptor mishandling related to /proc/self/exe. [2]
Vulnerable
- Runc through version 1.0-rc6.
- Many popular container management systems and providers are affected, including Docker, Kubernetes, containerd, Podman, CRI-O, Amazon AWS, and Red Hat Linux.
- For a list of products and versions affected, please see the links in the References section.
Recommendations
- Update any vulnerable systems immediately. Exploit code for this vulnerability is set to be made public on Feb 18th, 2019.
- Consult relevant vendor advisories for patch information (e.g. Docker, Kubernetes).
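Two defender-side checks that follow from the above, as an added example that is not part of the advisory or of the runc project: a version classifier for the "through 1.0-rc6" range named under Vulnerable, and an integrity check of the host runc binary against a recorded SHA-256 baseline, since the impact of this issue is an overwrite of that binary. The parser assumes `runc --version` prints a first line of the form "runc version <ver>"; the sample binary and digest in the demo are constructed stand-ins, not real runc artifacts.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side checks for CVE-2019-5736.
# 1. Classify a runc version string as inside the advisory's vulnerable range (<= 1.0-rc6).
# 2. Verify the host runc binary against a known-good SHA-256 baseline, so that an
#    overwrite of the host binary is detected after the fact.

# SHA-256 hex digest of a file, portable across coreutils and BSD tools.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Extract the version from `runc --version` output (assumed first line: "runc version <ver>").
runc_version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^runc version //p' | head -n 1
}

# Return 0 if the version string (e.g. "1.0.0-rc6", "1.0-rc6", "1.0.0-rc8", "1.0.0")
# is a 1.0 release candidate numbered rc6 or lower, i.e. inside the range the
# advisory names as vulnerable; return 1 otherwise. Vendors often backport the fix
# without changing the version string, so a "vulnerable" result is a prompt to
# consult the vendor advisory, not proof of exposure.
runc_version_vulnerable() {
    v="$1"
    case "$v" in
        *-rc*) rc="${v##*-rc}" ;;
        *) return 1 ;;   # a non-rc release is past rc6
    esac
    # Drop any suffix after the rc number (e.g. "6+dev" -> "6").
    rc=$(printf '%s' "$rc" | sed 's/[^0-9].*$//')
    [ -n "$rc" ] && [ "$rc" -le 6 ]
}

# Return 0 if the binary's current digest matches the baseline recorded at install
# or patch time, 1 if it has changed.
runc_integrity_ok() {
    bin="$1"; baseline="$2"
    [ "$(sha256_of "$bin")" = "$baseline" ]
}

# Demonstration on a constructed stand-in for /usr/bin/runc in a temp directory:
# record a baseline, confirm it matches, simulate an overwrite, confirm it is flagged.
demo_integrity() {
    tmp=$(mktemp -d)
    printf 'original runc bytes\n' > "$tmp/runc"      # constructed sample binary
    baseline=$(sha256_of "$tmp/runc")                # what a patch-time baseline would store
    before=$(runc_integrity_ok "$tmp/runc" "$baseline" && echo ok || echo MODIFIED)
    printf 'tampered\n' >> "$tmp/runc"               # simulate the binary being overwritten
    after=$(runc_integrity_ok "$tmp/runc" "$baseline" && echo ok || echo MODIFIED)
    rm -rf "$tmp"
    echo "$before $after"
}

# Stand-alone run: classify a sample version and show the integrity demo.
if runc_version_vulnerable "$(runc_version_from_output 'runc version 1.0.0-rc6')"; then
    echo "sample version 1.0.0-rc6: in vulnerable range, check vendor advisory"
fi
demo_integrity
```

In production the baseline digest would be recorded from a freshly patched package and kept somewhere the container runtime cannot write to; a mismatch on the host runc binary is the signal that warrants incident response, while the version check only tells you whether the vendor advisory needs to be consulted.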
References
[1] https://www.securityfocus.com/bid/106976/info
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5736
[3] https://www.bleepingcomputer.com/news/security/runc-vulnerability-gives-...
[4] https://cloud.google.com/kubernetes-engine/docs/security-bulletins#febru...
[5] https://www.openwall.com/lists/oss-security/2019/02/11/2