RunC Vulnerability Gives Attackers Root Access on Docker, Kubernetes Hosts

Container Runtime Escape Flaw Gives Attackers Root Access on Hosts

A container breakout security flaw found in the runc container runtime allows malicious containers (with minimal user interaction) to overwrite the host runc binary and gain root-level code execution on the host machine.

runc is an open source command line utility designed to spawn and run containers and, at the moment, it is used as the default runtime for containers with Docker, containerd, Podman, and CRI-O.

According to Aleksa Sarai, Senior Software Engineer (Containers) SUSE Linux GmbH, one of the runc maintainers:

The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts:

  * Creating a new container using an attacker-controlled image.
  * Attaching (docker exec) into an existing container which the attacker had previous write access to.

The vulnerability, found by security researchers Adam Iwaniuk and Borys Popławski, is now tracked as CVE-2019-5736. It is automatically blocked on systems where user namespaces are used correctly (containers not running as root are unaffected).

However, it impacts machines where “the host root is mapped into the container’s user namespace” since the default AppArmor policy and Fedora’s default SELinux policy do not block CVE-2019-5736 from triggering.

On Fedora boxes, moby-engine is the only one affected by this container breakout flaw, while docker and podman are not impacted because they run all container processes as container_t.
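One way to check the condition described above (host root mapped into a container's user namespace), as an added example that is not code from the article or from the runc project: it parses `/proc/<pid>/uid_map` as read from the host. The function names, the constructed sample maps and the choice to pass container PIDs to `audit` are assumptions of this example.

```python
import os
from typing import Iterable, List, Optional, Tuple

def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside_uid, outside_uid, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3 and all(f.isdigit() for f in fields):
            inside, outside, length = (int(f) for f in fields)
            extents.append((inside, outside, length))
    return extents

def uid_mapped_to_host_root(text: str) -> Optional[int]:
    """Return the in-namespace uid that maps to host uid 0, or None.

    Assumes the file was read from the host's initial user namespace, so the
    second column holds host uids.
    """
    for inside, outside, length in parse_uid_map(text):
        if outside == 0 and length > 0:
            return inside
    return None

def audit(pids: Iterable[int], proc: str = "/proc") -> List[int]:
    """Return the pids whose uid 0 is host uid 0 (no effective remapping)."""
    exposed = []
    for pid in pids:
        try:
            with open(os.path.join(proc, str(pid), "uid_map")) as fh:
                mapped = uid_mapped_to_host_root(fh.read())
        except OSError:
            continue  # process exited or file not readable
        if mapped == 0:
            exposed.append(pid)
    return exposed

# Constructed sample maps, not taken from a real host.
NO_REMAP = "         0          0 4294967295\n"  # container root is host root
REMAPPED = "         0     100000      65536\n"  # container root is host uid 100000

if __name__ == "__main__":
    print("no remap ->", uid_mapped_to_host_root(NO_REMAP))
    print("remapped ->", uid_mapped_to_host_root(REMAPPED))
```

On a Docker host, the PID to pass to `audit` for a given container can be read with `docker inspect --format '{{.State.Pid}}' <container>`.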

According to a scan shared by Shodan CEO John Matherly on YCombinator, approximately 4,000 Docker daemons are exposed:

[Image: Exposed Docker daemons]

Sarai published a patch designed to fix the runc flaw which triggers a container escape and allows attackers to access the host filesystem upon execution of a malicious container.

The runc maintainer also stated that the “exploit code will be published *publicly* 7 days after the CRD (which is 2019-02-18). If you have a container runtime, please verify that you are not vulnerable to this issue beforehand.”

At this point, Amazon, Google and Docker have updated their software, and all users are advised to update to the latest releases which are patched against CVE-2019-5736.
