The vulnerability, identified as CVE-2019-5736, was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed on Monday by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH.
The flaw resides in runC, a lightweight, low-level command-line tool for spawning and running containers, which are an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel.
Originally created by Docker, runC is the default container runtime for Docker, Kubernetes, containerd, CRI-O, and other container-dependent programs, and is widely used by major cloud hosting and server providers.
runC Container Escape Vulnerability [CVE-2019-5736]
Though researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat advisory says the "flaw was found in the way runC handled system file descriptors when running containers."
Thus, a specially crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds to thousands of other containers running on it.
For root access to the container, the attacker has to either:
- create a new container using an attacker-controlled image, or
- attach (docker exec) into an existing container to which the attacker previously had write access.
How bad is this vulnerability?
Scott McCarty, principal product manager for containers at Red Hat, says, "While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents."
runC Flaw: Security Patch Updates and Mitigation
According to Red Hat, the vulnerability can be mitigated if SELinux is enabled in targeted enforcing mode, which is the default on Red Hat Enterprise Linux, CentOS, and Fedora.
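One way to check a host for the mitigation state Red Hat describes, as an added example that is not code from the advisory or the runC project: it parses `sestatus` output and also flags the case where enforcing mode is active now but the config file would drop it at the next boot. The function names and the sample report are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify `sestatus` output against the mitigation condition
# quoted above (SELinux enabled, targeted policy, enforcing mode).

# CONSTRUCTED sample of `sestatus` output, used when no live data is requested.
SAMPLE_REPORT='SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          permissive'

# field NAME: read sestatus text on stdin, print the value of the "NAME:" line.
field() {
    awk -F': *' -v key="$1" '$1 == key { print $2; exit }'
}

# selinux_state: read sestatus text on stdin and print one word:
#   mitigated       enabled, targeted policy, enforcing now and in the config
#   not-persistent  enforcing now, but the config file changes that on reboot
#   unmitigated     disabled, permissive, or a policy other than targeted
selinux_state() {
    report=$(cat)
    status=$(printf '%s\n' "$report" | field "SELinux status")
    policy=$(printf '%s\n' "$report" | field "Loaded policy name")
    current=$(printf '%s\n' "$report" | field "Current mode")
    config=$(printf '%s\n' "$report" | field "Mode from config file")

    if [ "$status" != "enabled" ] || [ "$policy" != "targeted" ] \
        || [ "$current" != "enforcing" ]; then
        echo "unmitigated"
    elif [ "$config" != "enforcing" ]; then
        echo "not-persistent"
    else
        echo "mitigated"
    fi
}

# With --live, assess this host; otherwise assess the constructed sample.
if [ "${1:-}" = "--live" ]; then
    sestatus | selinux_state
else
    printf '%s\n' "$SAMPLE_REPORT" | selinux_state
fi
```

A result other than `mitigated` means the host is relying on the runC update alone.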
The maintainers of runC have published a git commit to resolve the security flaw, but all the projects built atop runC need to incorporate the patches in their products.
Debian and Ubuntu have also acknowledged that their Linux distributions are affected by the reported vulnerability. The issue also affects container systems using LXC, a Linux containerization tool that predates Docker, and Apache Mesos container code.
Major vendors and cloud service providers have already been pushing out security patches to address the issue, including Google, Amazon, Docker, and Kubernetes.
Rancher, the creator of the open-source Kubernetes management software, has also published a patching script for legacy versions of Docker.
If you are running any kind of containers, consider yourself vulnerable and upgrade to an image with a fixed version of runC as soon as it is available to prevent cyber attacks.