Tuesday, February 12, 2019

RunC Flaw Lets Attackers Escape Linux Containers to Gain Root on Hosts


A serious security vulnerability has been discovered in the core runC container code that affects several open-source container management systems and could potentially allow attackers to escape a container and obtain unauthorized, root-level access to the host operating system.

The vulnerability was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH, on Monday.

The vulnerability, identified as CVE-2019-5736, resides in runC, a lightweight, low-level command-line tool for spawning and running containers (an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel).

Originally created by Docker, runC is the default container runtime for Docker, Kubernetes, containerd, CRI-O, and other container-dependent programs, and is widely used by major cloud hosting and server providers.

runC Container Escape Vulnerability [CVE-2019-5736]

Though researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat advisory says the "flaw was found in the way runc handled system file descriptors when running containers."

Thus, a specially-crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds-to-thousands of other containers running on it.

For root access to the container, the attacker has to either:

  • create a new container using an attacker-controlled image, or
  • attach (docker exec) into an existing container which the attacker had previous write access to.

"A malicious container [then] could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system," the advisory states.

How bad is this vulnerability?

Scott McCarty, principal product manager for containers at Red Hat, says, "While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents."

runC Flaw: Security Patch Updates and Mitigation

According to Red Hat, the vulnerability can be mitigated if SELinux in targeted enforcing mode is enabled, which is the default on Red Hat Enterprise Linux, CentOS, and Fedora.

The maintainers of runC have published a git commit to resolve the security flaw, but all the projects built atop runc need to incorporate the patches in their products.

Debian and Ubuntu have also acknowledged that their Linux distributions are vulnerable to the reported vulnerability. The issue also affects container systems using LXC, a Linux containerization tool that predates Docker, and Apache Mesos container code.

Major vendors and cloud service providers have already been pushing out security patches to address the issue, including Google, Amazon, Docker, and Kubernetes.

Rancher, the creator of the open-source Kubernetes management software, has also published a patching script for legacy versions of Docker.

If you are running any kind of containers, consider yourself vulnerable and upgrade to an image with a fixed version of runc as soon as it is available to prevent cyber attacks.
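The two host-side conditions the advisory text above points to, SELinux in targeted enforcing mode and an unmodified runc binary, can be checked as follows. This is an added example, not code from the article or from runC; the function names are hypothetical, the sample inputs are constructed, and the baseline hash is assumed to have been recorded from a trusted copy of the binary.

```python
import hashlib
import os
import tempfile


def selinux_findings(config_text, runtime_mode):
    """Return reasons the SELinux mitigation named in the advisory is not in effect.

    config_text: contents of /etc/selinux/config; runtime_mode: output of `getenforce`.
    """
    settings = {}
    for line in config_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blank lines
        if "=" in line:
            key, value = line.split("=", 1)
            settings[key.strip()] = value.strip().lower()
    findings = []
    if runtime_mode.strip().lower() != "enforcing":
        findings.append("SELinux is not enforcing right now")
    if settings.get("SELINUX") != "enforcing":
        findings.append("config does not set SELINUX=enforcing (lost on reboot)")
    if settings.get("SELINUXTYPE") != "targeted":
        findings.append("config does not set SELINUXTYPE=targeted")
    return findings


def sha256_of(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def runc_binary_changed(path, baseline_sha256):
    """True if the runc binary on the host no longer matches the recorded baseline."""
    return sha256_of(path) != baseline_sha256.lower()


if __name__ == "__main__":
    # Constructed sample inputs; on a real host read /etc/selinux/config,
    # run `getenforce`, and pass the path of the installed runc binary.
    sample_config = "SELINUX=permissive\nSELINUXTYPE=targeted\n"
    print(selinux_findings(sample_config, "Permissive"))
    with tempfile.NamedTemporaryFile(delete=False) as fake_runc:
        fake_runc.write(b"constructed stand-in for the runc binary")
    baseline = sha256_of(fake_runc.name)
    with open(fake_runc.name, "ab") as handle:
        handle.write(b" overwritten")  # simulate the binary being modified
    print("runc changed:", runc_binary_changed(fake_runc.name, baseline))
    os.unlink(fake_runc.name)
```

An empty findings list together with an unchanged hash means both conditions hold; neither check replaces upgrading to a fixed runc.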



from The Hacker News http://bit.ly/2WWbPKh
