A vulnerability in runC, the low-level container runtime underneath Docker and most other Linux container platforms, allows malicious code running inside a container to escape it and compromise the entire host system.
Designated CVE-2019-5736, the flaw lets a malicious container overwrite the host's runC binary while runC is executing a command inside that container as root, giving the attacker root-level code execution on the host. Two scenarios expose a host: starting a new container from an attacker-controlled image, or attaching (for example with docker exec) to an existing container to which the attacker previously had write access.
Aleksa Sarai, a runC maintainer and long-time contributor to the Open Container Initiative (OCI), which governs runC, disclosed the flaw in a Tuesday post to the oss-security mailing list on Openwall.com, noting that a patch has already been issued and that exploit code will be released on Feb. 18 so container vendors can verify that their fixes resolve the issue.
Affected projects include container engines and runtimes built on runC, such as CRI-O, containerd, Docker and Podman, as well as Kubernetes, which is affected indirectly through the runtimes it drives, and companies such as Red Hat and Amazon Web Services, which ship containerization capabilities across a range of products and services, including their own Linux distributions.
These vendors have issued security advisories recommending that customers upgrade to the patched versions of their products and relaunch their containers so that new and attached containers are handled by the fixed runC binary. The Ubuntu and Debian Linux distributions, on whose server editions containers commonly run, are also preparing patched runC packages.
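An added example of the kind of check the above suggests (illustrative code written for this page, not from the article, runC or any vendor advisory): because the attack works by overwriting the host's runC binary, an operator can record a SHA-256 digest of that binary right after installing the patched package and re-verify it periodically from cron or a host agent. The install paths listed in the script are assumptions about where distributions commonly place runC and should be adjusted per host; an integrity check like this is a detection aid, not a substitute for upgrading.

```python
"""Integrity check for the host runC binary (added example, not project code).

CVE-2019-5736 lets a malicious container overwrite the host's runC binary.
Record a SHA-256 baseline right after installing the patched package, keep it
somewhere the host cannot modify (off-host), and verify periodically.
"""
import hashlib
import os
import sys

# Assumed install locations; not every path exists on every distribution.
DEFAULT_RUNC_PATHS = (
    "/usr/bin/runc",
    "/usr/sbin/runc",
    "/usr/local/sbin/runc",
    "/usr/bin/docker-runc",
)


def sha256_file(path, chunk_size=1 << 20):
    """Return the hex SHA-256 of the file at path, hashing it in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(paths=DEFAULT_RUNC_PATHS):
    """Digest every candidate path that exists; run once after patching."""
    return {p: sha256_file(p) for p in paths if os.path.isfile(p)}


def verify(expected):
    """Compare current digests against a stored baseline.

    Returns a dict mapping each baseline path to:
      "ok"       - digest matches the baseline
      "MODIFIED" - file exists but its digest differs (possible overwrite)
      "MISSING"  - the baseline path no longer exists
    """
    results = {}
    for path, digest in expected.items():
        if not os.path.isfile(path):
            results[path] = "MISSING"
        elif sha256_file(path) != digest:
            results[path] = "MODIFIED"
        else:
            results[path] = "ok"
    return results


def is_clean(results):
    """True when every checked binary still matches its baseline."""
    return all(status == "ok" for status in results.values())


if __name__ == "__main__":
    # Usage: runc_check.py baseline > runc.sha256
    #        runc_check.py verify runc.sha256   (exit 1 on any mismatch)
    if len(sys.argv) == 2 and sys.argv[1] == "baseline":
        for path, digest in baseline().items():
            print(f"{digest}  {path}")
    elif len(sys.argv) == 3 and sys.argv[1] == "verify":
        expected = {}
        with open(sys.argv[2]) as f:
            for line in f:
                digest, path = line.split(None, 1)
                expected[path.strip()] = digest
        results = verify(expected)
        for path, status in results.items():
            print(f"{status:9} {path}")
        sys.exit(0 if is_clean(results) else 1)
    else:
        print("usage: runc_check.py baseline | verify <baseline-file>", file=sys.stderr)
        sys.exit(2)
```

The baseline file must live where a compromised host cannot rewrite it, since an attacker with host root could otherwise update the digest along with the binary; the same check can be run from a package manager's own verification (for example dpkg --verify or rpm -V) where the binary came from a distribution package.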
"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," said Scott McCarty, principal product manager of containers at Red Hat, in a company blog post. "A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents."
Discovery of the vulnerability is credited to security researchers Adam Iwaniuk and Borys Poplawski.