Today CVE-2019-5736 was announced, which impacts all known versions of runc. Runc is the underlying component that creates containers in Docker, Kubernetes, and many other container systems. The full details of this vulnerability are available in the Openwall oss-security mailing list. Due to the severity of this issue, exploits will not be published for another week, giving people time to patch. The impact of this vulnerability is severe and the approach used to exploit this issue is fairly trivial. I have an exploit of this vulnerability that is much easier than the originally reported issue and I can share it next week after the original exploit is published.
This vulnerability will allow a container running as root to execute arbitrary code on the host as a privileged user. In practice, this means a container can compromise the Docker host. All that is required is to be able to run a container where the container user is root. The attacker can use an infected Docker image or run exec commands against a non-infected running container. Known mitigating actions for this issue are:
- Running with a read only host file system
- Running user namespaces
- Not running root in containers
- A properly configured AppArmor/SELinux policy (the current default policies are not sufficient)
All Docker users are encouraged to upgrade to 18.09.2. If that is not immediately possible, Rancher Labs has back-ported the fix to all versions of Docker back to 1.12.6. The patches are available here along with installation instructions.
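As an added example (not code from the original post or from Rancher Labs), the POSIX sh helper below turns two of the points above into checks you can run against data already on a host: whether a Docker engine version string is at or above 18.09.2, the upstream release that ships the patched runc, and whether a daemon.json enables user namespace remapping, one of the listed mitigations. The version strings and the sample daemon.json files are constructed for the demonstration; older engines that report `needs-patch` are the ones the post points at the back-ported packages.

```shell
# Added example, not part of the original post: version and config checks
# related to CVE-2019-5736 mitigations. All sample inputs are constructed.

# field VERSION N: print the N-th dot-separated field of VERSION as a plain
# decimal integer, dropping suffixes such as "-ce" and leading zeros ("09" -> "9").
field() {
  printf '%s' "$1" | cut -d. -f"$2" | sed -e 's/[^0-9].*$//' -e 's/^0*\([0-9]\)/\1/'
}

# version_ge A B: succeed (exit 0) when version A >= version B, comparing the
# first three numeric fields; missing fields count as 0.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    a=$(field "$1" "$i"); b=$(field "$2" "$i")
    a=${a:-0}; b=${b:-0}
    if [ "$a" -gt "$b" ]; then return 0; fi
    if [ "$a" -lt "$b" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# docker_runc_status VERSION: print "fixed" when the engine version is at or
# above 18.09.2, otherwise "needs-patch" (upgrade, or use the back-ported packages).
docker_runc_status() {
  if version_ge "$1" 18.09.2; then echo fixed; else echo needs-patch; fi
}

# userns_remap_enabled FILE: succeed when the daemon.json at FILE sets
# "userns-remap" to a non-empty value. A grep is enough for this single key;
# use a real JSON parser for anything more involved.
userns_remap_enabled() {
  grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Constructed sample daemon configs for the demonstration.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/hardened.json" <<'EOF'
{ "userns-remap": "default", "icc": false }
EOF
cat > "$SAMPLE_DIR/plain.json" <<'EOF'
{ "log-driver": "json-file" }
EOF

# Run with --demo to print the checks for a few constructed version strings.
if [ "${1:-}" = "--demo" ]; then
  for v in 17.03.2-ce 18.06.1 18.09.1 18.09.2 19.03.0; do
    printf '%-12s %s\n' "$v" "$(docker_runc_status "$v")"
  done
  userns_remap_enabled "$SAMPLE_DIR/hardened.json" && echo "hardened.json: userns-remap on"
  userns_remap_enabled "$SAMPLE_DIR/plain.json" || echo "plain.json: userns-remap off"
fi
```

On a live host the version string would come from `docker version --format '{{.Server.Version}}'` and the config from `/etc/docker/daemon.json`; the checks are deliberately read-only so they can be dropped into an inventory script without touching the daemon.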