Today CVE-2019-5736 was announced which impacts all known versions of runc. Runc is the underlying component that creates containers in Docker, Kubernetes, and many other container systems. The full details of this vulnerability are available in the Openwall oss-security mailing list. Due to the severity of this issue, exploits will not be published for another week, giving people time to patch. The impact of this vulnerability is severe and the approach used to exploit this issue is fairly trivial. I have an exploit of this vulnerability that is much easier than the originally reported issue and I can share next week after the original exploit is published.
This vulnerability will allow a container running as root to execute arbitrary code on the host as a privileged user. In practice, this means a container can compromise the Docker host. All that is required is to be able to run a container where the container user is root. The attacker can use an infected Docker image or run exec commands against a non-infected running container. Known mitigating actions for this issue are:
- Running with a read only host file system
- Running user namespaces
- Not running root in containers
- A properly configured AppArmor/SELinux policy (the current default policies are not sufficient)
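As an added example (not part of the original post), the following audit reports which of the mitigations above are missing for a container, reading constructed samples of the JSON that `docker info --format '{{json .}}'` and `docker inspect` emit. The field names follow Docker's output; the values, container ids and the `custom-runc-profile` name are made up, and a read-only host filesystem cannot be seen from these records, so it is not checked.

```python
import json

# Constructed samples standing in for `docker info --format '{{json .}}'`
# (daemon side) and `docker inspect <container>` (container side), trimmed to
# the fields this audit reads. Field names follow Docker's JSON output; the
# values are made up for illustration.
DAEMON_DEFAULT = json.dumps({"SecurityOptions": ["name=apparmor", "name=seccomp,profile=default"]})
DAEMON_REMAPPED = json.dumps({"SecurityOptions": ["name=apparmor", "name=seccomp,profile=default", "name=userns"]})

CONTAINER_DEFAULT = json.dumps([{
    "Id": "constructed-container-1",
    "AppArmorProfile": "docker-default",
    "Config": {"User": ""},
    "HostConfig": {"UsernsMode": ""},
}])
CONTAINER_HARDENED = json.dumps([{
    "Id": "constructed-container-2",
    "AppArmorProfile": "custom-runc-profile",  # hypothetical tailored profile name
    "Config": {"User": "1000:1000"},
    "HostConfig": {"UsernsMode": ""},
}])

def runs_as_root(user):
    """An empty User means the image default, which is root unless the image set USER."""
    return (user or "").split(":")[0] in ("", "root", "0")

def missing_mitigations(daemon_json, container_json):
    """Return the mitigations this container lacks. A read-only host filesystem
    is not visible in these two records and is therefore not checked."""
    daemon = json.loads(daemon_json)
    container = json.loads(container_json)[0]
    missing = []
    if runs_as_root(container.get("Config", {}).get("User")):
        missing.append("container user is root")
    # User namespaces are a daemon-level setting (userns-remap); a container can
    # still opt out of them with --userns=host, which shows up in HostConfig.
    userns_on = any(opt.startswith("name=userns") for opt in daemon.get("SecurityOptions", []))
    if not userns_on or container.get("HostConfig", {}).get("UsernsMode") == "host":
        missing.append("user namespaces not in effect")
    # The stock docker-default profile is not sufficient for this issue, so only a
    # non-default profile counts. SELinux labels live elsewhere and are not inspected here.
    if container.get("AppArmorProfile", "") in ("", "unconfined", "docker-default"):
        missing.append("AppArmor profile is default or absent")
    return missing

if __name__ == "__main__":
    print(missing_mitigations(DAEMON_DEFAULT, CONTAINER_DEFAULT))
    print(missing_mitigations(DAEMON_REMAPPED, CONTAINER_HARDENED))
```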
All Docker users are encouraged to upgrade to 18.09.2. If that is not immediately possible, Rancher Labs has back-ported the fix to all versions of Docker back to 1.12.6. The patches are available here with the instructions to install.
Prior to Rancher, Darren was Sr. Principal Engineer at Citrix where he worked on CloudStack, OpenStack, Docker and building the next generation of infrastructure orchestration technology. Prior to joining Citrix, Darren worked at GoDaddy, where he designed and led a team that implemented both public and private IaaS clouds. Darren has been writing software since he got his first 286 when he was 10, and is happiest when he’s stuffed in a closet banging away in anything but Java. Darren specializes in building systems to reliably control completely unreliable systems. Darren has a B.S. from California State University, Northridge.