Container Escape Flaw Hits AWS, Google Cloud, Linux Distros
A vulnerability recently addressed in runc could allow malicious containers to gain root-level code execution on the host.
Introduced in 2015, runc is a lightweight, portable container runtime that includes all of the code Docker uses to interact with the system features related to containers. The runtime is used by most container platforms on the market, including cri-o, containerd, Kubernetes, Podman, and others.
Tracked as CVE-2019-5736 and carrying a CVSSv3 score of 7.2, the vulnerability can be exploited with minimal user interaction, says Aleksa Sarai, senior software engineer at SUSE Linux and runc maintainer.
Discovered by Adam Iwaniuk and Borys Popławski, the vulnerability could allow a malicious container to overwrite the host runc binary and execute code on the host.
The bug can be triggered when creating a new container using an attacker-controlled image, or when attaching to a running container (using docker exec) that the attacker previously had write access to.
“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” Scott McCarty, Red Hat principal product manager for containers, says.
Using SELinux in targeted enforcing mode prevents this vulnerability from being exploited. However, the default AppArmor policy and the default SELinux policy on Fedora (only the moby-engine package) fail to prevent the bug, Sarai says.
Only privileged containers (root privilege on the host is needed) can exploit the flaw; unprivileged containers with a non-identity ID mapping do not have permission to write to the host binary.
The vulnerability affects runc releases through 1.0-rc6, as used in Docker prior to 18.09.2 and other products. It occurs because of file-descriptor mishandling related to /proc/self/exe.
A GitHub repository was created to offer a backport of patches for older versions of runc that were packaged with Docker.
Exploit code for the vulnerability is expected to be published within a week. A Shodan search shows nearly 4,000 exposed Docker daemons on the internet.
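The affected ranges and the mitigating condition above (runc through 1.0-rc6, Docker before 18.09.2, non-identity ID mapping) are what a host inventory needs to check. The following is an added example, not code from the article or the runc project; it assumes the banners are the first line printed by `docker --version` and `runc --version`, and that a `userns_remap` flag is supplied by the caller.

```python
import re
from typing import NamedTuple, Optional

PATCHED_DOCKER = (18, 9, 2)   # first Docker release shipping the fix (from the article)
LAST_VULNERABLE_RUNC_RC = 6   # runc 1.0-rc6 and earlier are affected (from the article)

# Matches major.minor[.patch][-rcN] inside a banner such as
# "Docker version 18.09.2, build 6247962" or "runc version 1.0.0-rc6".
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


class Version(NamedTuple):
    major: int
    minor: int
    patch: int
    rc: Optional[int]  # None for a final (non-rc) release


def parse_version(banner: str) -> Version:
    """Extract the first major.minor[.patch][-rcN] token from a version banner."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError(f"no version found in {banner!r}")
    major, minor, patch, rc = m.groups()
    return Version(int(major), int(minor), int(patch or 0),
                   int(rc) if rc is not None else None)


def runc_vulnerable(banner: str) -> bool:
    """True for unpatched upstream runc: anything below 1.0.0, or 1.0.0-rc6 and earlier."""
    v = parse_version(banner)
    if (v.major, v.minor, v.patch) < (1, 0, 0):
        return True
    if (v.major, v.minor, v.patch) == (1, 0, 0):
        return v.rc is not None and v.rc <= LAST_VULNERABLE_RUNC_RC
    return False


def docker_vulnerable(banner: str) -> bool:
    """True for Docker releases before 18.09.2."""
    v = parse_version(banner)
    return (v.major, v.minor, v.patch) < PATCHED_DOCKER


def host_status(runc_banner: str, docker_banner: Optional[str] = None,
                userns_remap: bool = False) -> str:
    """Return 'patch', 'mitigated' or 'ok' for one host.

    The article notes the fix was backported to runc builds packaged with Docker,
    so on a Docker host the Docker version is the more reliable signal (assumption:
    such backports need not bump the runc version string).
    """
    affected = docker_vulnerable(docker_banner) if docker_banner else runc_vulnerable(runc_banner)
    if not affected:
        return "ok"
    # A non-identity ID mapping means container root cannot write the host runc binary.
    return "mitigated" if userns_remap else "patch"
```

A version string is only a heuristic for distribution-patched packages; confirm with the package changelog, and treat a "mitigated" host as still needing the update.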