Patch this run(DM)c Docker flaw or you be illin’… Tricky containers can root host packing containers. It’s like that – and that’s the way it is
Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a significant vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies… and that’s exactly what this vulnerability represents,” said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.
The flaw, designated CVE-2019-5736, was discovered by open source security researchers Adam Iwaniuk and Borys Popławski.
“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai in a post to the OpenWall mailing list.
The attack involves replacing the target binary in the container with one that refers back to the runc binary. This can be done by attaching to a privileged container (connecting to its terminal) or by starting a container from a malicious image and making it execute itself.
But the Linux kernel normally would not allow the runc binary on the host to be overwritten while runc is executing.
“To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as /proc/self/fd/<nr> and attempt to write to it in a busy loop from a separate process,” Sarai explains. “Ultimately it will succeed when the runc binary exits.”
The attacker can then run any command as root inside a container and can take over the container host.
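The mechanism described above has two halves: the kernel's refusal to let a running binary be opened for writing, and the write-through-/proc/self/fd path that the sealed-descriptor defence closes. The C program below is an added example, not code from the article, from runc or from Sarai; it shows the first half by trying to open its own executable for writing, and the second half by copying a binary into an anonymous memfd, sealing it with F_SEAL_WRITE and friends, and then checking that neither a direct write nor a fresh writable reopen via /proc/self/fd/<nr> can modify it. A runtime that re-executes itself from such a sealed copy leaves nothing host-owned behind /proc/self/exe for a container to overwrite. It assumes Linux with a glibc that provides memfd_create (the path "/proc/self/exe" is used only as a convenient file to copy).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1. The protection the article mentions: the kernel refuses to open a
 *    binary for writing while it is being executed. Returns the errno of
 *    the failed open (ETXTBSY on an ordinary writable filesystem), or 0 if
 *    the open unexpectedly succeeded. */
int open_running_exe_for_write(void)
{
    int fd = open("/proc/self/exe", O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* 2. The defence: copy `path` into an anonymous memfd and seal it, so that
 *    no later open of it, directly or through /proc/self/fd/<nr>, can write
 *    to, grow or shrink it, and the seal set itself can no longer change.
 *    Returns the sealed fd, or -1 with errno set. */
int make_sealed_copy(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0)
        return -1;

    /* MFD_ALLOW_SEALING must be given at creation, or F_ADD_SEALS is refused. */
    int mfd = memfd_create("sealed-copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) {
        close(src);
        return -1;
    }

    char buf[65536];
    ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(src);
                close(mfd);
                return -1;
            }
            off += w;
        }
    }
    close(src);
    if (n < 0) {
        close(mfd);
        return -1;
    }

    /* F_SEAL_SEAL last: after it, no seal can be added or removed. */
    if (fcntl(mfd, F_ADD_SEALS,
              F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Try to write one byte to `fd` directly. Returns 0 on success or the errno
 * of the failure (EPERM once F_SEAL_WRITE is in place). */
int try_write_direct(int fd)
{
    return write(fd, "X", 1) < 0 ? errno : 0;
}

/* Try to write one byte through a fresh, writable reopen of the descriptor
 * via /proc/self/fd/<nr>, the path the article's attack reopens. Returns 0
 * if the write went through, or the errno it failed with (denied, EPERM). */
int try_write_via_proc(int fd)
{
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int wfd = open(procpath, O_WRONLY);
    if (wfd < 0)
        return errno;
    int err = write(wfd, "X", 1) < 0 ? errno : 0;
    close(wfd);
    return err;
}

/* Build a sealed copy of `path` and report what a writer sees: the errno of
 * the attempted write (direct, or via /proc when via_proc is non-zero), 0 if
 * the write succeeded, or -1 if the copy could not be built. */
int sealed_copy_write_errno(const char *path, int via_proc)
{
    int fd = make_sealed_copy(path);
    if (fd < 0)
        return -1;
    int err = via_proc ? try_write_via_proc(fd) : try_write_direct(fd);
    close(fd);
    return err;
}

int main(void)
{
    printf("write-open of running binary: errno %d\n", open_running_exe_for_write());
    printf("direct write to sealed copy:  errno %d\n", sealed_copy_write_errno("/proc/self/exe", 0));
    printf("write via /proc/self/fd/<nr>: errno %d\n", sealed_copy_write_errno("/proc/self/exe", 1));
    return 0;
}
```

The first check only protects the binary while a process is executing it, which is exactly the window the busy-loop attack waits out; the sealed copy has no such window, because the seals are a property of the in-memory file rather than of any running process.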
Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.
Docker has just released v18.09.2, which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux as well as Red Hat OpenShift are protected, but has mitigation advice for those who need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.
McCarty says this is not the first major container runtime flaw and it won't be the last. “Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well,” he said. ®