Vendors Rush to Fix Container Code Execution Bug
A nasty vulnerability in runc, the backbone behind container systems like Docker and Kubernetes, was disclosed on Monday.
Researchers are sounding the alarm this week over a vulnerability in a universal container runtime that container platforms like Docker, Kubernetes, and containerd all depend on.
The vulnerability is a container escape in runc, the command-line tool that creates and runs containers according to the Open Container Initiative (OCI) runtime specification. It's important to note that the flaw is not in Docker, Kubernetes or containerd themselves but in runc, which sits underneath those tools: each of them delegates the low-level work of spawning a container to runc, so all of them are exposed.
Aleksa Sarai, a senior software engineer at SUSE and one of runc's maintainers, warned of the issue on Monday and pointed users to patches.
If exploited, the bug (CVE-2019-5736) lets a process running as root inside a container gain root privileges outside the container. In Sarai's words, a malicious container could "overwrite the host runc binary and thus gain root-level code execution on the host."
“The level of user interaction,” Sarai went on, “is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts:
• Creating a new container using an attacker-controlled image.
• Attaching (docker exec) into an existing container which the attacker had previous write access to.”
Sarai credited researchers Adam Iwaniuk and Borys Popławski with discovering the vulnerability.
CVE-2019-5736 runc breakout is pretty bad, quick POC demo of a malicious docker container https://t.co/zmE3ww6PvG
— William Bowling (@wcbowling) February 12, 2019
As the Kubernetes team outlined in its blog post on Monday, the vulnerability could allow unlimited access to the server as well as any other containers on that server.
“The most common source of risk is attacker-controlled container images, such as unvetted images from public repositories,” Kubernetes added in the post.
Projects such as Kubernetes and Docker, and cloud providers such as Amazon, outlined fixes for the vulnerability on Monday.
Kubernetes, for example, urged users either to update their version of runc or to mitigate the bug directly by ensuring containers run as a non-zero user ID, since the exploit requires a process running as UID 0 (root) inside the container.
Red Hat, which said the issue affects both the docker and runc packages shipped for Red Hat Enterprise Linux 7, urged customers to apply the updates from its Red Hat Enterprise Linux 7 Extras channel and to ensure SELinux is enabled, which it is by default on RHEL.
Amazon said Monday that updated versions of Docker are available in the Amazon Linux 2 and Amazon Linux AMI 2018.03 repositories. Updated versions of AWS services like RoboMaker, SageMaker, Deep Learning AMI, Cloud9, Elastic Beanstalk, and IoT Greengrass are also available.
Docker, which originally developed runc before donating it to the OCI, pushed an update to address the vulnerability on Monday, as did Google, whose Google Kubernetes Engine Ubuntu nodes were affected by the vulnerability until updates were rolled out.
Users will want to patch this as soon as possible, and the urgency is compounded by the fact that exploit code is slated for public release next Monday, February 18. Holding the exploit back for a week gives vendors time to test their patches against it, but it also means organizations have a short window in which to patch.
"If you have a container runtime, please verify that you are not vulnerable to this issue beforehand," Sarai warned Monday.
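Two practical steps fall out of the advice above: check whether a Docker host is running a patched engine before it pulls untrusted images, and, where upgrading has to wait, start containers as a non-root user so the exploit's precondition (a process running as UID 0 inside the container) is not met. The script below is an added example, not code from the article, from runc or from any of the vendors quoted. It assumes Docker Engine 18.09.2 is the first upstream release carrying the fixed runc; distribution packages that backport the fix under an older version string (Red Hat's docker 1.13.1 packages, for instance) will be reported as vulnerable by a plain version comparison, so check the package changelog or the vendor advisory for those instead. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example: CVE-2019-5736 pre-flight check and non-root mitigation for a
# Docker host. Assumption: 18.09.2 is the first upstream Docker Engine release
# that ships the patched runc. Vendor-backported packages (e.g. RHEL docker
# 1.13.1) need a changelog check instead:  rpm -q --changelog docker | grep CVE-2019-5736

FIXED_DOCKER_VERSION="18.09.2"

# version_ge A B: exit 0 if dotted version A >= B, comparing field by field as
# integers. Trailing non-numeric suffixes such as "-ce" are ignored, and a
# missing field counts as 0, so "18.09" == "18.09.0".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        len = (n > m) ? n : m
        for (i = 1; i <= len; i++) {
            xi = (i <= n) ? x[i] : "0"; yi = (i <= m) ? y[i] : "0"
            sub(/[^0-9].*$/, "", xi); sub(/[^0-9].*$/, "", yi)
            xi += 0; yi += 0          # "09" -> 9, "" -> 0
            if (xi > yi) exit 0
            if (xi < yi) exit 1
        }
        exit 0
    }'
}

# docker_is_patched VERSION: exit 0 if the engine version string is at or above
# the first upstream release with the runc fix (assumption above).
docker_is_patched() {
    version_ge "$1" "$FIXED_DOCKER_VERSION"
}

# check_host: ask the running daemon for its server version and classify it.
# Exit 0 = patched, 1 = vulnerable, 2 = daemon not reachable.
check_host() {
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || {
        echo "docker daemon not reachable" >&2
        return 2
    }
    if docker_is_patched "$v"; then
        echo "PATCHED: Docker Engine $v"
    else
        echo "VULNERABLE: Docker Engine $v (upgrade before running untrusted images)"
        return 1
    fi
}

# run_unprivileged IMAGE [CMD...]: the mitigation the Kubernetes team described,
# applied at the docker CLI: run the container's main process as the "nobody"
# UID/GID so nothing inside it runs as UID 0. The same applies to the second
# trigger the advisory lists (attaching to a container as root): use
# `docker exec --user 65534:65534 ...` rather than a root shell.
run_unprivileged() {
    image="$1"; shift
    docker run --rm --user 65534:65534 "$image" "$@"
}

# No-op when sourced; "check" or "run IMAGE [CMD...]" when invoked directly.
case "${1:-}" in
    check) check_host ;;
    run)   shift; run_unprivileged "$@" ;;
esac
```

The version check deliberately refuses to touch anything else on the host: the point of a pre-flight check is to know whether the runtime can be trusted before a container is created, not after. Running as a non-zero UID removes the exploit's precondition but does not fix runc, so it is a stopgap until the engine and runc packages are updated.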