DATAINSIDER

Digital Guardian's Blog

Vendors Rush to Fix Container Code Execution Bug

by Chris Brook on Thursday February 14, 2019


A nasty vulnerability in runc, the backbone behind container systems like Docker and Kubernetes, was disclosed on Monday.

Researchers are sounding the alarm this week around a vulnerability in a universal container runtime critical to container platforms like Docker, Kubernetes, and containerd.

The vulnerability, a container escape, affects runc, a command-line tool for running containers according to the Open Container Initiative specification. It's important to note that the vulnerability isn't in those aforementioned tools but in runc, which underpins them.

Aleksa Sarai, a senior software engineer at SUSE and one of runc's maintainers, warned of the issue on Monday and pointed users to patches.

If exploited, the bug (CVE-2019-5736) could let a program running with root privileges inside a guest container make changes with root privileges outside the container. In the words of Sarai, a malicious container could "overwrite the host runc binary and thus gain root-level code execution on the host."

“The level of user interaction,” Sarai went on, “is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts:
• Creating a new container using an attacker-controlled image.
• Attaching (docker exec) into an existing container which the attacker had previous write access to.”

Sarai credited researchers Adam Iwaniuk and Borys Popławski with discovering the vulnerability.

As the Kubernetes team outlined on Monday, the vulnerability could allow unlimited access to the server as well as any containers on that server.

“The most common source of risk is attacker-controlled container images, such as unvetted images from public repositories,” Kubernetes added in their blog post.

Vendors such as Kubernetes and Docker, and cloud providers such as Amazon, outlined fixes to address the vulnerability on Monday.

Kubernetes, for example, urged users to either update their version of runc or mitigate the bug directly by ensuring containers run as a non-zero UID, since the exploit requires UID 0 (a process running as root) within the container.
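One way to check that mitigation on a Docker host, as an added example that is not code from the article or from any vendor advisory: it reads the JSON that `docker inspect` prints, looks at each container's `Config.User` field, and flags containers whose main process runs as UID 0. The sample inspect output below is constructed for illustration.

```python
import json

# Constructed sample of `docker inspect <container ...>` output (not real hosts),
# trimmed to the fields this audit needs.
SAMPLE_INSPECT = json.dumps([
    {"Id": "aaa111", "Name": "/web", "Config": {"User": ""}},
    {"Id": "bbb222", "Name": "/worker", "Config": {"User": "1000:1000"}},
    {"Id": "ccc333", "Name": "/legacy", "Config": {"User": "root"}},
    {"Id": "ddd444", "Name": "/batch", "Config": {"User": "0"}},
    {"Id": "eee555", "Name": "/svc", "Config": {"User": "appuser"}},
])


def classify_user(user_field):
    """Map Docker's Config.User string to 'root', 'nonroot' or 'unknown'.

    An empty value means no USER was set in the image or on the command line,
    so the container's main process runs as UID 0, the precondition for
    CVE-2019-5736 that the Kubernetes mitigation advice targets.
    """
    name = user_field.split(":", 1)[0].strip()   # drop any ":group" suffix
    if name == "" or name == "root":
        return "root"
    if name.isdigit():
        return "root" if int(name) == 0 else "nonroot"
    # Named user: resolving it needs the image's /etc/passwd, so flag for review
    return "unknown"


def audit_containers(inspect_json):
    """Return {container name: classification} for every container in the dump."""
    result = {}
    for entry in json.loads(inspect_json):
        name = entry.get("Name", entry.get("Id", "?")).lstrip("/")
        result[name] = classify_user(entry.get("Config", {}).get("User", ""))
    return result


def root_containers(inspect_json):
    """Sorted names of containers whose main process runs as UID 0."""
    return sorted(n for n, c in audit_containers(inspect_json).items() if c == "root")


if __name__ == "__main__":
    # On a real host: docker inspect $(docker ps -q) > inspect.json
    for name, cls in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name:10s} {cls}")
    print("running as root:", root_containers(SAMPLE_INSPECT))
```

Containers reported as "root" still satisfy the exploit's precondition even after this check; the fix is to update runc and set a non-root USER in the image or at run time.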

Red Hat, which said the issue affects both the docker and runc packages available on Red Hat Enterprise Linux 7, urged customers to apply updates from its Red Hat Enterprise Linux 7 Extras channel and to ensure they have SELinux enabled, which is the default on most systems.

Amazon said Monday that updated versions of Docker are available in the Amazon Linux 2 and Amazon Linux AMI 2018.03 repositories. Updated versions of AWS services like RoboMaker, SageMaker, Deep Learning AMI, Cloud9, Elastic Beanstalk, and IoT Greengrass are also available.

Docker, which initially developed runc, pushed an update to address the vulnerability on Monday, as did Google, whose Google Kubernetes Engine Ubuntu nodes were affected by the vulnerability until updates were pushed.

Users will obviously want to patch as soon as possible, and the urgency is compounded by the fact that exploit code is slated to be released for the vulnerability next Monday, February 18. Releasing the code allows vendors to carry out penetration testing against their patches, but it also shortens the patching window for organizations.

"If you have a container runtime, please verify that you are not vulnerable to this issue beforehand," Sarai warned Monday.

Tags: Vulnerabilities


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.