Flaw in runC could allow malicious containers to infect host environment

News by Bradley Barth

A vulnerability discovered in the runC container management tool has exposed multiple privileged container systems to a potential exploit through which attackers could allow malware to escape a container and compromise an entire host system.

Designated CVE-2019-5736, the flaw allows attackers to use a malicious container to overwrite the host runC binary during the execution of a command as root, thereby granting themselves root access to the host. This works under two scenarios: when using a new container with an attacker-controlled image, or when attaching into an existing container to which the attackers previously had write access.
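Because the attack described above works by replacing the host's runC binary, one defender-side check is to record a hash baseline for that binary right after patching and re-verify it on a schedule. The script below is an added example, not code from the article or the runC project; the install paths are assumptions and the demo's fake binary is constructed.

```python
import hashlib
import os
import tempfile

# Assumed install locations of the host runtime binary (not from the article).
RUNTIME_BINARIES = ["/usr/bin/runc", "/usr/sbin/runc"]


def sha256_of(path):
    """Stream the file so a large binary is not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def record_baseline(paths):
    """Return {path: sha256} for each existing path; take this right after patching."""
    return {p: sha256_of(p) for p in paths if os.path.isfile(p)}


def verify(baseline):
    """Return {path: 'modified' | 'missing'} for binaries that no longer match."""
    findings = {}
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings[path] = "missing"
        elif sha256_of(path) != expected:
            findings[path] = "modified"
    return findings


def demo():
    """Constructed demo: a fake 'runc' in a temp dir is overwritten and caught."""
    with tempfile.TemporaryDirectory() as d:
        fake_runc = os.path.join(d, "runc")
        with open(fake_runc, "wb") as f:
            f.write(b"#!/bin/sh\necho genuine runc\n")
        baseline = record_baseline([fake_runc])
        with open(fake_runc, "wb") as f:  # simulate the binary being replaced
            f.write(b"#!/bin/sh\necho tampered\n")
        return verify(baseline)


if __name__ == "__main__":
    # On a real host: store record_baseline(RUNTIME_BINARIES) after patching,
    # then run verify() on a schedule and alert on any finding.
    print(demo())
```

An empty result from verify() means every recorded binary is unchanged; a hit does not prove this CVE was exploited, only that the runtime binary was replaced outside your patch process.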

Aleksa Sarai, a long-time contributor to the Open Container Initiative (OCI), which develops runC, acknowledged the flaw in a Tuesday post on Openwall.com, noting that OCI has already issued a patch, and will release exploit code on 18 February to help container vendors ensure that these fixes will resolve the issue.

Affected products include containerisation solutions such as CRI-O, containerd, Docker, Kubernetes (indirectly impacted) and Podman, as well as companies like Red Hat and Amazon Web Services, which offer containerisation capabilities via an array of products and services, including their own Linux distributions.

These vendors have issued security advisories recommending customers download the latest version of their product and launch new container instances in order to protect themselves against a potential future exploit. The Linux distribution Ubuntu and the Unix-like operating system Debian are also working on patches, since containers generally run on Linux server environments.

"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," said Scott McCarty, principal product manager of containers at Red Hat, in a company blog post. "A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organisation and that’s exactly what this vulnerability represents."

Discovery of the vulnerability is credited to security researchers Adam Iwaniuk and Borys Poplawski.

This article was originally published on SC Media US.
