Trending CVEs for the Week of February 11th, 2019
- Feb 13, 2019
- Shawn Evans
If you follow cybersecurity news at all, you have likely already seen mentions of a major security flaw related to runc that allows attackers to gain root access to host systems running popular containerization technologies such as Docker and Kubernetes. In fact, CVE-2019-5736 is so popular that it has had more weekly Twitter mentions than the last three trending CVEs we covered, combined. This comes as no surprise, considering that Docker and Kubernetes are widely cited as two of the most influential and widely adopted open-source projects of the last few years. They make it possible to package and ship programs and get more apps running on the same old servers.
If you don’t have a technical background, here’s a good overview of the similarities, differences and uses of the two. In short, Docker is what enables us to create, run and manage containers on a single operating system. Containerization is an approach to running applications on an operating system such that each application is isolated from the rest of the system. Once Docker is installed on many hosts (possibly running different operating systems), Kubernetes can then automate container provisioning, networking, load balancing, security and scaling across all of these nodes from a single command line or dashboard. Deep down, at the heart of these systems, is runc – a universal command-line tool developed by Docker. It is used by Docker, Kubernetes and other containerization systems to spawn and run containers.
The vulnerability in question allows a container to overwrite the host runc binary and thereby gain root-level code execution on the host with minimal user interaction. The root cause is file-descriptor mishandling related to /proc/self/exe. It can be exploited by leveraging the ability to execute a command as root in either of these contexts:
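Because the exploit works by replacing the runc binary on the host, the most direct host-side detection signal is "did the on-disk runc change when no package update explained it?". The following is an added example written for this post, not code from the original article or from the runc project: a small file-integrity check that records a baseline (hash, size, mtime, mode) of the runc binary right after a trusted install and later reports drift or unsafe permissions. The install paths in `RUNC_CANDIDATES` and the findings strings are assumptions for illustration.

```python
"""Added example: baseline-and-compare integrity check for the host runc binary.
Not from the original post; paths below are assumed common install locations."""
import hashlib
import os
import stat

# Assumed locations where distro or Docker packages commonly install runc.
RUNC_CANDIDATES = ("/usr/bin/runc", "/usr/sbin/runc", "/usr/bin/docker-runc")


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so large binaries are not read at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def find_runc(candidates=RUNC_CANDIDATES):
    """Return the first candidate path that exists, or None."""
    for p in candidates:
        if os.path.isfile(p):
            return p
    return None


def record_baseline(path):
    """Capture the state of a trusted runc binary (run this after patching)."""
    st = os.stat(path)
    return {
        "sha256": sha256_of(path),
        "size": st.st_size,
        "mtime": int(st.st_mtime),
        "mode": stat.S_IMODE(st.st_mode),
    }


def check_runc(path, baseline):
    """Compare the current binary against the baseline; return a list of findings.
    An empty list means nothing changed and permissions look sane."""
    if not os.path.isfile(path):
        return ["missing: runc binary not found at %s" % path]
    cur = record_baseline(path)
    findings = []
    if cur["sha256"] != baseline["sha256"]:
        findings.append("content changed: sha256 differs from baseline")
    if cur["size"] != baseline["size"]:
        findings.append("size changed: %d -> %d" % (baseline["size"], cur["size"]))
    if cur["mtime"] != baseline["mtime"]:
        findings.append("mtime changed (unexpected if no package update ran)")
    # A group- or world-writable runc is a misconfiguration regardless of the CVE.
    if cur["mode"] & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("binary is group- or world-writable (mode %o)" % cur["mode"])
    return findings


if __name__ == "__main__":
    runc = find_runc()
    if runc is None:
        print("no runc binary found in", RUNC_CANDIDATES)
    else:
        base = record_baseline(runc)
        print("baseline for", runc, base)
        for f in check_runc(runc, base):
            print("FINDING:", f)
```

In practice the baseline would be stored off-host (or fed from the package manager's own manifest) and `check_runc` run on a schedule; a hash mismatch on a node that has not had a package update is a strong indicator that something wrote to the binary and the node should be isolated and re-imaged rather than patched in place.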
The CVE was published in NVD on 02/11/2019 and is currently awaiting analysis.
The vulnerability affects a wide range of products, including:
For a more detailed list, please refer to SecurityFocus.
Container breakout vulnerabilities have been described as rare, worst-case scenarios, and this particular one has been referred to as a doomsday security hole.
According to Scott McCarty, principal product manager at Red Hat, the nature of containers means that exploiting this vulnerability could have a cascading effect and prove to be a difficult scenario for any IT organization:
Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.
Aleksa Sarai, one of the maintainers of runc and a senior software engineer with SUSE Linux GmbH, has released a patch and generic exploit code and noted that more specific exploit code will be released on February 18th, after coordinated disclosure.
Patches are being distributed by all major operating system vendors, and cloud providers are advising customers to update. Emergency updates have been issued by Docker, Amazon, Google, and Red Hat, among others:
Docker and Kubernetes Background Information