Trending CVEs for the Week of February 11th, 2019

CVE-2019-5736 – malicious container “break out” vulnerability in runc

If you follow cybersecurity news at all, you have likely already seen mentions of a major security flaw in runc that allows attackers to gain root access to hosts running popular containerization technologies such as Docker and Kubernetes. In fact, CVE-2019-5736 is so popular that it has had more weekly Twitter mentions than the last three trending CVEs we covered, combined. This comes as no surprise, considering that Docker and Kubernetes are widely cited as two of the most influential and widely adopted open-source projects of the last few years: they make it possible to package and ship applications and to run more of them on the same existing servers.

If you don’t have a technical background, here’s a good overview of the similarities, differences and uses of the two. In short, Docker is what lets us create, run and manage containers on a single operating system. Containerization is an approach to running applications in which each application is isolated from the rest of the system. Once Docker is installed on many hosts (which may run different operating systems), Kubernetes can automate container provisioning, networking, load balancing, security and scaling across all of those nodes from a single command line or dashboard. Deep down, at the heart of these systems, is runc – a universal command-line tool developed by Docker that Docker, Kubernetes and other containerization systems use to spawn and run containers.

The vulnerability allows a container to overwrite the host runc binary and thereby gain root-level code execution on the host with minimal user interaction. It is caused by file-descriptor mishandling related to /proc/self/exe. It can be exploited by leveraging the ability to execute a command as root inside a container in either of these contexts:

  • Creating a new container based on a malicious, attacker-controlled image
  • Attaching (docker exec) to an existing container to which the attacker previously had write access.

The CVE was published in NVD on 02/11/2019 and is currently awaiting analysis.

Affected Products

The vulnerability affects a wide range of products, including:

  • Red Hat Enterprise Linux Server 7
  • Red Hat Enterprise Linux for Power, little endian 7
  • Red Hat Enterprise Linux for Power 9 7
  • Red Hat Enterprise Linux for IBM z Systems 7
  • Red Hat Enterprise Linux for IBM System z (Structure A) 7
  • Red Hat Enterprise Linux for ARM 64 7
  • Red Hat Enterprise Linux 7
  • Opencontainers runc (versions through 1.0-rc6)
  • Kubernetes (versions up to 1.12.5)
  • Docker versions before 18.9.2
  • Amazon Web Services AWS IoT GreenGrass 1.6.1 and 1.7.1
  • Amazon Web Services AWS Fargate Platform 1.0 – 1.3
  • Amazon Web Services AWS Cloud9 0
  • Amazon Web Services Amazon Linux AMI 2018.03
  • Amazon Web Services Amazon Linux 2

For a more detailed list, please refer to SecurityFocus.

Exploitation and Risk

Container breakout vulnerabilities have been described as rare, worst-case scenarios, and this particular one has been referred to as a doomsday security hole.

According to Scott McCarty, principal product manager at Red Hat, the nature of containers means that exploiting this vulnerability could have a cascading effect and prove to be a difficult scenario for any IT organization:

Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.

Aleksa Sarai, one of the maintainers of runc and a senior software engineer with SUSE Linux GmbH, has released a patch and generic exploit code and noted that more specific exploit code will be released on February 18th, after coordinated disclosure.

Fixes

Patches are being distributed by all major operating system vendors, and cloud providers are advising customers to update. Emergency updates have been issued by Docker, Amazon, Google and Red Hat, among others:

  • Docker has issued an updated version (18.9.2) that addresses the vulnerability.
  • AWS advises that while many customers won’t need to take any action, those using Docker in Amazon Linux and those using Elastic Container Services (ECS) need to launch new instances from the latest AMI version. Updated versions of Amazon Elastic Container Service for Kubernetes (EKS), AWS Fargate and AWS IoT Greengrass services are available and upgrades are recommended.
  • Google notes that Google Kubernetes Engine (GKE) Ubuntu nodes are affected by these vulnerabilities, and recommends upgrading to the latest patch version as soon as possible.
  • Red Hat issued an advisory to update affected products, but based on the above-mentioned blog post by McCarty, the flaw likely won’t affect many of its customers, because SELinux running in targeted enforcing mode would prevent it from being exploited.
  • Our Sr. software engineer, Zach King, explains how to fix it in this blog post.
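As an added example (not code from the original post, nor from Docker, Red Hat or any other vendor cited here), the following POSIX shell script turns two practical points from this post into host-side checks a defender can run: the fixed versions listed under Fixes, and the fact that the exploit works by overwriting the host runc binary. It assumes that `docker version --format '{{.Server.Version}}'` prints the engine version, that `runc --version` prints "runc version X" on its first line, that the Docker release the post writes as 18.9.2 appears in Docker's own version string as 18.09.2, and that a known-good SHA-256 of the host runc binary was recorded in RUNC_BASELINE_SHA256 before any incident; all four are assumptions, not statements from the post.

```shell
#!/bin/sh
# Added example, not code from the original post. Host-side checks for CVE-2019-5736.
# Assumptions (not stated in the post): `docker version --format '{{.Server.Version}}'`
# prints a version such as 18.09.2; `runc --version` prints "runc version 1.0.0-rc6"
# as its first line; RUNC_BASELINE_SHA256 holds a sha256 of the host runc recorded
# before any incident; the post's "18.9.2" is Docker's version string "18.09.2".

# component VERSION N: print the N-th dotted numeric component (1-based), or 0 if
# VERSION has fewer components. Any "-rcN" or "+dev" suffix is dropped first.
component() {
  v=${1%%-*}; v=${v%%+*}; n=$2
  while [ "$n" -gt 1 ]; do
    case $v in *.*) v=${v#*.} ;; *) v='' ;; esac
    n=$((n - 1))
  done
  v=${v%%.*}; v=${v#0}                  # "09" -> "9", "0" -> "" (printed as 0)
  printf '%s\n' "${v:-0}"
}

# version_lt A B: exit 0 if A is older than B. Three numeric components are
# compared first; on a tie a "-rcN" pre-release sorts below its final release,
# so 1.0.0-rc6 < 1.0.0-rc7 < 1.0.0. Trailing "+..." build metadata is ignored.
version_lt() {
  n=1
  while [ "$n" -le 3 ]; do
    x=$(component "$1" "$n"); y=$(component "$2" "$n")
    if [ "$x" -lt "$y" ]; then return 0; fi
    if [ "$x" -gt "$y" ]; then return 1; fi
    n=$((n + 1))
  done
  a_pre=${1#"${1%%-*}"}; a_pre=${a_pre%%+*}    # "" or "-rcN"
  b_pre=${2#"${2%%-*}"}; b_pre=${b_pre%%+*}
  if [ -z "$a_pre" ]; then return 1; fi         # A is a final release: not older
  if [ -z "$b_pre" ]; then return 0; fi         # B is final, A is a pre-release
  if [ "${a_pre#-rc}" -lt "${b_pre#-rc}" ]; then return 0; fi
  return 1
}

# docker_vulnerable VERSION: exit 0 if a Docker engine at VERSION predates 18.09.2.
docker_vulnerable() { version_lt "$1" "18.09.2"; }

# runc_vulnerable VERSION: exit 0 if an upstream runc at VERSION is 1.0.0-rc6 or
# older. Vendor builds backported the fix without changing this string, so a hit
# here means "check the vendor advisory", not "definitely unpatched".
runc_vulnerable() { ! version_lt "1.0.0-rc6" "$1"; }

# runc_matches_baseline PATH SHA256: exit 0 if the on-disk binary still hashes to the
# recorded value. The exploit works by overwriting the host runc, so a changed hash on
# a host that did not just receive a runc update is a strong indicator of compromise.
runc_matches_baseline() {
  [ -f "$1" ] || return 1
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  [ "$actual" = "$2" ]
}

# Report for this host; each check is skipped when the tool or baseline is absent.
if command -v docker >/dev/null 2>&1; then
  dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || dv=''
  if [ -n "$dv" ]; then
    if docker_vulnerable "$dv"; then echo "docker $dv: predates 18.09.2, update the engine"
    else echo "docker $dv: at or past 18.09.2"; fi
  fi
fi
if command -v runc >/dev/null 2>&1; then
  rv=$(runc --version 2>/dev/null | sed -n '1s/^runc version //p')
  if [ -n "$rv" ]; then
    if runc_vulnerable "$rv"; then echo "runc $rv: version string is rc6 or older, check the vendor advisory"
    else echo "runc $rv: newer than rc6"; fi
  fi
fi
runc_path=$(command -v runc 2>/dev/null || echo /usr/bin/runc)
if [ -n "${RUNC_BASELINE_SHA256:-}" ] && [ -f "$runc_path" ]; then
  if runc_matches_baseline "$runc_path" "$RUNC_BASELINE_SHA256"; then echo "runc binary matches baseline"
  else echo "runc binary DIFFERS from baseline: investigate"; fi
fi
```

Version strings are a weak signal on their own: many distribution and Docker builds shipped the fix as a backport with the runc version string left at 1.0.0-rc6, so treat a "vulnerable" runc answer as a prompt to read the vendor advisory rather than as proof. The hash comparison is the more useful detection: it directly tests for the outcome the exploit produces, and on an RPM-based host `rpm -Vf /usr/bin/runc` gives the same answer against the package database without a hand-kept baseline.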

References

  • AWS Advisory
  • Google Advisory
  • Red Hat Vulnerability Response
  • Red Hat Blog Post
  • Patch and PoC Exploit
  • Docker and Kubernetes Background Information
  • Tripwire News Post
  • ZDNet News Post
