A security vulnerability in runc could expose tons of Docker and Kubernetes managed containers

• Researchers discovered a vulnerability which allows a malicious container to overwrite the host runc binary and gain root-level code execution on the host system.
• Researchers noted that in order to perform an attack on the host system, an attacker has to place a malicious container within the system.

A security vulnerability (CVE-2019-5736) was uncovered in runc which could enable a malicious container to escape the confines of its isolated process segment. runc is the basic container runtime for Docker, Kubernetes, and other container-dependent programs, which is widely used. It's an open-source command-line tool developed by Docker for running containers.

Security researchers Adam Iwaniuk and Borys Popławski discovered the vulnerability which allows a malicious container to overwrite the host runc binary and gain root-level code execution on the host system.

“The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root,” said Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer.

To perform an attack on the host system, an attacker has to place a malicious container within the system. Researchers noted that this is not that difficult as sysadmins often use the first container that comes to hand without checking its software.

Hundreds-of-thousands of containers vulnerable

Scott McCarty, Red Hat technical product manager for containers, warned about the security flaw (CVE-2019-5736) in runc and Docker.

“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” McCarty said.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that's exactly what this vulnerability represents,” McCarty added.

Other affected containers

Sarai also stated that the vulnerability could also attack container systems using LXC and Apache Mesos container code. The runC maintainer further requested users running any kind of container to patch immediately.

Most cloud container systems are vulnerable to this attack. Multiple services at Amazon Web Services (AWS) are impacted by this vulnerability. The other affected services include Amazon Linux, Amazon Elastic Container Service (ECS), Elastic Container Service for Kubernetes (EKS), AWS Fargate, IoT Greengrass, AWS Batch, Elastic Beanstalk, Cloud9, Sagemaker, RoboMaker, and the Deep Learning AMI.

Google also confirmed that Google Kubernetes Engine (GKE) Ubuntu nodes are impacted by the vulnerability. Other GKE nodes that are not running on Ubuntu are not impacted.

Patch available

A patch has been made publicly available in the upstream runc project and multiple vendors and cloud providers are currently pushing the updates where necessary.

Security updates are also being released by multiple vendors. Red Hat has requested its customers to update to help minimize risk.

“This vulnerability is mitigated by the use of SELinux in targeted enforcing mode, which completely prevents this vulnerability from being exploited. The default for SELinux on Red Hat Enterprise Linux 7 is targeted enforcing mode,” Red Hat said in its report.