On February 11, 2019, security researchers Adam Iwaniuk and Borys Popławski responsibly disclosed a vulnerability in Runc, the standard utility for spawning and running containers in Docker, containerd, Podman, and CRI-O, that allows malicious containers to break out of the container and gain root-level access on the host machine. This has been assigned CVE-2019-5736.
Containers are micro virtual machines that run on Linux and are quickly becoming a popular technology, especially in DevOps environments, because they make it very easy to provision and deprovision computer capacity to meet demand.
Shodan scans indicate about 4,000 Docker daemons are currently exposed to this vulnerability. Red Hat, SuSE, Amazon, and other major Linux vendors and cloud providers have released updates to patch the vulnerability.
Runc maintainer and SuSE employee Aleksa Sarai will publish exploit code on February 18, 2019.
To use this vulnerability, an attacker deploys a malicious container on a machine that in turn overwrites the runc binary running on the host, leading to a sandbox escape with root-level privileges on the host machine. This can allow the attacker to run commands as root on the host machine, any containers he or she previously had access to, and spawn new containers. Since many administrators deploy containers by copying another container, it is easy for legitimate system administrators to spread the attack inadvertently.
The vulnerability is not blocked by default protections such as AppArmor policies or SELinux policies on Fedora due to how the container processes run, but it should be noted that the vulnerability is blocked by the correct use of user namespaces, where the host root is not mapped into a container’s user namespace.
Since the attacker gains root access on the host machine, the potential impact is nearly limitless, including but not limited to loss or destruction of data, system outages, and malicious code running on your systems.
What You Should Do
There are several mitigations besides patching to help prevent this attack.
- Scan your Linux hosts, including cloud-based systems, for CVE-2019-5736
- Deploy the update for CVE-2019-5736 before February 18, 2019
- Don’t run containers as root
- Don’t map root into the container’s user namespace
- Deploy SELinux
Performing the last three mitigations should be considered a best practice, even after the patch is deployed, to mitigate against similar attacks in the future. Setting up Docker containers running as root or with root in their username space are both common practice, but security researchers recommend against both.
GuidePoint’s vSOC will provide additional information as it is made public to help protect our clients.
Dave Farquhar, vSOC Identify Program Manager