Docker swings door shut on privilege escalation bug
Container escape vuln patched
Docker has patched what it calls a “minor” container escape.
CVE-2016-9962 was a bug in
runc – an insecure file descriptor opening that cleared the way to local privilege escalation. In other words, the contents of one container could be exposed to another, running under the same Docker instance.
From its Full Disclosure post:
“RunC allowed additional container processes via `runc exec` to be ptraced by the pid 1 of the container. This allows the main processes of the container, if running as root, to gain access to file-descriptors of these new processes during the initialization, and can lead to container escapes or modification of runC state before the process is fully placed inside the container.”
From the patch description at GitHub, it seems that the unpatched version of
runc failed to make init processes non-dumpable before they're associated with the
pid (process identifier).
Docker's Tõnis Tiigi and SUSE's Aleksa Sarai found the bug. ®