Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is
'Doomsday scenario' unless devops crowd walks this way
Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.
"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.
The flaw, designated CVE-2019-5736, was found by open source security researchers Adam Iwaniuk and Borys Popławski.
"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," said Sarai in a post to the OpenWall mailing list.
The attack involves replacing the target binary in the container with one that refers back to the runc binary. This can be done by attaching a privileged container (connecting it to the terminal) or starting it with a malicious image and making it execute itself.
But the Linux kernel normally would not allow the runc binary on the host to be overwritten while runc is executing.
"To overcome this, the attacker can instead open a file descriptor to
/proc/self/exe using the
O_PATH flag and then proceed to reopen the binary as
/proc/self/fd/<nr> and try to write to it in a busy loop from a separate process," Sarai explains. "Ultimately it will succeed when the runc binary exits."
The attacker can then run any command as root within a container and can take over the container host.
Docker invites elderly Windows Server apps to spend remaining days in supervised careREAD MORE
Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.
Docker has just released v18.09.2 which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux as well as Red Hat OpenShift are protected but has mitigation advice for those who need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.
McCarty says this isn't the first major container runtime flaw and it won't be the last. "Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he said. ®