Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is

'Doomsday scenario' unless devops crowd walks this way

By Thomas Claburn in San Francisco


Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.

The flaw, designated CVE-2019-5736, was found by open source security researchers Adam Iwaniuk and Borys Popławski.

"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," said Sarai in a post to the OpenWall mailing list.

The attack works by replacing the binary that runc is about to execute inside the container with one that refers back to runc itself. If the target is /bin/bash, say, it can be swapped for a script whose interpreter line is #!/proc/self/exe, so that when runc executes the target it is in fact executing a second copy of itself, with /proc/self/exe pointing at the host's runc binary. All the attacker needs is for some command to be run as root inside the container, either by starting a new container from an attacker-controlled image or by attaching (docker exec) to an existing container the attacker has already been able to write to.

But the Linux kernel refuses to open a binary for writing while a process is executing from it (the open fails with ETXTBSY), so the container process cannot simply write over the host's runc through /proc/self/exe while runc is running.

"To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as O_WRONLY through /proc/self/fd/<nr> and try to write to it in a busy loop from a separate process," Sarai explains. "Ultimately it will succeed when the runc binary exits."

Once the host's runc binary has been overwritten, the next invocation of runc on that host, to start or attach to any container, executes the attacker's code as root outside the container, so a single malicious container can take over the host.



Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.
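The fix that went into runc closes the hole at the /proc/self/exe end rather than the ETXTBSY end: before entering the container, runc copies its own binary into an anonymous memfd, seals it against any further modification, and re-executes from that fd, so a container that follows /proc/self/exe reaches a sealed in-memory copy instead of the host's file. The program below is an added example written for this article, not runc's own code, showing that technique end to end: it clones /proc/self/exe into a sealed memfd, replays the overwrite attempt described above (open the fd for writing through /proc/self/fd/N and write a payload) against the copy, and then re-executes itself from the memfd and reports what /proc/self/exe now resolves to. The memfd name "runc-demo", the environment variable SEALED_DEMO_REEXECED, the function names and the payload string are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Seals applied to the copy: it can neither grow, shrink, be written, nor be unsealed. */
#define DEMO_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy the file at src into an anonymous, sealed memfd. Returns the fd, or -1 with errno set. */
int sealed_copy_of(const char *src)
{
    int in = open(src, O_RDONLY | O_CLOEXEC);
    if (in < 0)
        return -1;
    /* "runc-demo" is an arbitrary name for this example; it only shows up in /proc/self/exe. */
    int mfd = memfd_create("runc-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) {
        close(in);
        return -1;
    }
    char buf[1 << 16];
    ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n;) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) {
                close(in);
                close(mfd);
                return -1;
            }
            off += w;
        }
    }
    close(in);
    /* Sealing is the point: once F_SEAL_WRITE is set nobody, root included, can change the bytes. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, DEMO_SEALS) < 0) {
        close(mfd);
        return -1;
    }
    return mfd;
}

/* Does the fd carry every seal we expect? */
int is_fully_sealed(int fd)
{
    int seals = fcntl(fd, F_GET_SEALS);
    return seals >= 0 && (seals & DEMO_SEALS) == DEMO_SEALS;
}

/* Replay the attacker's move against the copy: reopen it for writing through
 * /proc/self/fd/N and try to write a payload. Returns 0 if the write went through,
 * otherwise the errno of the failing open() or write(). */
int try_overwrite_via_procfd(int fd)
{
    char procpath[64];
    snprintf(procpath, sizeof procpath, "/proc/self/fd/%d", fd);
    int wfd = open(procpath, O_WRONLY);
    if (wfd < 0)
        return errno;
    /* Constructed stand-in for an attacker-supplied replacement binary. */
    static const char payload[] = "#!/bin/sh\necho this would run as root on the host\n";
    int rc = write(wfd, payload, sizeof payload - 1) < 0 ? errno : 0;
    close(wfd);
    return rc;
}

int main(int argc, char **argv)
{
    (void)argc;
    if (getenv("SEALED_DEMO_REEXECED")) {
        /* Second life: the process image now comes from the memfd, so the path a
         * container could reach through /proc/self/exe is no longer the host binary. */
        char link[128];
        ssize_t n = readlink("/proc/self/exe", link, sizeof link - 1);
        if (n < 0) {
            perror("readlink");
            return 1;
        }
        link[n] = '\0';
        printf("/proc/self/exe now resolves to: %s\n", link);
        return 0;
    }
    int mfd = sealed_copy_of("/proc/self/exe");
    if (mfd < 0) {
        perror("sealed_copy_of");
        return 1;
    }
    printf("copy fully sealed: %s\n", is_fully_sealed(mfd) ? "yes" : "no");
    printf("overwrite via /proc/self/fd: %s\n", strerror(try_overwrite_via_procfd(mfd)));
    setenv("SEALED_DEMO_REEXECED", "1", 1);
    fexecve(mfd, argv, environ); /* only returns on failure */
    perror("fexecve");
    return 1;
}
```

Run it on any Linux with /proc mounted: the write attempt fails with "Operation not permitted" (F_SEAL_WRITE is enforced at write time, which is why the open through /proc/self/fd/N still succeeds but the write does not), and after the re-exec /proc/self/exe reads "/memfd:runc-demo (deleted)". The same idea applies to any privileged launcher that hands a process tree to untrusted code: if the running image cannot be reached as a writable file from the other side, the busy-loop race in the advisory has nothing to win.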

Docker has just released v18.09.2, which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux as well as Red Hat OpenShift are protected, but has mitigation advice for those who need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.

Linux distributions Debian and Ubuntu are working on fixes. AWS and Google Cloud have posted security notices advising customers to update containers on a variety of affected services.

McCarty says this isn't the first major container runtime flaw and it won't be the last. "Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he said. ®
