Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is

'Doomsday scenario' unless devops crowd walks this way

By Thomas Claburn in San Francisco


Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.

The flaw, designated CVE-2019-5736, was found by open source security researchers Adam Iwaniuk and Borys Popławski.

"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," said Sarai in a post to the OpenWall mailing list.

The attack involves replacing the target binary in the container with one that refers back to the runc binary. This can be done either by attaching to a privileged container (connecting a terminal to it) or by starting a container from a malicious image and having it execute itself.

But the Linux kernel normally would not allow the runc binary on the host to be overwritten while runc is executing.

"To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as O_WRONLY through /proc/self/fd/<nr> and try to write to it in a busy loop from a separate process," Sarai explains. "Ultimately it will succeed when the runc binary exits."

The attacker can then run any command as root within a container and can take over the container host.

Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.

Docker has just released v18.09.2, which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected, and has published mitigation advice for those who still need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.
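A host-side check for the two facts the article gives a defender to act on: whether the local Docker engine is at least the v18.09.2 release that carries the fix, and whether the on-disk runc binary still matches what the package manager installed (an overwritten binary is the end state of the technique described above). This is an added example, not code from the article, from Docker or from the runc project; the fixed-version constant comes from the article, and the package-manager check assumes the `rpm -V`/`dpkg -V` output format in which a `5` in the third column marks a digest mismatch.

```shell
#!/bin/sh
# Added example: check a Docker host against the CVE-2019-5736 fix.
# Assumption (from the article): Docker v18.09.2 is the first engine release with the fix.
FIXED_DOCKER_VERSION="18.09.2"

# version_ge A B -> exit 0 if dotted version A >= B, comparing components numerically.
# Non-numeric suffixes such as "-ce" or "+ubuntu" are ignored; missing components count as 0.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=${a%%.*}; [ "$ca" = "$a" ] && a="" || a=${a#*.}
        cb=${b%%.*}; [ "$cb" = "$b" ] && b="" || b=${b#*.}
        ca=$(printf '%s' "$ca" | sed 's/[^0-9].*//'); ca=${ca:-0}
        cb=$(printf '%s' "$cb" | sed 's/[^0-9].*//'); cb=${cb:-0}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
    done
    return 0
}

# docker_patched VERSION -> exit 0 if this engine version includes the CVE-2019-5736 fix.
docker_patched() {
    version_ge "$1" "$FIXED_DOCKER_VERSION"
}

# running_docker_version -> prints the local daemon's server version, or fails if unavailable.
running_docker_version() {
    command -v docker >/dev/null 2>&1 || return 1
    docker version --format '{{.Server.Version}}' 2>/dev/null
}

# runc_binary_verified -> 0 if the installed runc matches the package manager's
# recorded digest, 1 if it has been modified, 2 if it cannot be checked.
# Assumption: rpm -V / dpkg -V report a digest mismatch with '5' in column 3.
runc_binary_verified() {
    bin=$(command -v runc || command -v docker-runc) || return 2
    if command -v rpm >/dev/null 2>&1; then
        rpm -Vf "$bin" 2>/dev/null | grep -q '^..5' && return 1
        return 0
    elif command -v dpkg >/dev/null 2>&1; then
        pkg=$(dpkg -S "$bin" 2>/dev/null | cut -d: -f1)
        [ -n "$pkg" ] || return 2
        dpkg -V "$pkg" 2>/dev/null | grep -q '^..5' && return 1
        return 0
    fi
    return 2
}

# Stand-alone use: report on the local host.
if v=$(running_docker_version) && [ -n "$v" ]; then
    if docker_patched "$v"; then
        echo "docker $v: includes the CVE-2019-5736 fix"
    else
        echo "docker $v: update to $FIXED_DOCKER_VERSION or later"
    fi
else
    echo "docker daemon not reachable; skipping engine version check"
fi
runc_binary_verified; rc=$?
case $rc in
    0) echo "runc binary matches package manager digest" ;;
    1) echo "runc binary DIFFERS from package manager digest: investigate" ;;
    *) echo "runc binary could not be verified (no rpm/dpkg record)" ;;
esac
```

The version comparison is deliberately component-wise rather than a string compare, so that `19.03.5` and `18.9.2` are both accepted while `18.06.3-ce` is not; the integrity check is only meaningful where runc came from a distribution package, which is why the unverifiable case is reported separately from a mismatch.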

Linux distributions Debian and Ubuntu are working on fixes. AWS and Google Cloud have posted security notices advising customers to update containers on a variety of affected services.

McCarty says this isn't the first major container runtime flaw and it won't be the last. "Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he said. ®
