Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is

'Doomsday scenario' unless devops crowd walks this way


Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies ... and that's exactly what this vulnerability represents," said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.

The flaw, designated CVE-2019-5736, was found by open source security researchers Adam Iwaniuk and Borys Popławski.

"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," said Sarai in a post to the OpenWall mailing list.

The attack involves replacing the target binary inside the container with one that refers back to the runc binary. This can be done either by attaching to a privileged container (connecting a terminal to it) or by starting a container from a malicious image and making it execute the swapped-in binary.

But the Linux kernel normally would not allow the runc binary on the host to be overwritten while runc is executing.

"To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as O_WRONLY through /proc/self/fd/<nr> and try to write to it in a busy loop from a separate process," Sarai explains. "Ultimately it will succeed when the runc binary exits."

The attacker can then run any command as root within a container and can take over the container host.


Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.
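The defence the upstream fix takes is to stop /proc/self/exe from pointing at the host binary at all: before entering the container, runc copies itself into an anonymous, sealed memfd and re-executes from that copy, so a reopen of /proc/self/exe reaches only an immutable in-memory file. The following is an added illustration of that technique, written for this page rather than taken from runc; the function names, the temp-file stand-in for a binary and the fixed buffer size are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/syscall.h>
#include <unistd.h>
#ifndef F_ADD_SEALS /* Linux ABI values (linux/fcntl.h) if libc did not export them */
#define F_ADD_SEALS 1033
#define F_GET_SEALS 1034
#define F_SEAL_SEAL 0x1
#define F_SEAL_SHRINK 0x2
#define F_SEAL_GROW 0x4
#define F_SEAL_WRITE 0x8
#endif
#define ALL_SEALS (F_SEAL_SEAL | F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE)

/* Copy the file at `path` into an anonymous memfd and seal it. A runtime that
 * fexecve()s the returned fd runs from this copy, so /proc/self/exe names the
 * sealed memfd, not the on-disk binary. Returns the sealed fd, or -1 on error. */
int sealed_copy_of(const char *path)
{
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    int mfd = (int)syscall(SYS_memfd_create, "sealed-exe", 3U /* MFD_CLOEXEC|MFD_ALLOW_SEALING */);
    if (mfd < 0) { close(src); return -1; }
    char buf[4096]; ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0)
        if (write(mfd, buf, (size_t)n) != n) { n = -1; break; }
    close(src);
    /* Seals are permanent: F_SEAL_WRITE refuses writes, F_SEAL_SEAL refuses unsealing. */
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, ALL_SEALS) < 0) { close(mfd); return -1; }
    return mfd;
}

/* Self-test on a constructed stand-in for a binary: 1 if the sealed copy carries
 * all four seals and a write attempt on it is refused with EPERM, else 0. */
int seal_self_test(void)
{
    char path[] = "/tmp/sealdemo-XXXXXX";
    const char body[] = "#!/bin/sh\necho constructed sample binary\n";
    int src = mkstemp(path);
    int ok = src >= 0 && write(src, body, sizeof body) == (ssize_t)sizeof body;
    if (src >= 0) close(src);
    int fd = ok ? sealed_copy_of(path) : -1;
    unlink(path);
    if (fd < 0) return 0;
    ok = (fcntl(fd, F_GET_SEALS) & ALL_SEALS) == ALL_SEALS
         && pwrite(fd, "x", 1, 0) < 0 && errno == EPERM;
    close(fd);
    return ok;
}
```

The busy-loop write described by Sarai targets whatever /proc/self/exe resolves to; once that is a sealed memfd, the write fails with EPERM and the host binary is never touched.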

Docker has just released v18.09.2, which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux as well as Red Hat OpenShift are protected, but has mitigation advice for those who need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.

Linux distributions Debian and Ubuntu are working on fixes. AWS and Google Cloud have posted security notices advising customers to update containers on a variety of affected services.

McCarty says this isn't the first major container runtime flaw and it won't be the last. "Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he said. ®
