Runc Docker Vulnerability

Today, two security researchers disclosed a vulnerability in the Runc utility used within containerization technology such as Docker. The vulnerability allows malicious code within a container to execute code on the host system as root. At the time of this writing there is no patch.


On February 11, 2019, security researchers Adam Iwaniuk and Borys Popławski responsibly disclosed a vulnerability in Runc, the standard utility for spawning and running containers in Docker, containerd, Podman, and CRI-O, that allows malicious containers to break out of the container and gain root-level access on the host machine. This has been assigned CVE-2019-5736.

Containers are micro virtual machines that run on Linux and are quickly becoming a popular technology, especially in DevOps environments, because they make it very easy to provision and deprovision computer capacity to meet demand.

At the time of release, Shodan scans indicated about 4,000 Docker daemons are exposed to this vulnerability. Red Hat, SuSE, Amazon, and other major Linux vendors and cloud providers have released updates to patch the vulnerability.

Runc maintainer and SuSE employee Aleksa Sarai published exploit code on February 19, 2019, a week after releasing the patch.

It is possible to run Docker under other operating systems, including Windows and IBM z/OS. Other operating systems provide the equivalent functionality through other means so they are not exposed to this specific vulnerability.

Technical Overview

To exploit this vulnerability, an attacker deploys a malicious container on a machine; the container in turn overwrites the runc binary on the host, leading to a sandbox escape with root-level privileges on the host machine. This can allow the attacker to run commands as root on the host machine and in any containers he or she previously had access to, and to spawn new containers. Since many administrators deploy containers by copying another container, it is easy for legitimate system administrators to spread the attack inadvertently.

Because of how the container processes run, the vulnerability is not blocked by default protections such as AppArmor policies or SELinux policies on Fedora. It is, however, blocked by the correct use of user namespaces, where the host root is not mapped into a container’s user namespace.

Potential Impact

Since the attacker gains root access on the host machine, the potential impact is nearly limitless, including but not limited to loss or destruction of data, system outages, and malicious code running on your systems.

What You Should Do

There are several mitigations besides patching to help prevent this attack.

  • Scan your Linux hosts, including cloud-based systems, for CVE-2019-5736
  • Deploy the update for CVE-2019-5736 before February 18, 201
  • Don’t run containers as root
  • Don’t map root into the container’s user namespace
  • Deploy SELinux (general guidance)

Performing the last three mitigations should be considered a best practice, even after the patch is deployed, to mitigate similar attacks in the future. Setting up Docker containers to run as root or with root in their user namespace are both common practices, but security researchers recommend against both.
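The user-namespace mitigation can be checked per container process by reading its `/proc/<pid>/uid_map`. The Python below is an added example, not code from the original advisory or from the runc project. Its function names and sample maps are constructed for illustration, and `audit_pid` assumes it is run from the host's initial user namespace.

```python
"""Check whether a container process's user namespace maps host root."""
from pathlib import Path

# Constructed samples in /proc/<pid>/uid_map format:
# "<first ID inside ns> <first ID outside ns> <range length>"
SAMPLE_NO_USERNS = "         0          0 4294967295\n"  # no remapping at all
SAMPLE_REMAPPED = "         0     100000      65536\n"   # container root -> host uid 100000
SAMPLE_PARTIAL = "0 100000 1000\n1000 0 1\n"             # host root appears as uid 1000


def parse_uid_map(text):
    """Return the mapping as a list of (inside_start, outside_start, length)."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        ranges.append(tuple(int(f) for f in fields))
    return ranges


def host_uid(container_uid, ranges):
    """Translate a uid inside the namespace to the uid outside it, or None."""
    for inside, outside, length in ranges:
        if inside <= container_uid < inside + length:
            return outside + (container_uid - inside)
    return None


def maps_host_root(ranges):
    """True if any uid inside the namespace corresponds to host uid 0."""
    return any(outside == 0 and length > 0 for _, outside, length in ranges)


def audit(uid_map_text):
    """Summarise the exposure described by one uid_map."""
    ranges = parse_uid_map(uid_map_text)
    return {
        "container_root_is_host_root": host_uid(0, ranges) == 0,
        "host_root_mapped": maps_host_root(ranges),
    }


def audit_pid(pid):
    """Audit a live process (assumes the caller is in the host's initial namespace)."""
    return audit(Path(f"/proc/{pid}/uid_map").read_text())


if __name__ == "__main__":
    for name, sample in [("no userns", SAMPLE_NO_USERNS), ("remapped", SAMPLE_REMAPPED)]:
        print(name, audit(sample))
```

A result with `host_root_mapped` set to `True` means the mitigation "Don’t map root into the container’s user namespace" is not in effect for that process.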

Deepwatch will provide additional information to protect its customers and others if and when it becomes available.

Supporting Information

