The vulnerability, identified as CVE-2019-5736, was discovered by open source security researchers Adam Iwaniuk and Borys Popławski and publicly disclosed by Aleksa Sarai, a senior software engineer and runC maintainer at SUSE Linux GmbH on Monday.
The flaw resides in runC—a lightweight low-level command-line tool for spawning and running containers, an operating-system-level virtualization method for running multiple isolated systems on a host using a single kernel.
Though researchers have not yet released full technical details of the flaw to give people time to patch, the Red Hat advisory says the “flaw was found in the way runC handled system file descriptors when running containers.”
Thus, a specially-crafted malicious container or an attacker having root access to a container could exploit this flaw (with minimal user interaction) to gain administrative privileges on the host machine running the container, eventually compromising the hundreds-to-thousands of other containers running on it.
For root access to the container, the attacker has to either:
- create a new container using an attacker-controlled image, or
- attach (docker exec) into an existing container which the attacker had previous write access to.
“A malicious container [then] could use this flaw to overwrite contents of the runC binary and consequently run arbitrary commands on the container host system,” the advisory states.
The vulnerability can be mitigated if SELinux in targeted enforcing mode is enabled, which is default on RedHat Enterprise Linux, CentOS, and Fedora.
The maintainers of runC have published a git commit to resolving the security flaw, but all the projects built atop runC need to incorporate the patches in their products.
The creator of the open-source Kubernetes management software, has also published a patching script for legacy versions of Docker.
Consider yourself vulnerable and upgrade to an image with a fixed version of runC as soon as it is available to prevent cyber attacks.