Oh no, you're thinking, yet another cookie pop-up. Well, sorry, it's the law. We measure how many people read us, and ensure you see relevant ads, by storing cookies on your device. If you're cool with that, hit “Accept all Cookies”. For more info and to customize your settings, hit “Customize Settings”.

Review and manage your consent

Here's an overview of our use of cookies, similar technologies and how to manage them. You can also change your choices at any time, by hitting the “Your Consent Options” link on the site's footer.

Manage Cookie Preferences
  • These cookies are strictly necessary so that you can navigate the site as normal and use all features. Without these cookies we cannot provide you with the service that you expect.

  • These cookies are used to make advertising messages more relevant to you. They perform functions like preventing the same ad from continuously reappearing, ensuring that ads are properly displayed for advertisers, and in some cases selecting advertisements that are based on your interests.

  • These cookies collect information in aggregate form to help us understand how our websites are being used. They allow us to count visits and traffic sources so that we can measure and improve the performance of our sites. If people say no to these cookies, we do not know how many people have visited and we cannot monitor performance.

See also our Cookie policy and Privacy policy.

This article is more than 1 year old

Patch this run(DM)c Docker flaw or you be illin'... Tricky containers can root host boxes. It's like that – and that's the way it is

'Doomsday scenario' unless devops crowd walks this way

Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, has disclosed a serious vulnerability affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

"While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies...and that’s exactly what this vulnerability represents," said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.

The flaw, designated CVE-2019-5736, was found by open source security researchers Adam Iwaniuk and Borys Popławski.

"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," said Sarai in a post to the OpenWall mailing list.

The attack involves replacing the target binary in the container with one that refers back to the runc binary. This can be done by attaching a privileged container (connecting it to the terminal) or starting it with a malicious image and making it execute itself.

But the Linux kernel normally would not allow the runc binary on the host to be overwritten while runc is executing.

"To overcome this, the attacker can instead open a file descriptor to /proc/self/exe using the O_PATH flag and then proceed to reopen the binary as O_WRONLY through /proc/self/fd/<nr> and try to write to it in a busy loop from a separate process," Sarai explains. "Ultimately it will succeed when the runc binary exits."

The attacker can then run any command as root within a container and can take over the container host.

Elderly woman and man holding a cardboard container

Docker invites elderly Windows Server apps to spend remaining days in supervised care

READ MORE

Sarai, one of the maintainers of runc, has pushed a git commit to fix the flaw, but all the projects built atop runc need to incorporate the changes. He also found that a variation of the flaw affects LXC, a Linux containerization tool that predates Docker, and that too has been patched.

Docker has just released v18.09.2 which fixes the flaw. Red Hat says default configurations of Red Hat Enterprise Linux as well as Red Hat OpenShift are protected but has mitigation advice for those who need to update. Rancher, maker of open source Kubernetes management software, has published a patching script for legacy versions of Docker.

Linux distributions Debian and Ubuntu are working on fixes. AWS and Google Cloud have posted security notices advising customers to update containers on a variety of affected services.

McCarty says this isn't the first major container runtime flaw and it won't be the last. "Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he said. ®

 

Similar topics

TIP US OFF

Send us news


Other stories you might like