Enterprises have been urged to patch a serious flaw in runc, the default runtime for Docker and Kubernetes, and ensure they have SELinux enabled.
Aleksa Sarai — one of the maintainers for runc — made the initial announcement on Tuesday, attributing the discovery to researchers Adam Iwaniuk and Borys Poplawski. The runc runtime also supports containerd, Podman, CRI-O and countless other container offerings.
“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai.
“The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image; attaching (docker exec) into an existing container which the attacker had previous write access to.”
Red Hat senior principal product manager for containers, Scott McCarty, described this as a “bad scenario” for IT managers and CXOs.
“Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” he added.
“A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.”
However, organizations with SELinux enabled, as it is by default in Red Hat, will be safe, he confirmed.
“This vulnerability (CVE-2019-5736) demonstrates that container security is Linux security. The same steps that must be taken to better secure a Linux system need to be taken with container hosts and images, preferably by constructing layers of defense,” McCarty continued. “In this particular case, SELinux mitigates the escape and buys users valuable time to patch and shows just how important the selection of each layer of your container environment can be, from Kubernetes orchestration with OpenShift down to the Linux kernel in Red Hat Enterprise Linux.”
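Because the flaw Sarai describes ends with the host's runc binary being overwritten, and because McCarty names SELinux enforcement as the mitigation that buys time to patch, a host-side posture check covers both points. The script below is an added example written for this article, not code from runc, Red Hat or the researchers; the binary path, the baseline digest and the SELinux enforce file are assumptions or placeholders supplied by the operator.

```shell
#!/bin/sh
# Posture check for the runc overwrite flaw (CVE-2019-5736) on a container host.
# Added example: paths and the baseline digest are operator-supplied assumptions.

# SHA-256 of a file, using whichever tool the host provides.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi \
    | cut -d' ' -f1
}

# Compare the host runc binary against a digest recorded right after patching.
# Returns 0 if unchanged, 1 if the digest differs, 2 if the binary is missing.
runc_unchanged() {
  bin="$1"; baseline="$2"
  [ -f "$bin" ] || return 2
  [ "$(digest "$bin")" = "$baseline" ]
}

# Read the SELinux mode from the kernel's enforce file ("1" = enforcing).
# The default path is the usual Linux location; a test can pass another file.
selinux_enforcing() {
  f="${1:-/sys/fs/selinux/enforce}"
  [ -r "$f" ] || return 2
  [ "$(cat "$f")" = "1" ]
}

# One-line verdict combining both checks, suitable for a monitoring cron job.
posture() {
  bin="$1"; baseline="$2"; enforce_file="$3"
  if runc_unchanged "$bin" "$baseline"; then r="runc:ok"; else r="runc:MODIFIED_OR_MISSING"; fi
  if selinux_enforcing "$enforce_file"; then s="selinux:enforcing"; else s="selinux:NOT_ENFORCING"; fi
  echo "$r $s"
}
```

Re-record the baseline after every legitimate runc update, otherwise the patch itself reads as tampering; on RPM or Debian hosts `rpm -V runc` or `dpkg --verify` gives an equivalent package-level check.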
The same vulnerability also affects LXC and Apache Mesos containers, meaning virtually any organization running containers should get patching urgently.
“This isn’t the first major flaw in a container runtime to come to light and, as container deployments and interest in associated technologies increase, it’s unlikely to be the last,” said McCarty.
“Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well.”