A severe vulnerability has been detected in the container runtime runc. The vulnerability allows a malicious container to gain root-level code execution on the host. The only user interaction required is that any command (it does not need to be attacker-controlled) is run as root within a container in either of the following contexts:
- Creating a new container using an attacker-controlled image.
- Attaching (docker exec) to an existing container to which the attacker previously had write access.
This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container’s user namespace).
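The user-namespace condition above can be checked from the inside. The following script is an added example, not code from this advisory or from the runc project: it reads the kernel's `/proc/<pid>/uid_map` (each line is `<ns_start> <host_start> <count>`, so host uid 0 is mapped exactly when some line has `host_start` 0 and a count of at least 1) and reports whether host root is mapped into the container's user namespace, and it inspects a Docker `daemon.json` for the real `userns-remap` key that gives containers a remapped namespace. The two `daemon.json` files it writes are constructed samples; the function and file names are the example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or the runc project): determine whether
# host root is mapped into a container's user namespace, the condition under
# which the advisory says the escape is NOT blocked.
#
# /proc/<pid>/uid_map lines read "<ns_start> <host_start> <count>": container
# uids [ns_start, ns_start+count) correspond to host uids
# [host_start, host_start+count). A stock Docker container shows
# "0 0 4294967295" (host root mapped); with userns-remap it shows something
# like "0 100000 65536" (host root not mapped).

# uid_map_maps_host_root: reads uid_map text on stdin; exit 0 if host uid 0
# falls inside any mapping, exit 1 otherwise.
uid_map_maps_host_root() {
  while read -r ns_start host_start count; do
    [ -z "$ns_start" ] && continue          # skip blank lines
    if [ "$host_start" -eq 0 ] && [ "$count" -ge 1 ]; then
      return 0
    fi
  done
  return 1
}

# container_userns_status [PID]: prints "host-root-mapped" or "remapped" for
# the given process (default: the calling shell itself).
container_userns_status() {
  pid=${1:-self}
  if uid_map_maps_host_root < "/proc/$pid/uid_map"; then
    echo host-root-mapped
  else
    echo remapped
  fi
}

# daemon_json_enables_userns_remap FILE: exit 0 when Docker's daemon.json sets
# "userns-remap" to a non-empty value, exit 1 otherwise (no key, or "").
daemon_json_enables_userns_remap() {
  grep -Eq '"userns-remap"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"
}

# Constructed sample configurations, written to a temporary directory:
# weak.json leaves every container sharing the host's uid space,
# fixed.json turns on user-namespace remapping for all containers.
demo_dir=$(mktemp -d)
printf '{\n  "log-driver": "json-file"\n}\n' > "$demo_dir/weak.json"
printf '{\n  "userns-remap": "default"\n}\n' > "$demo_dir/fixed.json"

for f in weak.json fixed.json; do
  if daemon_json_enables_userns_remap "$demo_dir/$f"; then
    echo "$f: userns-remap enabled (host root not mapped into containers)"
  else
    echo "$f: userns-remap NOT enabled (host root mapped into containers)"
  fi
done

# Report on the current process when running on a Linux host.
if [ -r /proc/self/uid_map ]; then
  echo "this process: $(container_userns_status)"
fi
rm -rf "$demo_dir"
```

Run the script inside a container to classify that container, or point `container_userns_status` at a container's PID from the host. A "remapped" result means the host root is outside the container's user namespace, which is the configuration the advisory describes as blocking the escape; it does not remove the need to patch runc.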
Severity
Critical
CVE Number
CVE-2019-5736
Impacted Platforms
- All directly hosted services and SaaS or PaaS solutions that use runc; these will need to be patched.
- Red Hat, Debian, LXC and Ubuntu
- Amazon Products
  - Amazon Linux running Docker
  - Some Amazon ECS Optimized AMIs
  - Amazon Elastic Container Service for Kubernetes (Amazon EKS)
  - AWS Fargate
  - AWS IoT Greengrass
  - AWS Batch
  - AWS Elastic Beanstalk
  - AWS Cloud9
  - AWS SageMaker
  - AWS RoboMaker
  - AWS Deep Learning AMI
- Google Kubernetes Engine (GKE) nodes running Ubuntu
Recommended actions
- Patch as soon as possible once updates and mitigations become available from application vendors
- If you are consuming any SaaS solutions hosted in Amazon or Google, ask your SaaS provider how they are addressing this vulnerability
- Backported patches for the older runc versions packaged with Docker can be found in the runc GitHub repository
- Contact security@ubc.ca if you have any questions
More information
- News article: https://www.securityweek.com/container-escape-flaw-hits-aws-google-cloud-linux-distros
- runc: https://github.com/opencontainers/runc
- US-CERT Advisory: https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability
- runc Security Advisory: https://www.openwall.com/lists/oss-security/2019/02/11/2
- Red Hat Blog Post: https://www.redhat.com/en/blog/it-starts-linux-how-red-hat-helping-counter-linux-container-security-flaws
- Google Kubernetes Engine Security Bulletins: https://cloud.google.com/kubernetes-engine/docs/security-bulletins
- Amazon Web Services Blog Post: https://aws.amazon.com/security/security-bulletins/AWS-2019-002/