Major Flaw in Runc Poses Mass Container Takeover Risk


Attackers Could 'Break Out' via Runc Flaw to Compromise All Containers on Host
Jeremy Kirk • February 12, 2019
Photo: Ian Brown via Flickr/CC

A slew of technology giants have issued fixes for a dangerous vulnerability that could allow a malicious container to "break out" and gain root control of a host system. The emergency updates from the likes of Red Hat, Google and Amazon demonstrate that while containers are a popular and increasingly used computing resource, any underlying flaws pose a serious data security risk.


Containers are a standardized way to package application code, configurations and dependencies into a single deployable unit, the container image. "Containers share an operating system installed on the server and run as resource-isolated processes, ensuring quick, reliable and consistent deployments, regardless of environment," according to Amazon Web Services.

But a flaw, CVE-2019-5736, has been found in runc, the lightweight command-line tool that spawns and runs containers underneath most container engines. An attacker who can get a malicious container running on a host could exploit it to execute arbitrary code on that host as root.


In other words, the knock-on effects of this vulnerability, should anyone successfully exploit it, could be severe, writes Scott McCarty, Red Hat's technical product manager for the container subsystem team.

"A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that's exactly what this vulnerability represents," he writes.

"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," McCarty writes.

Root-Level Code Execution

Runc is used across many of the popular container platforms, including Docker, CRI-O, containerd and Kubernetes, says Aleksa Sarai, one of the maintainers of runc and a senior software engineer with SUSE Linux GmbH. Sarai says the runc flaw also affects LXC, and Apache Mesos has said that it too is affected.

Credit for discovering the flaw goes to security researchers Adam Iwaniuk and Borys Poplawski, Sarai says.

"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," Sarai writes.


To mount an attack, a malicious container has to be running on the host, either because the attacker supplied the image or because the attacker already controls a process inside a container that a host user then attaches to; that is the "minimal user interaction" Sarai refers to. Containers whose root is not the host's root are not affected: that includes containers that run as a non-root user, and containers in which user namespaces remap the container's UID 0 to an unprivileged UID on the host, which Sarai notes blocks the exploit.

Sarai published a patch as well as generic exploit code that he says vendors requested to ensure customized patches are effective. More specific exploit code will be released on Feb. 18, he says.

Meanwhile, here's what users of specific services need to do:

Amazon: In a security advisory, Amazon says most administrators don't need to take any action, with the exception of users of 11 specific Amazon Web Services offerings. Some of those services may require tweaks, such as launching new instances or following other specifics that are detailed in the advisory.

Red Hat: McCarty of Red Hat says the flaw likely won't affect many of its customers, as SELinux - short for security-enhanced Linux - running in targeted enforcing mode would prevent the flaw from being exploited. Red Hat also issued an advisory.

Google: In its advisory, Google writes that "Kubernetes Engine (GKE) Ubuntu nodes are affected by these vulnerabilities, and we recommend that you upgrade to the latest patch version as soon as possible, as we detail below."

Docker: The same advice applies to popular containerization vendor Docker. It issued an update on Monday - version 18.09.2 - that includes a patch for the flaw.
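As an added example, not code from the article, from the runc project or from any vendor advisory, the following POSIX shell script performs the host-side triage that the vendor notes above and the mitigation described earlier imply: is the Docker Engine at or past the 18.09.2 release the article names, is SELinux enforcing as Red Hat describes, and which running containers have an init process that is UID 0 as seen from the host (the exposed case; a container whose root is remapped through user namespaces shows a non-zero host UID and is not listed). The `docker` and `getenforce` invocations and the `/proc/<pid>/status` parsing are assumptions about a typical Linux Docker host; the sample status fragments are constructed for the example. Distributions that backport the runc fix into older Docker release lines will show as unpatched here and should be checked against their own advisory.

```shell
#!/bin/sh
# CVE-2019-5736 host triage (example written for this article, not vendor code).
# Checks: Docker Engine version >= 18.09.2, SELinux enforcing, and which
# running containers have an init process that is UID 0 as the host sees it.

# version_ge A B: exit 0 when dotted numeric version A is >= B, field by field.
version_ge() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    ai="${a%%.*}"; bi="${b%%.*}"
    if [ "$ai" = "$a" ]; then a=""; else a="${a#*.}"; fi
    if [ "$bi" = "$b" ]; then b=""; else b="${b#*.}"; fi
    ai="${ai:-0}"; bi="${bi:-0}"
    if [ "$ai" -gt "$bi" ]; then return 0; fi
    if [ "$ai" -lt "$bi" ]; then return 1; fi
  done
  return 0
}

# docker_patched VER: exit 0 when a Docker Engine version string such as
# "18.09.1", "18.09.2-ce" or "v19.03.5" is at least 18.09.2, the release the
# article names as carrying the runc fix. Caveat: older release lines with a
# vendor-backported fix are reported as unpatched; consult that vendor's advisory.
docker_patched() {
  v=$(printf '%s\n' "$1" | sed 's/^v//; s/[^0-9.].*$//')
  version_ge "$v" "18.09.2"
}

# selinux_enforcing: exit 0 when getenforce reports Enforcing. Red Hat says its
# default targeted policy in enforcing mode blocks exploitation.
selinux_enforcing() {
  command -v getenforce >/dev/null 2>&1 || return 1
  [ "$(getenforce 2>/dev/null)" = "Enforcing" ]
}

# uid_from_status: read /proc/<pid>/status text on stdin, print the real UID.
# For a containerized process this is the UID as the host sees it, so a
# container root remapped through user namespaces prints a non-zero value.
uid_from_status() {
  awk '/^Uid:/ { print $2; exit }'
}

# Constructed sample /proc/<pid>/status fragments (not captured from a host):
# one container running as host root, one with user-namespace remapping.
SAMPLE_STATUS_ROOT='Name: sh
Uid: 0 0 0 0
Gid: 0 0 0 0'
SAMPLE_STATUS_REMAPPED='Name: sh
Uid: 100000 100000 100000 100000
Gid: 100000 100000 100000 100000'

# root_containers: print IDs of running containers whose init process is UID 0
# on the host; these are the containers the article describes as exposed.
root_containers() {
  command -v docker >/dev/null 2>&1 || return 0
  for id in $(docker ps -q 2>/dev/null); do
    pid=$(docker inspect -f '{{.State.Pid}}' "$id" 2>/dev/null) || continue
    [ -r "/proc/$pid/status" ] || continue
    if [ "$(uid_from_status < "/proc/$pid/status")" = "0" ]; then echo "$id"; fi
  done
}

# main: run the live checks on this host. Invoke as: sh runc_check.sh --run
main() {
  if command -v docker >/dev/null 2>&1; then
    dv=$(docker version -f '{{.Server.Version}}' 2>/dev/null || echo unknown)
    if docker_patched "$dv"; then
      echo "docker $dv: at or past 18.09.2"
    else
      echo "docker $dv: UPDATE (below 18.09.2, or verify a vendor backport)"
    fi
    for id in $(root_containers); do echo "container running as host root: $id"; done
  else
    echo "docker not found; check your container runtime vendor's advisory"
  fi
  if selinux_enforcing; then echo "SELinux: enforcing"; else echo "SELinux: not enforcing"; fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it with `sh runc_check.sh --run` on each container host. A container listed by `root_containers` is the case the article calls exposed until the engine is updated; a host where the version check passes but containers still run as host root is patched, not hardened, so the user-namespace or non-root mitigation remains worth applying against the next runtime flaw.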

Containers Are Targets

This isn't the first time a major flaw has been found in a container runtime and it's unlikely to be the last, especially as container popularity keeps rising, McCarty writes.

"Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like Docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he writes.

In December 2018, a security researcher revealed a severe vulnerability in Kubernetes, which is popular open-source software for managing Linux applications deployed within containers. The privilege escalation flaw could allow an attacker to steal data or disrupt production applications. In response, Kubernetes service providers rushed to put fixes into place (see Kubernetes Alert: Security Flaw Could Enable Remote Hacking).

Executive Editor Mathew Schwartz also contributed to this report.