CVE-2019-5736 利用通用 runC 容器二进制文件逃逸到主机

CVE-2019-5736 allows for an escape to host attack in specific container configurations.

背景

A new vulnerability (CVE-2019-5736) was recently announced in runc, the runtime used by popular container platforms Docker and Kubernetes. The disclosure for this vulnerability details how a malicious container can escape its sandbox and execute arbitrary commands on the host. This attack does, however, come with some caveats, and isn’t exploitable in certain configurations that follow good security practices.

分析

In order to properly exploit this vulnerability, a malicious or compromised container would need to be deployed, and uid 0 would need to be mapped to that container. Docker has documentation for namespace configuration which, with proper application, prevents this attack from being exploitable on vulnerable hosts. The malicious container then either runs commands as root or piggybacks off an administrator running any other unrelated commands as root to exploit the host.

Many organizations use third-party prepackaged containers to solve business needs. An attacker could compromise one of these prepackaged containers with malicious code, or they could craft a malicious container that advertises itself as fulfilling some other needed enterprise function. This is the most likely way an external threat actor would be able to deploy a rogue container into an enterprise environment.

解决方案

Red Hat, Debian, Amazon Web Services (AWS), Google Cloud Platform (GCP), Docker, NVIDIA, and Kubernetes have published blogs or security advisories that include information about the vulnerability as well as the availability of security updates for this vulnerability. Building containers in a development environment, and scanning and securing them before production deployment will reduce the likelihood of inadvertently deploying malicious images. Also avoid using images running as root whenever possible to minimize risk.

The disclosure by the researchers includes the following mitigations:

• Setting SELinux to enforcing mode on containers prevents them from being able to overwrite the host runc binary (Note that researchers discovered that this does not work for Fedora based hosts.)
• If the host runc binary is set to read only, a malicious container wouldn’t be able to overwrite and exploit it.
• A low privileged user inside the container or a new user namespace with uid 0 mapped to that user removes write access to the runc binary on the host.

识别受影响的系统

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

获取更多信息

• CVE-2019-5736
• Dragon Sector Disclosure
• Docker Namespace Documentation
• Linux Namespace Explanation
• Red Hat Update Information
• Debian Update Information
• Amazon/AWS Update Information
• Google Update Information
• Docker Update Information
• Nvidia Update Information
• Kubernetes Update Information

加入 Tenable Community 中的 Tenable 安全响应团队

了解有关 Tenable 这款首创 Cyber Exposure 平台的更多信息，全面管理现代攻击面。

Get a free 60-day trial of Tenable.io Vulnerability Management.