Yesterday it was disclosed that a new high severity (CVSS score 7.2) vulnerability (CVE-2019-5736) was found in runc, that allows an attacker to potentially compromise the container host. Patches are already available from most providers (see below). Aqua customers can also prevent this vulnerability from being exploited by applying the appropriate runtime policies.
What is the vulnerability and what impact could it have?
This is a container escape vulnerability that is caused by runc, the container runtime piece used by many container platforms (including Docker, Kubernetes and OpenShift).
Runc is used by just about every container engine – it’s a fundamental component of basic Linux container implementations, it actually “runs” a given container and there is tight coupling between the features offered in runc and the Linux kernel. The vulnerability allows a malicious container to overwrite the host runc binary and gain root-level code execution capability on the host.
Although an exploit POC hasn’t been released yet, here at Aqua we created one that successfully exploits the vulnerability. The video below shows how it works to provide the attacker root access to the Linux host:
The vulnerability can be exploited through a container that runs as root. It cannot be exploited from the network – an actual malicious container will need to be executed on your system in order for this vulnerability to take effect. For a more in-depth walkthrough of how this works, read Brauner’s blog.
The ramifications of a successful exploit of this CVE are significant. An attacker who gains root access to the host can run their own malware on it, harvest additional credentials, and attempt to traverse the network to gain access to other hosts.
What can be done?
You should patch your systems with a new version of Docker and RunC. The following updates were published by the various vendors:
- Ubuntu - runc 1.0.0~rc4+dfsg1-6ubuntu0.18.10.1
- Debian - runc 0.1.1+dfsg1-2
- RedHat Enterprise Linux - docker 1.13.1-91.git07f3374.el7 (if SELinux is disabled)
- Amazon Linux - docker 18.06.1ce-7.25.amzn1.x86_64
- CoreOS - 2051.0.0
- Docker - 18.09.2
- Kubernetes advisory
Note that there is no need to patch your container images – you should only patch your hosts.
How can Aqua mitigate this vulnerability?
Aqua customers can mitigate the vulnerability and its risks using several Aqua capabilities:
Host Scanning:
The first step is to identify which hosts are vulnerable. Aqua does this by running a vulnerability scan of the host, which happens automatically on every host where an Aqua Enforcer is deployed.
Container Runtime Protection:
You can create a runtime protection policy that detects when a container with the potential of exploiting this vulnerability is executed. Some of the Aqua controls that can help here:
- Prevent the container from running the runc process. This can be done by adding the RunC process names to the container's blacklisted processes: /usr/bin/runc, /usr/bin/docker-runc, /usr/sbin/runc
- Prevent untrusted containers from running in your environment. All containers will need to pass a vulnerability assessment and should be signed and approved before being able to run.
- Prevent running containers with root user.
- Prevent running containers that share the host’s user namespace (meaning – only containers that run with the user namespace feature will be allowed to run).
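To make the three runtime controls above concrete, here is an added example (not Aqua's code, and not how the Aqua Enforcer is implemented) that evaluates container records against them: a blacklist of the runc process names listed above, a root-user check, and a check for a shared host user namespace. The user-namespace check reads the container's /proc/<pid>/uid_map: a container that shares the host's user namespace shows the identity mapping "0 0 4294967295", while a remapped container maps its uid 0 onto an unprivileged host range such as "0 100000 65536". The container records and the `ContainerRecord`, `audit` and `decide` names are constructed for the example.

```python
"""Audit container records against the runtime controls described in the post.

Added example, not Aqua's code. Records are constructed inline so it runs offline;
on a live host the uid, uid_map and process list would come from
/proc/<pid>/status, /proc/<pid>/uid_map and the process tree of each container.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Process names the post lists for the container process blacklist.
RUNC_BLACKLIST = {"/usr/bin/runc", "/usr/bin/docker-runc", "/usr/sbin/runc"}


@dataclass
class ContainerRecord:
    name: str
    uid: int                      # effective uid of the container's main process
    uid_map: str                  # contents of /proc/<pid>/uid_map
    processes: List[str] = field(default_factory=list)  # executables observed running


def shares_host_userns(uid_map: str) -> bool:
    """True when container uid 0 maps directly onto host uid 0.

    Each uid_map line is "<inside> <outside> <count>". Only the identity mapping
    of uid 0 matters here: it means container root is host root.
    """
    for line in uid_map.strip().splitlines():
        inside, outside, _count = (int(x) for x in line.split())
        if inside == 0 and outside == 0:
            return True
    return False


def audit(container: ContainerRecord) -> List[str]:
    """Return the list of policy violations for one container (empty if clean)."""
    findings = []
    blocked = sorted(set(container.processes) & RUNC_BLACKLIST)
    if blocked:
        findings.append("runs blacklisted runc binary: " + ", ".join(blocked))
    if container.uid == 0:
        findings.append("runs as root user")
    if shares_host_userns(container.uid_map):
        findings.append("shares host user namespace")
    return findings


def decide(findings: List[str], mode: str) -> str:
    """Map findings to an action: Audit mode only alerts, Enforce mode blocks."""
    if not findings:
        return "allow"
    return "block" if mode == "enforce" else "alert"


def audit_all(containers: List[ContainerRecord], mode: str = "audit") -> Dict[str, str]:
    """Return {container name: allow|alert|block} for a set of records."""
    return {c.name: decide(audit(c), mode) for c in containers}


# Constructed sample records: one compliant container, one that violates every control.
SAMPLE = [
    ContainerRecord("web", uid=1000, uid_map="0 100000 65536",
                    processes=["/usr/sbin/nginx"]),
    ContainerRecord("build", uid=0, uid_map="0 0 4294967295",
                    processes=["/bin/sh", "/usr/bin/docker-runc"]),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.name, audit(c), "->", decide(audit(c), "enforce"))
```

Run stand-alone it prints the findings for each constructed record; in Audit mode every violation is reported but the container keeps running, in Enforce mode the same findings map to a block decision, which mirrors the two policy modes described in the next paragraph.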
As you can see below – a single Aqua Runtime policy can monitor for all of these actions (when set to Audit mode) or prevent exploitation (when set to Enforce mode).
Aqua’s CVE lookup can show you all the vulnerable packages and distributions that are affected by this CVE:
We encourage our customers to take both actions: patch your systems, and implement the above controls in Aqua to ensure that no hosts remain vulnerable.