Major Flaw in Runc Poses Mass Container Takeover Risk
Attackers Could 'Break Out' via Runc Flaw to Compromise All Containers on Host
Several technology giants have issued fixes for a dangerous vulnerability that could allow a malicious container to "break out" and gain root control of a host system. The emergency updates from Red Hat, Google, Amazon and others demonstrate that while containers are an increasingly used computing resource, any underlying flaws pose a serious data security risk.
Containers refer to a standardized way to package application code, configurations and dependencies into what's known as an object. "Containers share an operating system installed on the server and run as resource-isolated processes, ensuring quick, reliable and consistent deployments, regardless of environment," according to Amazon Web Services.
But a flaw, CVE-2019-5736, has been found in runc, a lightweight tool for spawning and running containers. The flaw could be exploited by a remote attacker to execute arbitrary code in the environment.
In other words, the knock-on effects of this vulnerability, should anyone successfully exploit it, could be severe, writes Scott McCarty, Red Hat's technical product manager for the container subsystem team.
"A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that's exactly what this vulnerability represents," he writes. "Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds to thousands of other containers running on it."
Root-Level Code Execution
Runc is used across many of the popular container platforms, including Docker, cri-o, containerd and Kubernetes, says Aleksa Sarai, one of the maintainers of runc and a senior software engineer with SUSE Linux GmbH. Sarai says the runc flaw also affects LXC, and Apache Mesos has said that it, too, is affected.
Credit for discovering the flaw goes to security researchers Adam Iwaniuk and Borys Poplawski, Sarai says.
"The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," Sarai writes.
In order to mount an attack, a malicious container would have to be deployed. Containers that aren't running as root are not affected.
Sarai published a patch as well as generic exploit code that he says vendors requested to ensure customized patches are effective. More specific exploit code will be released on Feb. 18, he says.
Meanwhile, here's what users of specific services need to do:
- Amazon: In a security advisory, Amazon says most administrators don't need to take any action, with the exception of users of 11 specific Amazon Web Services offerings. Some of those services may require tweaks, such as launching new instances or following other specifics that are detailed in the advisory.
- Red Hat: McCarty of Red Hat says the flaw likely won't affect many of its customers, because SELinux - short for security-enhanced Linux - running in targeted enforcing mode would prevent the flaw from being exploited. Red Hat also issued an advisory.
- Google: In its advisory, Google writes that "Kubernetes Engine (GKE) Ubuntu nodes are affected by these vulnerabilities, and we recommend that you upgrade to the latest patch version as soon as possible, as we detail below."
- Docker: The same advice applies to popular containerization vendor Docker. It issued an update on Monday - version 18.09.2 - that includes a patch for the flaw.
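As an added illustration of the mitigations listed above, and not code from the article or from any of the vendors it names, here is a short POSIX shell audit that reports whether a host's Docker engine is at or above 18.09.2 (the release the article says carries the fix), whether SELinux is in enforcing mode, and which running containers are configured to run as root. The `docker version --format`, `docker ps -q`, `docker inspect --format` and `getenforce` commands it calls are real; the check functions, the choice of 18.09.2 as the only version threshold, and the sample values used when it is run without `--live` are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory): a host-side
# audit for the three CVE-2019-5736 mitigations the article reports.
# The check functions take their input as arguments so they can be exercised
# on constructed sample values without a Docker daemon; the live commands
# run only when the script is invoked with "--live".

# num STR: leading numeric part of STR as a decimal integer without leading
# zeros ("09" -> 9, "1-ce" -> 1, "" -> 0), so test(1) can compare it.
num() {
    n=${1%%[!0-9]*}
    n=${n:-0}
    while [ ${#n} -gt 1 ] && [ "${n#0}" != "$n" ]; do n=${n#0}; done
    printf '%s' "$n"
}

# version_ge A B: exit 0 if dotted version A >= B, component by component.
# A missing component counts as 0, so "18.09" < "18.09.2".
version_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        ca=$(num "${a%%.*}"); a=${a#*.}
        cb=$(num "${b%%.*}"); b=${b#*.}
        [ "$ca" -gt "$cb" ] && return 0
        [ "$ca" -lt "$cb" ] && return 1
    done
    return 0
}

# selinux_enforcing MODE: exit 0 when getenforce reported "Enforcing".
selinux_enforcing() { [ "$1" = "Enforcing" ]; }

# container_runs_as_root USER: USER is a container's Config.User field.
# An empty value, "root", "0" or "0:0" all mean the process runs as uid 0.
container_runs_as_root() {
    u=${1%%:*}                      # drop an optional ":group" part
    case "$u" in
        ""|root|0) return 0 ;;
        *)         return 1 ;;
    esac
}

# audit_report VERSION SELINUX_MODE [USER...]: one line per check; exits 0
# only if the engine is patched and SELinux is enforcing. Root containers
# are reported as warnings because they are the ones the article says are
# exposed, but they do not by themselves fail the audit.
audit_report() {
    ver="$1"; mode="$2"; shift 2
    rc=0
    if version_ge "$ver" 18.09.2; then
        echo "ok    docker engine $ver >= 18.09.2"
    else
        echo "FAIL  docker engine $ver is older than 18.09.2: upgrade"
        rc=1
    fi
    if selinux_enforcing "$mode"; then
        echo "ok    SELinux enforcing"
    else
        echo "WARN  SELinux is '$mode': no SELinux containment for runc"
        rc=1
    fi
    for u in "$@"; do
        if container_runs_as_root "$u"; then
            echo "WARN  container configured to run as root (user='$u')"
        else
            echo "ok    container runs as '$u'"
        fi
    done
    return $rc
}

if [ "${1:-}" = "--live" ]; then
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null || echo 0)
    mode=$(getenforce 2>/dev/null || echo Disabled)
    set --                          # collect Config.User of every running container
    for c in $(docker ps -q 2>/dev/null); do
        set -- "$@" "$(docker inspect --format '{{.Config.User}}' "$c")"
    done
    audit_report "$ver" "$mode" "$@"
else
    # Constructed sample input: an unpatched engine, SELinux permissive,
    # one root container (empty user) and one non-root container.
    if audit_report 18.06.1-ce Permissive "" 1000:1000; then
        echo "host looks patched"
    else
        echo "action needed"
    fi
fi
```

Run it with `--live` on a Docker host to audit the real engine; without arguments it walks through the constructed sample and prints "action needed". The version comparison deliberately ignores suffixes such as `-ce` and treats a missing component as zero, which is why `18.09` alone is reported as older than the patched `18.09.2`.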
Containers Are Targets
This isn't the first time a major flaw has been found in a container runtime, and it's unlikely to be the last, especially as container popularity keeps rising, McCarty writes.
"Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like Docker will now experience additional scrutiny from researchers and potentially malicious actors as well," he writes.
In December 2018, a security researcher revealed a severe vulnerability in Kubernetes, popular open-source software for managing Linux applications deployed within containers. The privilege escalation flaw could allow an attacker to steal data or disrupt production applications. In response, Kubernetes service providers rushed to put fixes into place (see: Kubernetes Alert: Security Flaw Could Enable Remote Hacking).
(Executive Editor Mathew Schwartz also contributed to this report.)