The bug could allow a malicious container to attack a host system and the other containers found on it, qualifying as a ‘doomsday scenario’
Aleksa Sarai, one of the maintainers of runc, the default container runtime built into Docker, cri-o, containerd, Kubernetes and other tools, said the takeover issue is not unique to runc and that “it is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand”.
Sarai said the Linux-oriented LXC container tool is vulnerable to a more convoluted version of the bug and that Apache Mesos is also affected.
He said the issue, discovered by researchers Adam Iwaniuk and Borys Poplawski, can be exploited with “minimal” user interaction.
“The level of user interaction is being able to run any command… as root within a container in either of these contexts: creating a new container using an attacker-controlled image… (or) attaching (docker exec) into an existing container which the attacker had previous write access to,” Sarai wrote in an advisory.
Containers have become a popular way of dividing up computing resources and one of their features is that, in theory, each container should function as a distinct system with limited access to other containers or to the host system.
That makes any potential access by a malicious container to a host or to other containers particularly serious.
“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” wrote Red Hat technical product manager for containers Scott McCarty.
“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies… and that’s exactly what this vulnerability represents.”
Sarai said the bug, tracked as CVE-2019-5736, is not blocked by the default AppArmor policy or by the default SELinux policy on Fedora, but is blocked in cases where user namespaces are used correctly.
Amazon Web Services has said that a patch is available for Amazon Linux, but that it is still creating patches for Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.
Sarai released a patch for runc and said exploit code is available for vendors to use in testing their systems. He said the exploit code would be released publicly on 18 February.
“If you have a container runtime, please verify that you are not vulnerable to this issue beforehand,” he wrote.