Researchers Find ‘Doomsday’ Bug In Docker, Most Other Container Systems

Researchers have uncovered a serious bug in Docker and other popular operating system-level virtualisation tools that could allow a malicious container to take over a host system.

Aleksa Sarai, one of the maintainers of runc, the default container runtime built into Docker, cri-o, containerd, Kubernetes and other tools, said the takeover issue is not unique to runc and that “it is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand”.

Sarai said the Linux-oriented LXC container tool is vulnerable to a more convoluted version of the bug and that Apache Mesos is also affected.

He said the issue, discovered by researchers Adam Iwaniuk and Borys Poplawski, can be exploited with “minimal” user interaction.

‘Doomsday scenario’

“The level of user interaction is being able to run any command… as root within a container in either of these contexts: creating a new container using an attacker-controlled image… (or) attaching (docker exec) into an existing container which the attacker had previous write access to,” Sarai wrote in an advisory.

Containers have become a popular way of dividing up computing resources, and a key part of their design is that, in theory, each container should function as a distinct system with only limited access to other containers or to the host system.

That makes any potential access by a malicious container to a host or to other containers particularly serious.

“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” wrote Red Hat technical product manager for containers Scott McCarty.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies… and that’s exactly what this vulnerability represents.”

Exploit code

Sarai said the bug, tracked as CVE-2019-5736, is not blocked by the default AppArmor policy or by the default SELinux policy on Fedora, but is blocked in cases where user namespaces are used correctly.
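The preconditions quoted above (the attacker needs root inside a container) and the mitigation in the previous paragraph (correctly used user namespaces block the escape) together give a defender a simple way to rank which hosts and containers to patch first. The script below is an added example and is not code from the article, from Sarai or from the runc project: it takes the output of `docker info --format '{{json .SecurityOptions}}'` and of `docker inspect`, both embedded here as constructed samples, and lists containers that run as root without user-namespace isolation. It is a configuration triage, not a vulnerability test; the actual fix is the patched runc.

```python
"""
Configuration triage against the CVE-2019-5736 preconditions described in the
article: flag containers whose process runs as root on a host (or container)
without user-namespace remapping. Added example; all sample data is constructed.
"""
import json

# Constructed sample of `docker info --format '{{json .SecurityOptions}}'`
# on a host WITHOUT user-namespace remapping (only AppArmor and seccomp).
SAMPLE_SECURITY_OPTIONS_NO_USERNS = (
    '["name=apparmor","name=seccomp,profile=default"]'
)
# Same host after enabling "userns-remap" in daemon.json: a "name=userns" entry appears.
SAMPLE_SECURITY_OPTIONS_USERNS = (
    '["name=apparmor","name=seccomp,profile=default","name=userns"]'
)

# Constructed, trimmed `docker inspect` records with only the fields used here.
# "batch" was started with --userns=host, which opts it out of daemon-wide remapping.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web",   "Config": {"User": ""},        "HostConfig": {"UsernsMode": ""}},
    {"Name": "/db",    "Config": {"User": "999:999"}, "HostConfig": {"UsernsMode": ""}},
    {"Name": "/batch", "Config": {"User": "root"},    "HostConfig": {"UsernsMode": "host"}},
    {"Name": "/api",   "Config": {"User": "0:0"},     "HostConfig": {"UsernsMode": ""}},
])


def host_has_userns(security_options_json: str) -> bool:
    """True if the daemon reports user-namespace remapping in its security options.

    Entries look like "name=apparmor" or "name=seccomp,profile=default"; the
    remapping feature shows up as an entry whose first component is "name=userns".
    """
    options = json.loads(security_options_json)
    return any(opt.split(",")[0] == "name=userns" for opt in options)


def runs_as_root(user_field: str) -> bool:
    """Interpret Config.User: empty means the image set no USER, so the process is root.

    Otherwise the field is "user", "uid", "user:group" or "uid:gid". Names other
    than "root" are not resolved against the image's /etc/passwd here (assumption:
    a non-root name in the image does map to a non-zero uid).
    """
    if not user_field:
        return True
    user = user_field.split(":")[0]
    return user in ("root", "0")


def at_risk_containers(security_options_json: str, inspect_json: str) -> list:
    """Names of containers meeting the article's preconditions: root inside the
    container and no user-namespace separation from the host."""
    daemon_userns = host_has_userns(security_options_json)
    flagged = []
    for container in json.loads(inspect_json):
        # A container started with --userns=host is not remapped even when the
        # daemon is, so it loses the mitigation the article mentions.
        isolated = daemon_userns and container["HostConfig"].get("UsernsMode") != "host"
        if not isolated and runs_as_root(container["Config"].get("User", "")):
            flagged.append(container["Name"].lstrip("/"))
    return flagged


if __name__ == "__main__":
    for label, opts in (("no userns", SAMPLE_SECURITY_OPTIONS_NO_USERNS),
                        ("userns-remap", SAMPLE_SECURITY_OPTIONS_USERNS)):
        print(f"{label}: root containers without namespace isolation ->",
              at_risk_containers(opts, SAMPLE_INSPECT))
```

On a live host the two inputs come from `docker info --format '{{json .SecurityOptions}}'` and `docker inspect $(docker ps -q)`; the check covers Docker only, while the article notes that other runtimes built on runc, LXC and Mesos are affected too, so it prioritises work rather than proving a host safe.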

Amazon Web Services has said that a patch is available for Amazon Linux, but that it is still creating patches for Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.

Sarai released a patch for runc and said exploit code is available for vendors to use in testing their systems. He said the exploit code would be released publicly on 18 February.

“If you have a container runtime, please verify that you are not vulnerable to this issue beforehand,” he wrote.

Matthew Broersma

Matt Broersma is a long-standing freelance technology journalist who has worked for Ziff-Davis, ZDNet and other leading publications.
