Researchers Find ‘Doomsday’ Bug In Docker, Most Other Container Systems

Researchers have uncovered a serious bug in Docker and other popular operating system-level virtualisation tools that could allow a malicious container to overwrite the host's container runtime binary and, from there, take over the host system.

Aleksa Sarai, one of the maintainers of runc, the default container runtime built into Docker, cri-o, containerd, Kubernetes and other tools, said the takeover issue is not unique to runc and that “it is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand”.

Sarai said the Linux-oriented LXC container tool is vulnerable to a more convoluted version of the bug and that Apache Mesos is also affected.

He said the issue, discovered by researchers Adam Iwaniuk and Borys Poplawski, can be exploited with “minimal” user interaction.

‘Doomsday scenario’

“The level of user interaction is being able to run any command… as root within a container in either of these contexts: creating a new container using an attacker-controlled image… (or) attaching (docker exec) into an existing container which the attacker had previous write access to,” Sarai wrote in an advisory.

Containers have become a popular way of dividing up computing resources and one of their features is that, in theory, each container should function as a distinct system with limited access to other containers or to the host system.

That makes any potential access by a malicious container to a host or to other containers particularly serious.

“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” wrote Red Hat technical product manager for containers Scott McCarty.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies… and that’s exactly what this vulnerability represents.”

Exploit code

Sarai said the bug, tracked as CVE-2019-5736, is not blocked by the default AppArmor policy or by the default SELinux policy on Fedora, but is blocked when user namespaces are used correctly, that is, when the host's root user is not mapped into the container's user namespace.
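A practical way to check the user-namespace mitigation mentioned above, as an added example that is not from the original article or from the runc project: a POSIX shell script that parses a /proc/<pid>/uid_map (kernel format: `inside_id outside_id count` per line) and reports whether host UID 0 is mapped into the namespace. The function names, the script filename and the sample maps are constructed for this example. It checks only whether the mitigation applies; it does not tell you whether the host's runc binary has been patched, which is the actual fix.

```shell
#!/bin/sh
# Added example (not from the article or the runc project): decide whether
# host root is mapped into a user namespace. If it is, the user-namespace
# mitigation for CVE-2019-5736 does NOT apply to that container.
#
# /proc/<pid>/uid_map lines have the form:  <inside_id> <outside_id> <count>
# Host UID 0 is mapped iff some line's outside range [outside_id, outside_id+count)
# contains 0, i.e. outside_id == 0 and count > 0.

# host_root_mapped MAP_TEXT -> exit 0 if host UID 0 is mapped, 1 otherwise
host_root_mapped() {
    printf '%s\n' "$1" | awk '
        NF == 3 && $2 == 0 && $3 > 0 { found = 1 }
        END { exit found ? 0 : 1 }'
}

# check_container_userns [UID_MAP_FILE]
# Reads the map (default: the calling process's own) and reports the result.
# Returns 0 when user namespaces isolate host root, 1 when they do not,
# 2 when the map cannot be read.
check_container_userns() {
    file=${1:-/proc/self/uid_map}
    map=$(cat "$file" 2>/dev/null) || return 2
    if host_root_mapped "$map"; then
        echo "UNPROTECTED: host UID 0 is mapped into this user namespace ($file)"
        return 1
    fi
    echo "PROTECTED: host UID 0 is not mapped; user-namespace mitigation applies ($file)"
    return 0
}

# Run the check only when executed as check_userns.sh (the assumed filename);
# sourcing the file elsewhere just defines the functions.
case "$0" in
    *check_userns*) check_container_userns "$@" ;;
esac
```

Save it as check_userns.sh and run `sh check_userns.sh` inside the container (or point it at `/proc/<pid>/uid_map` of a container process from the host). On a default Docker daemon the map is the identity mapping `0 0 4294967295`, which the script reports as UNPROTECTED; with `userns-remap` enabled it shows a subordinate range such as `0 100000 65536` and is reported as PROTECTED.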

Amazon Web Services has said that a patch is available for Amazon Linux, but that it is still creating patches for Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.

Sarai released a patch for runc and said exploit code is available for vendors to use in testing their systems. He said the exploit code would be released publicly on 18 February.

“If you have a container runtime, please verify that you are not vulnerable to this issue beforehand,” he wrote.

Matthew Broersma

Matt Broersma is a long standing tech freelance, who has worked for Ziff-Davis, ZDnet and other leading publications
