RunC Security Flaw could allow cascading attacks
RunC, a fundamental component of container technologies like Docker and Kubernetes, patched a vulnerability that would allow root-level code execution, container escape and access to the host filesystem. Adam Iwaniuk and Borys Popławski discovered the vulnerability, which allows a malicious container to overwrite the host RunC binary and gain root-level code execution on the host. Details of the flaw can be read on the NIST posting for CVE-2019-5736.
A hacker with local access to the affected system can exploit the flaw by tricking users into running malicious or modified containers on their systems. A hacker could create a new container from a malicious software image, or could add a malicious command to an existing container that they have write access to. From there, the hacker needs to trick a user into running the weaponized container within their environment. The vulnerability allows the attacker to overwrite the RunC binary, which is the CLI tool used for starting and running containers. This could allow hackers to run new containers, exhaust resources or gain access to existing containers.
RunC is the open-source underlying container runtime that powers popular container technologies like Docker and Kubernetes. Containers allow applications to be more agile and on-demand, and have become a standard for architecting cloud services, embraced by enterprises worldwide as well as Amazon Web Services, Microsoft Azure and other cloud providers. The impact may be huge due to the interconnectedness of container-based cloud infrastructure. Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment and affect the entire container host, ultimately compromising thousands of other containers running on it.
By default, Red Hat products are protected by SELinux in enforcing mode. The vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy in the moby-engine package on Fedora. Fedora's docker and podman packages are protected. Related container projects like Apache Mesos and LXC have similar vulnerabilities. The systemd-nspawn project isn't vulnerable because its method of attaching to a container is different from that of LXC and RunC. AWS issued a security bulletin and patches for its platforms that use RunC.
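Because the flaw works by replacing the host's RunC binary, a host that keeps a known-good digest of that binary can detect the overwrite after the fact, and can also report whether SELinux is enforcing as the Red Hat defaults described above require. The POSIX shell script below is an added example, not code from the article or from the RunC project. It assumes RunC is installed at /usr/bin/runc and that a baseline digest was recorded at /var/lib/runc-baseline.sha256 after patching; both paths are placeholders that can be overridden through environment variables.

```shell
#!/bin/sh
# Added example (not from the article): host-side posture check for the
# RunC overwrite flaw. Two checks are implemented:
#   1. Is SELinux in enforcing mode (the protection the article cites for
#      Red Hat defaults)?
#   2. Does the RunC binary still match a digest recorded when the host was
#      patched? A mismatch means the binary changed and should be investigated.
# RUNC_PATH and BASELINE_FILE are assumed locations, not values from the article.

RUNC_PATH="${RUNC_PATH:-/usr/bin/runc}"
BASELINE_FILE="${BASELINE_FILE:-/var/lib/runc-baseline.sha256}"

# selinux_mode_ok MODE -> success only when MODE is "Enforcing"
selinux_mode_ok() {
    [ "$1" = "Enforcing" ]
}

# file_sha256 PATH -> prints the hex SHA-256 digest of PATH
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# record_baseline PATH BASELINE -> stores the current digest of PATH in BASELINE.
# Run this once, from a trusted shell, right after installing the patched RunC.
record_baseline() {
    file_sha256 "$1" > "$2"
}

# binary_matches_baseline PATH BASELINE
#   returns 0 when the digest matches, 1 when it differs (possible overwrite),
#   2 when no baseline has been recorded yet
binary_matches_baseline() {
    [ -r "$2" ] || return 2
    [ "$(file_sha256 "$1")" = "$(cat "$2")" ]
}

# posture_check -> prints one line per check for the real host
posture_check() {
    mode="$(getenforce 2>/dev/null || echo Unknown)"
    if selinux_mode_ok "$mode"; then
        echo "SELinux: Enforcing"
    else
        echo "SELinux: $mode (not enforcing; note that the default AppArmor policy does not block this flaw either)"
    fi

    if [ -e "$RUNC_PATH" ]; then
        binary_matches_baseline "$RUNC_PATH" "$BASELINE_FILE" && rc=0 || rc=$?
        case "$rc" in
            0) echo "runc: digest matches baseline" ;;
            1) echo "runc: DIGEST MISMATCH at $RUNC_PATH; binary changed since baseline, investigate" ;;
            2) echo "runc: no baseline at $BASELINE_FILE (run record_baseline after patching)" ;;
        esac
    else
        echo "runc: not found at $RUNC_PATH"
    fi
}

# Usage: run the checks when the script is executed with RUNC_CHECK_RUN=1,
# e.g. RUNC_CHECK_RUN=1 sh runc-check.sh
if [ "${RUNC_CHECK_RUN:-0}" = "1" ]; then
    posture_check
fi
```

The digest comparison only tells you that the binary changed, not why, so treat a mismatch as an incident trigger rather than proof of compromise, and keep the baseline file and the script itself outside any path a container can write to.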
Container security has become an important issue lately. Researchers hacked the Docker test platform called Play-with-Docker, allowing them to access data and manipulate any test Docker containers running on the host system. Last year, 17 malicious Docker images were pulled from the Docker Hub image repository. Researchers couldn't say for sure how many times the malicious containers were used by Docker Hub users, but Kromtech estimates that the 17 images were downloaded collectively 5 million times during the year they were available. Docker also patched a privilege escalation vulnerability last year that could have led to container escapes. In fact, 60 percent of respondents in a recent survey admitted that their organizations had been hit with at least one container security incident within the past year. In companies with more than 100 containers in place, that percentage rises to 75 percent.