Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News RunC Bug Enables Malicious Containers to Gain Root Access on Hosts

RunC Bug Enables Malicious Containers to Gain Root Access on Hosts

Security researchers have discovered a critical bug in runC - a lightweight CLI tool for spawning containers according to the OCI specification - which allows the attackers to escape the container and gain administrative privileges on the host, rendering it vulnerable.

The bug (CVE-2019-5736), discovered by Adam Iwaniuk and Borys Popławsk of Dragon Sector, a Polish security Capture The Flag team, "allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host," explained Aleksa Sarai, a senior software engineer at SUSE Linux who is also one of the maintainers of runC. Sarai added that "It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand." Yet, he adds further, correct use of user namespaces "where the host root is not mapped into the container's user namespace" blocks this flaw.

The maintainers of runC have already made a fix available to resolve the security flaw. Docker has released version v18.09.2 addressing the issue. It recommends immediately applying the update to avoid any potential security threats. Many vendors and cloud service providers, including Google, Amazon, and Kubernetes have issued security bulletins on mitigating the issue.

The researchers who discovered the flaw have explained it in detail in their blog post. The proof-of-concept exploit code for the vulnerability is now available on GitHub.

The runC team has assigned a CVSSv3 vector score of 7.2 to the bug. Red Hat Product Security gave it a severity rating of "important impact", which "is given to flaws that can easily compromise the confidentiality, integrity, or availability of resources."

According to Scott McCarty, senior principal product manager for containers at Red Hat, the disclosure of this flaw "illustrates a bad scenario for many IT administrators, managers, and CxOs." He notes in his blog that "Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it. A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that's exactly what this vulnerability represents." But he also mentions that SELinux in targeted enforcing mode mitigates this vulnerability for most Red Hat technologies.

The bug has captured the attention of developers working in the container virtualization sphere. Several of them have taken to forums like Twitter, Reddit and HackerNews to understand the implications of the discovery of the bug as well as the underlying malpractices such as running privileged containers, running processes as root and so on. The general advice for developers is to run processes under their own user and use only verified images to spawn the containers.

The topic of container security has been in spotlight of late. Early last year, 17 malicious Docker images were pulled down from the Docker Hub image repository after reports of them being actively used in illegal cryptomining activity came out. In December 2018, a critical flaw was discovered in Kubernetes which could allow "a malicious user to gain full administrator privileges on any computer node in a Kubernetes pod". A patch was immediately released in response.

Rate this Article