The bug, dubbed CVE-2019-5736, allows an infected container to overwrite the host's runC binary and gain root-level code execution on the host. In effect, the infected container takes control of the underlying host, letting an attacker execute any command there.
“It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand,” explained Aleksa Sarai, a senior software engineer at SUSE and a maintainer for runC, in an email posted on Openwall. Sarai added that the flaw is blocked by the proper implementation of user namespaces “where the host root is not mapped into the container’s user namespace.”
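A practical check for the mitigation Sarai describes, added here as an example and not taken from the article or from runC itself: a POSIX shell function that parses a uid_map and reports whether host UID 0 is mapped into the user namespace. It assumes a single level of user-namespace nesting, where the second column of /proc/self/uid_map, read from inside the container, holds host IDs; the sample maps below are constructed.

```shell
#!/bin/sh
# Added example (not from the article). Lines of /proc/self/uid_map have the
# form "<inside-id> <outside-id> <count>". When a process reads its own map,
# the outside-id column is expressed in the parent (host) user namespace, so
# an entry with outside-id 0 means host root is reachable from the container.

# host_root_mapped MAP_TEXT
#   Returns 0 (true) if any mapping starts at host UID 0, 1 otherwise.
host_root_mapped() {
  while read -r inside outside count; do
    [ -z "$inside" ] && continue            # skip blank lines
    if [ "$outside" -eq 0 ]; then
      return 0                              # range covers host UID 0
    fi
  done <<EOF
$1
EOF
  return 1
}

# userns_verdict MAP_TEXT
#   Prints a one-line defender-oriented verdict for the given map.
userns_verdict() {
  if host_root_mapped "$1"; then
    echo "host root IS mapped into this user namespace: user-namespace mitigation absent"
  else
    echo "host root is not mapped: user-namespace mitigation in place"
  fi
}

# Constructed samples (not real captures):
# identity map, as seen without user namespaces (default runtime setup)
SAMPLE_IDENTITY='         0          0 4294967295'
# remapped container root, as produced by a userns-remap style configuration
SAMPLE_REMAPPED='         0     100000      65536'
# two-line map that still keeps host root out of reach
SAMPLE_SPLIT='         0     100000          1
         1     100001      65535'

# When run on Linux, also report on the caller's own namespace.
if [ -r /proc/self/uid_map ]; then
  userns_verdict "$(cat /proc/self/uid_map)"
fi
```

Run inside a container to see whether that container's root maps to host root; on the host itself the identity map is expected.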
The bug has received an “important” impact rating from some vendors. Sarai said the flaw has a CVSSv3 score of 7.2 out of 10.
A patch for the flaw has been developed and is being sent out to the runC community. A number of vendors and cloud providers have already taken steps to implement the patch.
RunC was initially spun out of work done by Docker Inc. It’s an Open Container Initiative (OCI)-compliant command line interface (CLI) tool for spawning and running containers.
While not specific to the Kubernetes ecosystem, the latest flaw follows on the heels of a “critical” flaw found in the container orchestration platform late last year. That bug impacted all Kubernetes-based products and services, giving hackers full administrative privileges on any compute node run in a Kubernetes cluster.
A patch was quickly developed and released, but most observers note that they expect more bugs to be found.
“There are always going to be vulnerabilities,” Rani Osnat, vice president of product marketing at Aqua Security, told SDxCentral during the KubeCon + CloudNativeCon North America 2018 event in Seattle. “The fact that one was found was to be expected. And I expect more will be found going forward. That’s just what should be expected with software.”
Cloud security provider Lacework last year found more than 21,000 open container orchestration and API management systems exposed on the internet as potential attack points. Those open systems included deployments using Kubernetes, Docker Inc.’s Swarm, Mesos Marathon, Red Hat OpenShift, Portainer.io, and Swarmpit.
There are also lingering chip security concerns tied to the Spectre, Meltdown, and Foreshadow bugs that are keeping the Linux kernel community busy.