What is the vulnerability?
Recently Aleksa Sarai, one of the maintainers of runc (the low-level container runtime underneath Docker, containerd and cri-o), announced a critical vulnerability affecting multiple popular container environments, including Docker, Kubernetes and cri-o. Aleksa Sarai described this as a “runc container breakout” vulnerability that affects not only runc but also Apache Mesos, LXC and possibly other container runtimes. In fact, it is considered likely that this issue exists in most other container runtimes unless, as Aleksa phrased it, “they took very strange mitigations before-hand.”
This vulnerability, announced publicly on the oss-security mailing list on February 11th, 2019, is tracked as CVE-2019-5736 (distro-specific links are provided below).
As far as vulnerabilities go, this is about the worst case for a container environment: full root access to the host from inside a container. The flaw is that the host's runc binary is reachable from a container process through /proc/self/exe while runc is starting or attaching to that container (for example on docker exec). A malicious image, or an attacker who already has root inside a running container, can use that handle to overwrite the host's runc binary, and the replacement then runs as root the next time anyone on the host invokes runc. The upstream fix (runc commit 0a8e4117, shipped in Docker 18.09.2 and in runc 1.0.0-rc7 and later) makes runc re-execute itself from a sealed in-memory copy of its binary so the host file is no longer exposed. Two deployment details limit exposure but are no substitute for patching: correctly configured user namespaces (where the container's root is not the host's root) block the attack, and Red Hat states that SELinux in enforcing mode blocks it on RHEL 7; the default Docker AppArmor profile does not.
It should also be noted that while Aleksa's email to the oss-security mailing list described the exploit in general terms, working exploit code was to be made publicly available on or after 2019-02-18. That means that anyone can now use the published code to craft their own attempt against unpatched systems. Sure, an attacker first needs root inside a container on your host, whether through a malicious image you run or a container that has already been compromised, but if we've learned anything over the years it's that a breach is a matter of when, not if!
Take the incredibly popular and respected PHP package manager PEAR, for example: its website, pear.php.net, served a backdoored copy of the go-pear.phar installer for months (suspected up to six months) to an unknown number of users. The site was subsequently taken offline for a time and appears to have been restored without the initial announcement, but you can see a record of the event in cPanel's breakdown, among many others.
So assume nothing and presume nothing: update your server(s) or remain vulnerable. As we all know, only one of those choices is a good one.
If you need assistance in updating your server, or identifying if an update is available, please contact the Cozaq support team and we’ll be happy to assist you!
Who should be concerned?
Anyone running a containerized environment, or running workloads inside containers, even if you do not control the parent environment. Examples of services built on container environments are Amazon AWS, Databricks and Microsoft Azure; most systems administrators will know whether they themselves are running a container environment. (Don't worry, each of these service providers has taken the appropriate steps to correct the issue, as the links in our list below show.)
What should be done?
As is the case with most vulnerabilities, the answer here is simple: update your operating system and/or container runtime (Docker, runc and whatever bundles them). If you are unsure whether you are affected, see the article list below or contact your hosting or managed services provider(s). If you're a Cozaq customer, or want to inquire about our services, contact the Cozaq support or sales teams for more information.
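As an added example, not part of the Cozaq post and not a tool from runc, Docker or any distribution, the POSIX shell script below triages a host from the version strings that docker version and runc --version print. It assumes upstream version numbering: that Docker CE 18.09.2 is the first upstream Docker release carrying the fix, and that runc carries it from commit 0a8e4117 onward, so 1.0.0-rc7 and later always do while a 1.0.0-rc6 build may or may not. Distribution packages (see the Red Hat, Ubuntu and Amazon links below) backport the fix under their own version strings, so for anything that is not clearly a plain upstream build the script answers "verify" rather than guessing. The sample outputs at the bottom are constructed, not captured from real hosts.

```shell
#!/bin/sh
# Added example, not from the Cozaq post or from any vendor tooling:
# triage a host for CVE-2019-5736 using the version strings Docker and
# runc report.
#
# Assumptions (upstream version numbering):
#   - Docker CE 18.09.2 is the first upstream Docker release with the fix.
#   - runc carries the fix from commit 0a8e4117 onward, so 1.0.0-rc7 and
#     later always do, while a 1.0.0-rc6 build may or may not.
# Distribution packages backport the fix under their own version strings,
# so anything that does not look like a plain upstream build is reported
# as "verify" (check the vendor advisory), never silently as "patched".

# version_ge A B: exit 0 when dotted version A >= B. Compares the first
# three numeric fields; a suffix such as "-ce" is ignored.
version_ge() {
    i=1
    while [ "$i" -le 3 ]; do
        # the trailing "." guarantees cut sees a delimiter even for "18"
        x=$(printf '%s.' "$1" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        y=$(printf '%s.' "$2" | cut -d. -f"$i" | sed 's/[^0-9].*$//')
        x=${x:-0}
        y=${y:-0}
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# docker_status VERSION: "patched" for upstream Docker >= 18.09.2,
# otherwise "verify" (older branches and distro builds may be backported).
docker_status() {
    if version_ge "$1" 18.09.2; then echo patched; else echo verify; fi
}

# runc_status "<output of runc --version>": prints one of
#   patched    - the fix commit, rc7 or later, or a final release line
#   vulnerable - a plain upstream rc5 or older, which predate the fix
#   verify     - rc6 of unknown lineage, or a distro-specific build string
runc_status() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^runc version //p' | head -n 1)
    commit=$(printf '%s\n' "$1" | sed -n 's/^commit: //p' | head -n 1)
    case "$commit" in
        0a8e4117*) echo patched; return 0 ;;
    esac
    case "$ver" in
        1.0.0-rc[0-9]*)
            rc=$(printf '%s' "$ver" | sed 's/^1\.0\.0-rc//; s/[^0-9].*$//')
            suffix=$(printf '%s' "$ver" | sed 's/^1\.0\.0-rc[0-9]*//')
            if [ "$rc" -ge 7 ]; then
                echo patched
            elif [ -z "$suffix" ] && [ "$rc" -le 5 ]; then
                echo vulnerable
            else
                echo verify
            fi ;;
        *rc*) echo verify ;;            # e.g. a "1.0.0~rc5+..." distro string
        [1-9].[0-9]*) echo patched ;;   # 1.0.0 final or any later release line
        *) echo verify ;;               # empty or unrecognised
    esac
}

# Constructed sample outputs (not captured from real hosts). The commit in
# the second one is the real upstream fix commit; the first is a placeholder.
SAMPLE_RUNC_OLD=$(printf 'runc version 1.0.0-rc5\ncommit: 0123456789abcdef0123456789abcdef01234567\nspec: 1.0.0\n')
SAMPLE_RUNC_FIXED=$(printf 'runc version 1.0.0-rc6+dev\ncommit: 0a8e4117e7f715d5fbeef398405813ce8e88558b\nspec: 1.0.1-dev\n')

echo "sample rc5:      $(runc_status "$SAMPLE_RUNC_OLD")"      # vulnerable
echo "sample rc6+fix:  $(runc_status "$SAMPLE_RUNC_FIXED")"    # patched
echo "sample docker:   $(docker_status 18.09.1-ce)"            # verify

# Live check of this host, skipped quietly where the tools are absent.
if command -v docker >/dev/null 2>&1; then
    if dv=$(docker version --format '{{.Server.Version}}' 2>/dev/null); then
        echo "docker $dv: $(docker_status "$dv")"
    fi
fi
if command -v runc >/dev/null 2>&1; then
    if rv=$(runc --version 2>/dev/null); then
        echo "runc: $(runc_status "$rv")"
    fi
fi
```

Run it as root on each host. A result of "verify" means compare the installed package version against your distribution's advisory from the list below; it does not mean you are safe. Docker embeds its own runc, so a host can show a patched docker and an unrelated stand-alone runc, or the other way round, and both need to be current.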
Related publications
- Original CVE-2019-5736 patch notification: https://seclists.org/oss-sec/2019/q1/119
- Red Hat: https://access.redhat.com/security/vulnerabilities/runcescape
- Ubuntu: https://www.ubuntuupdates.org/package/core/bionic/universe/updates/runc
- Amazon AWS: https://alas.aws.amazon.com/ALAS-2019-1156.html
- Kubernetes: https://kubernetes.io/blog/2019/02/11/runc-and-cve-2019-5736/
- US-CERT release: https://www.us-cert.gov/ncas/current-activity/2019/02/11/runc-Open-Source-Container-Vulnerability
- unRAID: https://forums.unraid.net/topic/77883-cve-2019-5736-runc-vulnerability-with-docker/ (update: https://forums.unraid.net/topic/78204-unraid-os-version-667-available/)
- Databricks: https://databricks.com/blog/2019/02/19/databricks-security-advisory-critical-runc-vulnerability-cve-2019-5736.html
- Microsoft Azure: https://azure.microsoft.com/en-in/updates/cve-2019-5736-and-runc-vulnerability/