Got Docker? Get patching…runc container breakout vuln allows root access


A vulnerability in the runc container runtime which could allow a malicious container to gain root access to host machines seems set to cause a fraught Monday for container fans across the world.

Red Hat flashed an advisory as the US was waking up today, describing the bug – labelled CVE-2019-5736 – as “important”, and warning it “allows for a break out from the container to gain root-level access on the host machine.” It added that the bug affects “both the docker and runc packages available on Red Hat Enterprise Linux 7”.

However, the impact will be much broader, as runc underpins Docker, containerd, Kubernetes and more, according to this announcement by runc maintainer Aleksa Sarai, who also provides details of a patch. Adam Iwaniuk and Borys Popławski are credited as the researchers who uncovered the flaw.

As Red Hat put it, “A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.”

Red Hat said it has delivered fixes in the Red Hat Enterprise Linux Extras channel. It also said that “Customers using docker (or docker-latest*) will need to update the docker package, which bundles its own version of runc. Customers using cri-o, podman, or any other container engine that depends on runc, will need to update the runc package.”
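Two defender-side checks that follow from the description above, as an added example that is not part of the article and not Red Hat's or the runc project's own tooling: the first parses `rpm -V` output and flags a runc binary whose size or digest no longer matches its package (the symptom of the overwrite Red Hat describes); the second takes an installed-package list and says which package must be updated, following Red Hat's split between docker (bundled runc) and standalone runc. The sample output, the `/usr/sbin/runc` path and the `docker-runc` name are constructed for the demo; on a real host you would pipe in live `rpm -V runc` and `rpm -qa --qf '%{NAME}\n'` output instead.

```shell
#!/bin/sh
# Added example for CVE-2019-5736 host checks; not code from the article,
# Red Hat or runc. Everything here parses text, so it runs offline on the
# constructed samples below.

# Constructed sample of `rpm -V runc` output. The first column holds the
# standard rpm verify flags (S size, M mode, 5 digest, D device, L link,
# U user, G group, T mtime, P caps); "missing" means the file is gone.
# The path /usr/sbin/runc is an assumption for the demo.
SAMPLE_VERIFY='S.5....T.    /usr/sbin/runc
.......T.  c /etc/runc.conf'

# Exit 0 (binary tampered) when any verify line for a runc binary reports a
# size or digest mismatch or a missing file; exit 1 when nothing about the
# runc binary differs from the package manifest (an mtime-only change is
# not treated as tampering). Reads rpm -V output on stdin.
runc_binary_tampered() {
    awk '
        $NF ~ /\/(docker-)?runc$/ && ($1 ~ /^S/ || substr($1, 3, 1) == "5" || $1 == "missing") {
            print "ALERT: " $NF " verify-flags=" $1
            found = 1
        }
        END { if (found) exit 0; else exit 1 }
    '
}

# Given installed package names on stdin (one per line, as from
# `rpm -qa --qf '%{NAME}\n'`), print the package(s) that must be updated:
# docker and docker-latest bundle their own runc, so those hosts update the
# docker package; cri-o, podman and other runc consumers update runc itself.
package_to_update() {
    awk '
        /^docker(-latest)?$/ { docker = 1 }
        /^runc$/             { runc = 1 }
        END {
            if (docker) print "docker"
            if (runc)   print "runc"
            if (!docker && !runc) print "none-installed"
        }
    '
}

# Demo on the constructed samples.
if printf '%s\n' "$SAMPLE_VERIFY" | runc_binary_tampered; then
    echo "runc binary no longer matches its package: reinstall it and investigate the host"
fi
printf 'docker\nrunc\nkernel\n' | package_to_update
```

`rpm -V` prints nothing for files that still match, so an empty input means the runc binary verified cleanly; the first function only alerts on size, digest or missing-file flags because a bare mtime change is routine after package operations, whereas a digest change on a running host's runc is exactly what a breakout leaves behind.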

A Docker spokesperson told us: “There was a coordinated disclosure and Docker patched and shipped updates for both our community and enterprise versions of Docker Engine and in containerd.”

Sarai added, “I’ve discovered that LXC has a similar vulnerability, and they have also pushed a similar patch which we co-developed. LXC is a bit harder to exploit, but the same fundamental flaw exists.”

He added, “It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations before-hand.”