runc Container Escape Vulnerability: CVE-2019-5736

runC is a lightweight, portable container runtime. It is designed to create containers according to the Open Container Initiative (OCI) specification. A vulnerability in runC allows a crafted (malicious) container created with runC to overwrite the host OS runC binary. The compromised host runC binary can then be used to execute commands as root on the host OS. The attack can be launched from an already running container to which the attacker has write access, or by starting a new container from a specially crafted image. This vulnerability can be exploited only by privileged containers. CVE-2019-5736 has been assigned to track this issue. The vulnerability affects runC versions through 1.0-rc6. Any deployment using runC is susceptible to this vulnerability.

Exploitation
To exploit CVE-2019-5736, an attacker would need to target a binary within a container and replace it with a custom binary that points to runC. For example, /bin/bash can be replaced with a script whose interpreter line is #!/proc/self/exe; /proc/self/exe is a symbolic link to the binary of the currently executing process. When any process executes /bin/bash, it will in turn execute /proc/self/exe, which targets the runC binary on the host OS. runC cannot be overwritten while it is executing, so the attacker needs a polling process that checks for suitable conditions and then proceeds to overwrite the target. Most likely the attack will go through when the runC binary exits.
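The indicator described above, a script whose interpreter line is /proc/self/exe (or /proc/&lt;pid&gt;/exe), is something a defender can scan container images and rootfs snapshots for. The following is an added example, not code from the original post or from the runC project; it assumes the rootfs is mounted or extracted to a directory, and demo() builds a small constructed rootfs to scan.

```python
import os
import re
import tempfile

# Interpreters that re-execute the calling process's own binary.
PROC_EXE_RE = re.compile(rb"^/proc/(self|\d+)/exe(/|$)")


def shebang_interpreter(data: bytes):
    """Return the interpreter path from a #! line, or None if there is none."""
    if not data.startswith(b"#!"):
        return None
    first_line = data.split(b"\n", 1)[0][2:].strip()
    return first_line.split()[0] if first_line else None


def is_proc_exe_shebang(data: bytes) -> bool:
    """True when a script's interpreter is /proc/self/exe or /proc/<pid>/exe."""
    interp = shebang_interpreter(data)
    return interp is not None and PROC_EXE_RE.match(interp) is not None


def scan_tree(root: str):
    """Yield paths (relative to root) whose shebang points at /proc/*/exe."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue  # skip symlinks, device nodes and sockets
            try:
                with open(path, "rb") as fh:
                    head = fh.read(256)  # the shebang line is all we need
            except OSError:
                continue  # unreadable entries are not worth aborting the scan
            if is_proc_exe_shebang(head):
                yield os.path.relpath(path, root)


def demo():
    """Scan a constructed mini rootfs holding one tampered /bin/bash."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    os.makedirs(os.path.join(root, "bin"))
    with open(os.path.join(root, "bin", "bash"), "wb") as fh:
        fh.write(b"#!/proc/self/exe\n")  # the indicator described above
    with open(os.path.join(root, "bin", "sh"), "wb") as fh:
        fh.write(b"#!/bin/dash\necho benign\n")  # a normal script, not flagged
    return sorted(scan_tree(root))
```

On a real image, point scan_tree() at the extracted layer or the container's merged rootfs; a hit on a shell or other commonly executed binary is a strong signal that the image has been prepared for this attack.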

Mitigation
We request that organizations apply the latest fixes provided by their respective vendors. Qualys will release the QIDs listed below to address CVE-2019-5736.

QID Description
371641 Runc Container Breakout Vulnerability
237121 Red Hat Update for docker (RHSA-2019:0304)
237120 Red Hat Update for runc (RHSA-2019:0303)
351500 Amazon Linux Security Advisory for docker: ALAS-2019-1156

Qualys will continue to add more detections as vendors release their patches to address this vulnerability.

Please continue to follow Qualys Threat Protection for more coverage on this vulnerability.

References
CVE-2019-5736
docker-runc
CVE-2019-5736 (runC): rexec callers as memfd
opencontainers/runc patch
