Overview
CVE-2019-5736 is a high severity (CVSS score 8.6) privilege escalation vulnerability in runC, the low-level container runtime used by many container platforms (including OpenShift, Kubernetes, and Docker) to create, run and manage containers. runC is the reference implementation of the OCI runtime specification rather than a specification itself, which is why one bug in it reaches every engine that embeds it.
Details
CVE-2019-5736 is exploitable by a specially crafted container running under default settings. A malicious container can overwrite the host's runC binary and thereby gain root-level code execution on the host. The only interaction required is that some command be run as root inside the container in either of these situations:
(i) attaching (docker exec) to an existing container to which the attacker previously had write access; or
(ii) starting a new container from an attacker-controlled image.
The two cases look different but are handled the same way: each requires runC to spawn a new process inside the container, and in both runC runs a user-defined binary within the container. On most platforms and distributions that binary is the argument of docker exec when attaching to an existing container, or the image's entry point when starting a new one.
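Because a successful attack ends with the host's runC binary overwritten, a file-integrity check of that binary against a known-good digest is a direct post-exploitation indicator. The POSIX sh script below is an added example, not tooling from the advisory or the runC project: it records a baseline digest and flags any later change. The candidate binary paths and the placeholder file used by the demo are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original advisory): integrity check for the host
# runC binary. CVE-2019-5736 ends with that binary overwritten, so a mismatch
# against a known-good digest is a direct indicator of exploitation.
# Assumptions: sha256sum (or shasum) is on PATH, and the baseline digest was
# taken from a trusted copy, e.g. right after installing a patched package.
set -u

# Print the SHA-256 hex digest of a file with whichever tool is available.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# check_runc_integrity PATH EXPECTED_DIGEST
# Returns 0 when the binary still matches the baseline, 1 when its contents
# changed (the post-exploitation state), 2 when the file is missing.
check_runc_integrity() {
    path=$1
    expected=$2
    [ -f "$path" ] || return 2
    actual=$(sha256_of "$path")
    [ "$actual" = "$expected" ]
}

# Typical locations of the host runc binary (assumed; adjust per distribution).
# docker-runc is the name Docker used for its bundled copy in some releases.
RUNC_CANDIDATES="/usr/bin/runc /usr/sbin/runc /usr/bin/docker-runc /usr/local/sbin/runc"

# Print the first runc binary present on this host; fail if none is found.
find_runc() {
    for p in $RUNC_CANDIDATES; do
        [ -x "$p" ] && { echo "$p"; return 0; }
    done
    return 1
}

# Offline demonstration with a constructed stand-in for the host binary:
# record a baseline, then simulate the overwrite the exploit performs.
demo() {
    tmp=$(mktemp -d)
    fake_runc="$tmp/runc"
    printf 'ELF placeholder standing in for the runc binary\n' > "$fake_runc"
    baseline=$(sha256_of "$fake_runc")

    check_runc_integrity "$fake_runc" "$baseline" && echo "clean: $fake_runc"

    # What a successful attack leaves behind: the file at the runc path no
    # longer has the packaged contents (here an attacker-chosen script).
    printf '#!/bin/sh\nattacker payload\n' > "$fake_runc"
    if ! check_runc_integrity "$fake_runc" "$baseline"; then
        echo "TAMPERED: $fake_runc differs from baseline"
    fi
    rm -rf "$tmp"
}

# On a real host, pair this with the package manager's own verification,
# which compares the file against the digest recorded at install time:
#   rpm -V runc           (RHEL/CentOS/Fedora)
#   dpkg --verify runc    (Debian/Ubuntu)
[ "${1:-}" = "--demo" ] && demo
```

Run it with `--demo` to see both outcomes. In production, record the baseline right after installing a patched package (or rely on the package manager's verification shown in the trailing comment), store it off-host, and rerun the check on a schedule: the check tells you the binary changed, which on a host that only updates runC through the package manager should never happen between patches.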
Affected Environments
All container engines using runC through version 1.0-rc6 can be exploited. This includes:
Red Hat Enterprise Linux 7 Extras
Kubernetes Engine 1.0 - 1.12.5
Docker 1.0.0 - 1.13.1
Red Hat OpenShift Container Platform 3.4 - 3.7
VMware PS 1.2 - 1.3.1
VMware vSphere Integrated Containers 1.0 - 1.3
VMware Integrated OpenStack with Kubernetes (VIO-K) 5.0 - 5.1
Amazon Web Services AWS Fargate Platform 1.0 - 1.7.1
Remediation
Patch systems with updated versions of the runC package. Safe versions for various engines and distributions include:
Docker - 18.09.2, 18.06.3, 18.03.1-ee-6, 17.06.2-ee-19
CoreOS - 2051.0.0
Amazon Linux - docker 18.06.1ce-7.25.amzn1.x86_64
Red Hat Enterprise Linux - docker 1.13.1-91.git07f3374.el7
Debian - runc 0.1.1+dfsg1-2
Ubuntu - runc 1.0.0~rc4+dfsg1-6ubuntu0.18.10.1
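The following POSIX sh script is an added example, not tooling from the advisory or from Docker, that turns the version list above into a check: it parses `runc --version` and `docker --version` output and decides whether the installed build predates the fixed release for its branch. The upstream runC rule (affected through 1.0-rc6) and the Docker branch table come from this page; treating Docker release lines newer than 18.09 as fixed is an assumption stated in the code, and distribution packages, which backport the fix under their own version strings, must be judged by package version instead, as the trailing comment shows.

```shell
#!/bin/sh
# Added example (not from the original advisory): version check for CVE-2019-5736.
# Functions take version strings as arguments so the logic runs offline; report()
# feeds them real `runc --version` / `docker --version` output when present.
set -u

# Compare two dotted numeric versions; prints -1, 0 or 1 for a<b, a=b, a>b.
# Non-numeric trailing characters in a component are ignored.
vercmp() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}
        [ "${ax:-0}" -lt "${bx:-0}" ] && { printf '%s\n' -1; return 0; }
        [ "${ax:-0}" -gt "${bx:-0}" ] && { printf '%s\n' 1; return 0; }
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# Upstream runC: every release up to and including 1.0-rc6 is affected; rc7 and
# later carry the fix. Only use this for versions reported by an upstream runc
# binary (distribution packages backport the fix, see the list above).
# Returns 0 = vulnerable, 1 = fixed, 2 = no version given.
runc_upstream_vulnerable() {
    v=${1#v}
    [ -n "$v" ] || return 2
    case $v in
        *-rc*)
            base=${v%%-rc*}; n=${v##*-rc}; n=${n%%[!0-9]*}
            [ "$(vercmp "$base" 1.0)" -le 0 ] && [ "${n:-0}" -le 6 ] && return 0
            return 1 ;;
        *)
            [ "$(vercmp "$v" 1.0)" -lt 0 ] && return 0
            return 1 ;;
    esac
}

# Docker: first fixed release per branch, from the Remediation list. Versions
# look like "18.09.2", "18.06.1-ce" or "17.06.2-ee-19" (Enterprise build N).
docker_fixed_for_branch() {
    case $1 in
        18.09) echo 18.09.2 ;;
        18.06) echo 18.06.3 ;;
        18.03) echo 18.03.1-ee-6 ;;
        17.06) echo 17.06.2-ee-19 ;;
        *) return 1 ;;
    esac
}

# Order Docker versions: numeric part first, then the -ee-N build (CE = 0).
docker_vercmp() {
    an=${1%%-ee-*}; bn=${2%%-ee-*}
    case $1 in *-ee-*) ae=${1##*-ee-} ;; *) ae=0 ;; esac
    case $2 in *-ee-*) be=${2##*-ee-} ;; *) be=0 ;; esac
    r=$(vercmp "$an" "$bn")
    if [ "$r" -ne 0 ]; then printf '%s\n' "$r"; else vercmp "$ae" "$be"; fi
}

# docker_vulnerable VERSION: returns 0 = vulnerable, 1 = fixed,
# 2 = release line not in the table (consult the vendor advisory).
docker_vulnerable() {
    v=${1%-ce}
    branch=$(echo "$v" | cut -d. -f1,2)
    if fixed=$(docker_fixed_for_branch "$branch"); then
        [ "$(docker_vercmp "$v" "$fixed")" -lt 0 ]
    elif [ "$(vercmp "$branch" 18.09)" -gt 0 ]; then
        return 1   # assumption: lines released after 18.09 ship the patched runC
    else
        return 2
    fi
}

# Report on the binaries installed on this host, if any.
report() {
    if command -v runc >/dev/null 2>&1; then
        rv=$(runc --version 2>/dev/null | sed -n 's/^runc version //p')
        st=0; runc_upstream_vulnerable "$rv" || st=$?
        case $st in 0) echo "runc $rv: VULNERABLE" ;; 1) echo "runc $rv: fixed" ;;
                    *) echo "runc: version not detected" ;; esac
    fi
    if command -v docker >/dev/null 2>&1; then
        dv=$(docker --version 2>/dev/null | sed -n 's/^Docker version \([^,]*\),.*/\1/p')
        st=0; docker_vulnerable "$dv" || st=$?
        case $st in 0) echo "docker $dv: VULNERABLE" ;; 1) echo "docker $dv: fixed" ;;
                    *) echo "docker $dv: not in table, check vendor advisory" ;; esac
    fi
}

# Distribution packages: compare the package version with the fixed one listed
# above instead of the upstream number, e.g. on Ubuntu 18.10:
#   dpkg --compare-versions "$(dpkg-query -W -f='${Version}' runc)" \
#       ge 1.0.0~rc4+dfsg1-6ubuntu0.18.10.1 && echo fixed
[ "${1:-}" = "--report" ] && report
```

Run it with `--report` on a host to classify the locally installed runC and Docker. The Enterprise Edition suffix matters: 18.03.1 without `-ee-6` is ordered before the fixed build and reported vulnerable, which is the correct answer for a Community Edition 18.03 install.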
Prevention
Use role-based access control (RBAC) so that only trusted users can start containers or exec into them, since both exploitation paths require running a command as root inside a container.
Regularly update all machines to minimize the chance of exploitation.
Avoid running containers as root, particularly those with default configurations; where the platform supports it, enable user namespaces so that root inside the container is not mapped to root on the host, which blocks this attack.
Properly configure containers, with the minimum privileges and capabilities each workload needs, to ensure maximum security.