Container Bug Allows Attackers to Gain Root Access on Host Machine

The container bug, difficult to exploit because it requires a malicious container to be installed on the system, affects nearly everyone using containers.

Christine Hall

February 12, 2019

2 Min Read
container bug

A security vulnerability affecting a key component of the container ecosystem has been discovered that can be exploited to give an attacker root access to the host operating system. The good news is that a specially crafted container needs to be operating on the system in order for the exploitation to take place, meaning physical access to the system is required.

The container bug, CVE-2019-5736, affects runc, the underlying container runtime for Docker, containerd, Kubernetes, cri-o and other container software, which means that nearly everyone running containers is affected. The vulnerability was discovered by researchers Adam Iwaniuk and Borys Popławski.

"This flaw allows an attacker who has a container to escape the container and then take control of the host and look around on the local storage," Chris Robinson, the program manager for Red Hat's Product Security Assurance, told ITPro Today. "Basically, jump out of a container and escalate its privileges to do more than it should."

That escalation of privileges includes root access, which is more than enough to ruin any sysadmin's day or week.

A patch for the vulnerability has already been released by upstream developers and is already available from most vendors. Red Hat, which initially broke the news Monday morning, told its users they were already partially protected from the bug because of the company's default use of security hardened SELinux, but are cautioning them to apply the patch as quickly as possible.

"I've been calling SELinux the spare tire," Robinson explained. "I would drive around on a spare tire for three days, or a week, or a month maybe, but I wouldn't drive around on a spare tire for a year. The good part about SELinux's secondary control is that it buys you time to patch before you get exploited."

Red Hat gives the vulnerability a security impact of "important" which is its default for otherwise low level vulnerabilities that can lead to privilege escalation. Otherwise, Robinson said, the vulnerability would probably receive a "low" or "medium" rating because of the difficulty required to take advantage of the exploit.

Container users shouldn't put-off applying the patch until their next scheduled maintenance update, however, as an in-the-wild exploit will probably come sooner rather than later. Aleksa Sarai, a runc maintainer who did work to verify the vulnerability and develop a patch, has released the exploit code to vendors to use for assurance that the patches work as advertised. The exploit code will be made publicly available on Feb. 18.

"It is quite likely that most container runtimes are vulnerable to this flaw," Sarai said in a post to an email list, "unless they took very strange mitigations before-hand."

About the Author(s)

Christine Hall

Freelance author

Christine Hall has been a journalist since 1971. In 2001 she began writing a weekly consumer computer column and began covering IT full time in 2002, focusing on Linux and open source software. Since 2010 she's published and edited the website FOSS Force. Follow her on Twitter: @BrideOfLinux.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like