A security vulnerability affecting a key component of the container ecosystem has been discovered that can be exploited to give an attacker root access to the host operating system. The good news is that a specially crafted container needs to be running on the system in order for the exploitation to take place, meaning physical access to the system is required.
The container bug, CVE-2019-5736, affects runc, the underlying container runtime for Docker, containerd, Kubernetes, cri-o and other container software, which means that nearly everyone running containers is affected. The vulnerability was discovered by researchers Adam Iwaniuk and Borys Popławski.
"This flaw allows an attacker who has a container to escape the container and then take control of the host and look around on the local storage," Chris Robinson, the program manager for Red Hat's Product Security Assurance, told ITPro Today. "Basically, jump out of a container and escalate its privileges to do more than it should."
That escalation of privileges includes root access, which is more than enough to ruin any sysadmin's day or week.
A patch for the vulnerability has already been released by upstream developers and is already available from most vendors. Red Hat, which initially broke the news Monday morning, told its users they were already partially protected from the bug because of the company's default use of security-hardened SELinux, but is cautioning them to apply the patch as quickly as possible.
"I've been calling SELinux the spare tire," Robinson explained. "I would drive around on a spare tire for three days, or a week, or a month maybe, but I wouldn't drive around on a spare tire for a year. The good part about SELinux's secondary control is that it buys you time to patch before you get exploited."
Red Hat gives the vulnerability a security impact of "important," which is its default for otherwise low-level vulnerabilities that can lead to privilege escalation. Otherwise, Robinson said, the vulnerability would probably receive a "low" or "medium" rating because of the difficulty of exploiting it.
Container users shouldn't put off applying the patch until their next scheduled maintenance update, however, as an in-the-wild exploit will probably come sooner rather than later. Aleksa Sarai, a runc maintainer who worked to verify the vulnerability and develop a patch, has released the exploit code to vendors so they can confirm that the patches work as advertised. The exploit code will be made publicly available on Feb. 18.
"It is quite likely that most container runtimes are vulnerable to this flaw," Sarai said in a post to an email list, "unless they took very strange mitigations beforehand."