CVE-2019-5736 Exploits the Common runc Container Binary to Escape to Host
CVE-2019-5736 allows for an escape to host attack in specific container configurations.
Hintergrund
A new vulnerability (CVE-2019-5736) was recently announced in runc, the runtime used by popular container platforms Docker and Kubernetes. The disclosure for this vulnerability details how a malicious container can escape its sandbox and execute arbitrary commands on the host. This attack does, however, come with some caveats, and isn’t exploitable in certain configurations that follow good security practices.
Analyse
In order to properly exploit this vulnerability, a malicious or compromised container would need to be deployed, and uid 0 would need to be mapped to that container. Docker has documentation for namespace configuration which, with proper application, prevents this attack from being exploitable on vulnerable hosts. The malicious container then either runs commands as root or piggybacks off an administrator running any other unrelated commands as root to exploit the host.
Many organizations use third-party prepackaged containers to solve business needs. An attacker could compromise one of these prepackaged containers with malicious code, or they could craft a malicious container that advertises itself as fulfilling some other needed enterprise function. This is the most likely way an external threat actor would be able to deploy a rogue container into an enterprise environment.
Lösung
Red Hat, Debian, Amazon Web Services (AWS), Google Cloud Platform (GCP), Docker, NVIDIA, and Kubernetes have published blogs or security advisories that include information about the vulnerability as well as the availability of security updates for this vulnerability. Building containers in a development environment, and scanning and securing them before production deployment will reduce the likelihood of inadvertently deploying malicious images. Also avoid using images running as root whenever possible to minimize risk.
The disclosure by the researchers includes the following mitigations:
- Setting SELinux to enforcing mode on containers prevents them from being able to overwrite the host runc binary (Note that researchers discovered that this does not work for Fedora based hosts.)
- If the host runc binary is set to read only, a malicious container wouldn’t be able to overwrite and exploit it.
- A low privileged user inside the container or a new user namespace with uid 0 mapped to that user removes write access to the runc binary on the host.
Identifizieren betroffener Systeme
A list of Nessus plugins to identify this vulnerability will appear here as they’re released.
Weitere Informationen
- CVE-2019-5736
- Dragon Sector Disclosure
- Docker Namespace Documentation
- Linux Namespace Explanation
- Red Hat Update Information
- Debian Update Information
- Amazon/AWS Update Information
- Google Update Information
- Docker Update Information
- Nvidia Update Information
- Kubernetes Update Information
Verfolgen Sie die Beiträge des Security Response Team von Tenable in der Tenable Community.
Erfahren Sie mehr über Tenable, die erste Cyber Exposure-Plattform für die ganzheitliche Verwaltung Ihrer modernen Angriffsoberfläche.
Get a free 60-day trial of Tenable.io Vulnerability Management.
Verwandte Artikel
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Strengthening the Nessus Software Supply Chain with SLSA
April 16, 2024You know Tenable as a cybersecurity industry leader whose world-class exposure management products are trusted by our approximately 43,000 customers, including about 60% of the Fortune 500. But sometimes we like to give you a peek behind the curtain to share how we protect our own house against cyberattacks – and that’s what this blog is about. Today we’re sharing our experience adopting the supply-chain security framework SLSA, with the hopes that the lessons we learned will be helpful to you.
Cybersecurity Snapshot: CISA Says Midnight Blizzard Swiped U.S. Gov’t Emails During Microsoft Hack, Tells Fed Agencies To Take Immediate Action
April 12, 2024Check out CISA’s urgent call for federal agencies to protect themselves from Midnight Blizzard’s breach of Microsoft corporate emails. Plus, a new survey shows cybersecurity pros are guardedly optimistic about AI. Meanwhile, SANS pinpoints the four trends CISOs absolutely must focus on this year. And the NSA is sharing best practices for data security. And much more!
Operational Technology in the DoD: Ensuring a Secure and Efficient Power Grid
April 19, 2024In an evolving threat landscape, the DoD must make sure that its mission-critical operations don’t experience power outages.
Cybersecurity Snapshot: Cyber Agencies Offer Secure AI Tips, while Stanford Issues In-Depth AI Trends Analysis, Including of AI Security
April 19, 2024Check out recommendations for securing AI systems from the Five Eyes cybersecurity agencies. Plus, Stanford University offers a comprehensive review of AI trends. Meanwhile, a new open-source tool aims to simplify SBOM usage. And don’t miss the latest CIS Benchmarks updates. And much more!
Tenable and Thales Collaborate to Provide Cyber Defense Simulations to Better Secure Operational Technology Environments
April 18, 2024The heart of the Welsh Valleys is home to the Thales Ebbw Vale campus, a world-class facility jointly funded by the Welsh government as part of its regeneration program for the region. At the core of the facility is the Cyber Range, a simulation and virtualization platform for training, testing, exercising and R&D. Tenable has joined the lineup of solutions used to run real world simulations in this controlled environment.
- Vulnerability Management