Earlier this week security researchers Adam Iwaniuk and Borys Poplawski published details on a vulnerability in runC, the underlying container runtime for Docker, Kubernetes, cri-o, containerd, and other container-dependent programs. The vulnerability, CVE-2019-5736, allows malicious containers to overwrite the host runC binary and gain root-level code execution on the host. This would give attackers the ability to run any command as a root-level user, including the ability to create new containers using an attacker-controlled image or to attach executables into an existing container that they have write access to.
A patch has been issued for CVE-2019-5736, and all users should update to the latest version of all their container management programs as soon as possible.
This vulnerability undercuts one of the biggest benefits of containers — isolation. By allowing attackers to break out of a container and gain access to the host, attackers can leverage root-level permissions and compromise every container under the same host. The danger of this vulnerability is that it was found in the backbone of the container ecosystem and had wide-reaching implications across many of the most popular container-dependent programs.
This type of vulnerability has always been a possibility, which is why Threat Stack has focused on behavior-based detection that doesn’t rely on signatures to identify attacks leveraging unknown vulnerabilities. This is also another example of the importance of proper cybersecurity hygiene to proactively defend against possible vulnerabilities. The CIS Docker Ruleset (pre-built into the Threat Stack Cloud Security Platform®) promotes good security practices that, if followed, would have prevented this exploit in the first place. In this case, it was the correct use of user namespaces that would have mitigated this vulnerability.
We have confirmed that our customers would have detected and been able to mitigate an attack using this vulnerability. Based on a publicly available proof-of-concept, customers using the Threat Stack Cloud Security Platform’s File Integrity Monitoring (FIM) and behavioral analysis would have identified the modification of both the container’s “/bin/sh” and the host’s “/usr/bin/docker-runc.” We also would have notified customers of the outbound network connection from the host for the reverse shell.
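The three behaviors named above (a shell rewritten inside the container, the host runtime binary rewritten, and an outbound connection from the host) can be expressed as simple rules over agent events. The following is an added example, not Threat Stack's code; the event field names and the sample records are constructed assumptions for illustration.

```python
import json
import ipaddress
from typing import Optional

# Host paths for the runtime binary: docker-runc is the one the post names, the rest are assumed alternatives.
RUNC_BINARIES = {"/usr/bin/docker-runc", "/usr/bin/runc", "/usr/sbin/runc"}
# Shells inside the container whose replacement precedes the write to the host binary.
CONTAINER_SHELLS = {"/bin/sh", "/bin/bash", "/bin/dash"}
# Egress to these ranges is treated as internal; any other destination from the host is flagged.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(event: dict) -> Optional[str]:
    """Return an alert name for one event, or None if it matches no rule."""
    kind = event.get("type")
    in_container = bool(event.get("in_container"))
    if kind == "file_modify":
        path = event["path"]
        if not in_container and path in RUNC_BINARIES:
            return "host-runc-binary-modified"
        if in_container and path in CONTAINER_SHELLS:
            return "container-shell-modified"
    elif kind == "net_connect" and not in_container and event.get("direction") == "outbound":
        dst = ipaddress.ip_address(event["dst_ip"])
        if not any(dst in net for net in INTERNAL_NETS):
            return "host-outbound-connection"
    return None


def run_rules(lines) -> list:
    """Parse newline-delimited JSON events and return (alert, event) pairs in order."""
    alerts = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            name = classify(event)
            if name:
                alerts.append((name, event))
    return alerts


# Constructed sample events (not real agent output), in the order the proof-of-concept produces them.
SAMPLE_EVENTS = """
{"type":"file_modify","path":"/bin/sh","in_container":true,"container":"abc123","pid":4242}
{"type":"file_modify","path":"/etc/hostname","in_container":true,"container":"abc123","pid":4243}
{"type":"file_modify","path":"/usr/bin/docker-runc","in_container":false,"pid":9901}
{"type":"net_connect","direction":"outbound","dst_ip":"203.0.113.10","dst_port":4444,"in_container":false,"pid":9902}
{"type":"net_connect","direction":"outbound","dst_ip":"10.0.0.5","dst_port":5432,"in_container":false,"pid":9903}
""".strip().splitlines()
```

Running `run_rules(SAMPLE_EVENTS)` yields the three alerts in sequence while the benign `/etc/hostname` write and the internal database connection pass through unflagged.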
CVE-2019-5736 is a serious container vulnerability, and all users should deploy the patch/updates as soon as possible. However, this also highlights the importance of proper security hygiene that is capable of detecting unknown attack vectors in cloud and container infrastructure. There will always be vulnerabilities in both specific container platforms and the underlying infrastructure. Organizations should focus on deploying solutions capable of detecting suspicious activity and not solely rely on attack signatures to protect themselves against similar vulnerabilities in the future.