A group of researchers yesterday announced CVE-2019-5736, a runc container breakout affecting container tools including Docker, Kubernetes, and containerd.
Why it matters: Because many people run containers as “root,” the exploitability here is pretty easy. However, it still requires some level of interaction:
- Starting from an attacker-controlled container
- “Exec” (in Docker) into a compromised container
LXC says, “As privileged containers are considered unsafe, we typically will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. We will however try to mitigate those issues so that accidental damage to the host is prevented.”
Here’s the thing: “Privileged container” can mean different things to different people, and the one meaning relevant to this bug isn’t the type that one might assume from LXC’s post. CVE-2019-5736 only requires root in the container, rather than the container having a –privileged flag or equivalent.
The bottom line: Don’t dismiss the required interaction by the attacker, because orchestration tools may automatically exec into containers. Make sure you know the source of your images and don’t run random containers off the internet (as much as the white van labeled “candy” is tempting!). As an extra step, try to watch for writes to protected files (like runc) or files outside of the container — as Jess Frazelle says, “Any file that is touched that is outside the scope of the given container should have the container killed and alerted on.”
The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.
Kelly Shortridge is currently VP of Product Strategy at Capsule8. In her spare time, she researches applications of behavioral economics to information security, on which she’s spoken at conferences internationally, including Black Hat, AusCERT, Hacktivity, Troopers, and ZeroNights.
Most recently, Kelly was the Product Manager for Analytics at SecurityScorecard. Previously, Kelly was the Product Manager for cross-platform detection capabilities at BAE Systems Applied Intelligence as well as co-founder and COO of IperLane, which was acquired. Prior to IperLane, Kelly was an investment banking analyst at Teneo Capital covering the data security and analytics sectors.