A Brief Review of CVE-2019-5736: runc Container Breakout

A group of researchers yesterday announced CVE-2019-5736, a runc container breakout affecting container tools including Docker, Kubernetes, and containerd.

Why it matters: Because many people run containers as “root,” the exploitability here is pretty easy. However, it still requires some level of interaction:

  • Starting from an attacker-controlled container
  • “Exec” (in Docker) into a compromised container

LXC says, “As privileged containers are considered unsafe, we typically will not consider new container escape exploits to be security issues worthy of a CVE and quick fix. We will however try to mitigate those issues so that accidental damage to the host is prevented.”

Here’s the thing: “Privileged container” can mean different things to different people, and the one meaning relevant to this bug isn’t the type that one might assume from LXC’s post. CVE-2019-5736 only requires root in the container, rather than the container having a –privileged flag or equivalent.

The bottom line: Don’t dismiss the required interaction by the attacker, because orchestration tools may automatically exec into containers. Make sure you know the source of your images and don’t run random containers off the internet (as much as the white van labeled “candy” is tempting!). As an extra step, try to watch for writes to protected files (like runc) or files outside of the container — as Jess Frazelle says, “Any file that is touched that is outside the scope of the given container should have the container killed and alerted on.”

The Capsule8 Labs team conducts offensive and defensive research to understand the threat landscape for modern infrastructure and to continuously improve Capsule8’s attack coverage.