CVE-2019-5736 利用常見的 runc 容器二進位碼檔案逸出主機

CVE-2019-5736 allows for an escape to host attack in specific container configurations.

背景說明

A new vulnerability (CVE-2019-5736) was recently announced in runc, the runtime used by popular container platforms Docker and Kubernetes. The disclosure for this vulnerability details how a malicious container can escape its sandbox and execute arbitrary commands on the host. This attack does, however, come with some caveats, and isn’t exploitable in certain configurations that follow good security practices.

分析

In order to properly exploit this vulnerability, a malicious or compromised container would need to be deployed, and uid 0 would need to be mapped to that container. Docker has documentation for namespace configuration which, with proper application, prevents this attack from being exploitable on vulnerable hosts. The malicious container then either runs commands as root or piggybacks off an administrator running any other unrelated commands as root to exploit the host.

Many organizations use third-party prepackaged containers to solve business needs. An attacker could compromise one of these prepackaged containers with malicious code, or they could craft a malicious container that advertises itself as fulfilling some other needed enterprise function. This is the most likely way an external threat actor would be able to deploy a rogue container into an enterprise environment.

解決方法

Red Hat, Debian, Amazon Web Services (AWS), Google Cloud Platform (GCP), Docker, NVIDIA, and Kubernetes have published blogs or security advisories that include information about the vulnerability as well as the availability of security updates for this vulnerability. Building containers in a development environment, and scanning and securing them before production deployment will reduce the likelihood of inadvertently deploying malicious images. Also avoid using images running as root whenever possible to minimize risk.

The disclosure by the researchers includes the following mitigations:

• Setting SELinux to enforcing mode on containers prevents them from being able to overwrite the host runc binary (Note that researchers discovered that this does not work for Fedora based hosts.)
• If the host runc binary is set to read only, a malicious container wouldn’t be able to overwrite and exploit it.
• A low privileged user inside the container or a new user namespace with uid 0 mapped to that user removes write access to the runc binary on the host.

找出受影響的系統

A list of Nessus plugins to identify this vulnerability will appear here as they’re released.

取得更多資訊

• CVE-2019-5736
• Dragon Sector Disclosure
• Docker Namespace Documentation
• Linux Namespace Explanation
• Red Hat Update Information
• Debian Update Information
• Amazon/AWS Update Information
• Google Update Information
• Docker Update Information
• Nvidia Update Information
• Kubernetes Update Information

加入 Tenable Community 的 Tenable 安全回應團隊。

深入瞭解 Tenable，這是用於全面管理新型攻擊破綻的首創 Cyber Exposure 平台。

Get a free 60-day trial of Tenable.io Vulnerability Management.