Exploit Code Published for Recent Container Escape Vulnerability
SecurityWeek | February 18, 2019
Proof-of-concept (PoC) code is now publicly available for a recently disclosed container escape vulnerability impacting popular cloud platforms, including AWS, Google Cloud, and numerous Linux distributions. The flaw was discovered last month in runc, a lightweight, portable container runtime used in most containers out there, including cri-o, containerd, Kubernetes, Podman, and others. Tracked as CVE-2019-5736, the vulnerability could be exploited with minimal user interaction to execute code on the host. One week after the security flaw was publicly disclosed, a Go implementation of the container escape was published on GitHub. The exploit requires root (uid 0) inside the container to work. “An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,” the code’s authors explain. The implementation basically overwrites runc on the host and ensures the system will no longer be able to run Docker containers. Those willing to give it a try should first backup either /usr/bin/docker-runc or /usr/bin/runc and also check /usr/sbin. This, however, is only one of the exploitation scenarios the vulnerability makes possible. A second scenario involves the use of a malicious Docker image that triggers the exploit, without requiring to exec into the container. Last week, Amazon and Google confirmed their products were impacted, as did Red Hat, Debian and Ubuntu. LXC was also found affected. Since then, VMware also confirmed that its products are impacted, and released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC).