Exploit Code Published for Recent Container Escape Vulnerability

SecurityWeek | February 18, 2019

Proof-of-concept (PoC) code is now publicly available for a recently disclosed container escape vulnerability impacting popular cloud platforms, including AWS and Google Cloud, as well as numerous Linux distributions.

The flaw was discovered last month in runc, a lightweight, portable container runtime used by most container platforms, including cri-o, containerd, Kubernetes, Podman, and others. Tracked as CVE-2019-5736, the vulnerability could be exploited with minimal user interaction to execute code on the host.

One week after the security flaw was publicly disclosed, a Go implementation of the container escape was published on GitHub. The exploit requires root (uid 0) inside the container to work.

“An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,” the code’s authors explain.

The implementation overwrites runc on the host, after which the system is no longer able to run Docker containers. Those willing to give it a try should first back up either /usr/bin/docker-runc or /usr/bin/runc and also check /usr/sbin.

This, however, is only one of the exploitation scenarios the vulnerability makes possible. A second scenario involves a malicious Docker image that triggers the exploit without requiring anyone to exec into the container.

Last week, Amazon and Google confirmed their products were impacted, as did Red Hat, Debian and Ubuntu. LXC was also found to be affected. Since then, VMware has also confirmed that its products are impacted and has released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC).
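Because the published exploit works by overwriting the runc binary on the host, a baseline of that binary gives defenders both a restore copy and a tamper check. The script below is an added example, not code from the article or from the exploit's authors; the function names and the /usr/sbin file names are assumptions derived from the article's advice to "also check /usr/sbin".

```shell
#!/bin/sh
# Added example: back up and hash the host's runc binaries, then verify later.
# Candidate paths (relative to the host root): the two named in the article,
# plus the same file names under /usr/sbin (assumption, see lead-in).
RUNC_CANDIDATES="usr/bin/runc usr/bin/docker-runc usr/sbin/runc usr/sbin/docker-runc"

# runc_baseline ROOT BACKUP_DIR
# Copies each runc binary found under ROOT into BACKUP_DIR and records
# "<sha256>  <relative path>" lines in BACKUP_DIR/baseline.sha256.
# Returns 3 when no candidate exists, so an empty baseline is never trusted.
runc_baseline() {
    root=$1; backup=$2
    mkdir -p "$backup" || return 2
    : > "$backup/baseline.sha256"
    for rel in $RUNC_CANDIDATES; do
        [ -f "$root/$rel" ] || continue
        mkdir -p "$backup/$(dirname "$rel")" || return 2
        cp -p "$root/$rel" "$backup/$rel" || return 2
        (cd "$root" && sha256sum "$rel") >> "$backup/baseline.sha256" || return 2
    done
    [ -s "$backup/baseline.sha256" ] || return 3
}

# runc_verify ROOT BACKUP_DIR
# Returns 0 when every baselined binary still matches its recorded hash,
# 1 when any binary was modified or removed, 2 when there is no baseline.
runc_verify() {
    root=$1; backup=$2
    [ -s "$backup/baseline.sha256" ] || return 2
    # The baseline is opened before the cd, so relative BACKUP_DIR paths work.
    (cd "$root" && sha256sum -c >/dev/null 2>&1) < "$backup/baseline.sha256" \
        || return 1
}

# Typical use on a host (run as root, keep BACKUP_DIR on read-only media):
#   runc_baseline / /root/runc-baseline
#   runc_verify   / /root/runc-baseline || echo "runc changed: investigate"
```

A failed verification after a package update is expected; re-run the baseline once the patched runc has been installed from a trusted source.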
