Often claimed as a worst-case scenario, a container breakout vulnerability has been discovered in RunC, the universal container runtime used by Docker, Kubernetes and other containerization systems. Further research has discovered that a similar version of the same vulnerability affects the LXC and Apache Mesos packages. Identified as CVE-2019-5736, this vulnerability grants root access to host systems running all of the most popular containerization technologies. A container breakout occurs when a malicious Docker image or container exploits a vulnerability in order to achieve a level of access on the host system. While extremely rare, it has been years since a container breakout vulnerability has been disclosed in a core component of Docker – that streak has now ended. This vulnerability allows a container to overwrite the RunC binary and gain root level code execution access with minimal user interaction. This vulnerability can be exploited in the following ways:
- Creating a new container based on a malicious attacker controlled image
- Attaching to an existing container which an attacker had previous write access to
Since a large portion of containers are based on images created by third-parties, it is vital to patch systems immediately as most users will have exposure to images and containers created by unknown parties. Patches are already available in the upstream RunC project, and are being distributed by all major operating system vendors All major cloud providers have some vulnerability to this attack, with varying degrees of exposure depending on the use of hosted services and cloud native operating systems. For instance, AWS advises users to launch new Elastic Container Service instances from the latest AMI and upgrade Fargate services. Google notes that Ubuntu-based Kubernetes nodes are affected while nodes running COS are not. As many different products are affected, check with your operating system vendors and cloud providers to ensure you are up-to-date with all security patches. Along with patching, this vulnerability can be mitigated by correct use of user namespaces, where the root user within the container is not mapped to the root user on the host system. This mitigation along with additional container-based security practices should be used to protect against not container breakouts such as CVE-2019-5736, but also other container based attacks.
