SUSE Linux senior software engineer Aleksa Sarai has disclosed a security vulnerability affecting runc, the default container runtime for Docker and Kubernetes.
The vulnerability, designated CVE-2019-5736, can be used to attack any host system running containers.
The flaw allows a malicious container to overwrite the host runc binary and thus gain root-level code execution on the host.
“The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image and attaching (docker exec) into an existing container which the attacker had previous write access to,” Sarai explained in a post to the Openwall mailing list.
“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents,” said Scott McCarty, principal product manager for containers at Red Hat, in a blog post.
The issue affects a number of open-source container management systems, Amazon Web Services among them.
Sarai has published a patch to fix the issue.