
Security: Apple, 'Cloud', Containers and More FUD

Container flaw: original message about the security patch

  • CVE-2019-5736: runc container breakout


    I am one of the maintainers of runc (the underlying container runtime
    underneath Docker, cri-o, containerd, Kubernetes, and so on). We
    recently had a vulnerability reported which we have verified and have a
    patch for.

    The researchers who found this vulnerability are:
    * Adam Iwaniuk
    * Borys Popławski

    In addition, Aleksa Sarai (me) discovered that LXC was also vulnerable
    to a more convoluted version of this flaw.

    == OVERVIEW ==

    The vulnerability allows a malicious container to (with minimal user
    interaction) overwrite the host runc binary and thus gain root-level
    code execution on the host. The level of user interaction is being able
    to run any command (it doesn't matter if the command is not
    attacker-controlled) as root within a container in either of these

    * Creating a new container using an attacker-controlled image.
    * Attaching (docker exec) into an existing container which the
    attacker had previous write access to.

    This vulnerability is *not* blocked by the default AppArmor policy, nor
    by the default SELinux policy on Fedora[++] (because container processes
    appear to be running as container_runtime_t). However, it *is* blocked
    through correct use of user namespaces (where the host root is not
    mapped into the container's user namespace).

    Our CVSSv3 vector is (with a score of 7.2):


    The assigned CVE for this issue is CVE-2019-5736.

    [++]: This is only the case for the "moby-engine" package on Fedora. The
    "docker" package as well as podman are protected against this
    exploit because they run container processes as container_t.

    == PATCHES ==

    I have attached the relevant patch which fixes this issue. This patch is
    based on HEAD, but the code in libcontainer/nsenter/ changes so
    infrequently that it should apply cleanly to any old version of the runc
    codebase you are dealing with.

    Please note that the patch I have pushed to runc master[1] is a modified
    version of this patch -- even though it is functionally identical
    (though we would recommend using the upstream one if you haven't patched
    using the attached one already).


    Several vendors have asked for exploit code to ensure that the patches
    actually solve the issue. Due to the severity of the issue (especially
    for public cloud vendors), we decided to provide the attached exploit
    code. This exploit code was written by me, and is more generic than the
    original exploit code provided by the researchers and works against LXC
    (it could likely be used on other vulnerable runtimes with no
    significant modification). Details on how to use the exploit code are
    provided in the README.

    As per OpenWall rules, this exploit code will be published *publicly* 7
    days after the CRD (which is 2019-02-18). *If you have a container
    runtime, please verify that you are not vulnerable to this issue


    It should be noted that upon further investigation I've discovered that
    LXC has a similar vulnerability, and they have also pushed a similar
    patch[2] which we co-developed. LXC is a bit harder to exploit, but the
    same fundamental flaw exists.

    After some discussion with the systemd-nspawn folks, it appears that
    they aren't vulnerable (because their method of attaching to a container
    is different from the one used by LXC and runc).

    I have been contacted by folks from Apache Mesos who said they were also
    vulnerable (I believe just using the exploit code that will be
    provided). It is quite likely that most container runtimes are
    vulnerable to this flaw, unless they took very strange mitigations

    == OTHER NEWS ==

    We have set up an announcement list for future security vulnerabilities,
    and you can see the process for joining here[3] (it's based on the
    Kubernetes security-announce mailing list). Please join if you
    distribute any container runtimes that depend on runc (or other OCI


    Aleksa Sarai
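The advisory names two conditions under which the breakout is blocked: a user namespace in which host root is not mapped, and container processes running in the SELinux domain container_t rather than container_runtime_t. Both are visible from /proc on the host. The following is an added example, not code from runc, from the advisory or from any distribution; it parses the kernel's /proc/<pid>/uid_map format ("inside outside count" per line) and an SELinux context string as read from /proc/<pid>/attr/current. The sample inputs and the function names are the example's own, and the uid_map lines are constructed rather than captured from a real host.

```python
"""Report whether the mitigations named in the runc advisory are in effect
for a container process: a user namespace that hides host root, and an
SELinux label of container_t.  Added example; the sample data is constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HOST_ROOT = 0


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse /proc/<pid>/uid_map into (inside_start, outside_start, count)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def container_uid_for_host_root(text: str) -> Optional[int]:
    """Return the in-container uid that corresponds to host uid 0, or None
    if host root is not mapped at all.  The identity map "0 0 4294967295"
    (no user namespace) trivially maps it; "0 100000 65536" does not."""
    for inside, outside, count in parse_uid_map(text):
        if outside <= HOST_ROOT < outside + count:
            return inside + (HOST_ROOT - outside)
    return None


def host_root_mapped(text: str) -> bool:
    return container_uid_for_host_root(text) is not None


def selinux_type(context: str) -> str:
    """Type field of a context like 'system_u:system_r:container_t:s0:c1,c2'.
    /proc/<pid>/attr/current may carry a trailing NUL, which is stripped."""
    parts = context.strip().rstrip("\0").split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed SELinux context: {context!r}")
    return parts[2]


@dataclass
class Assessment:
    userns_blocks: bool   # host root absent from the container's user namespace
    selinux_blocks: bool  # container process confined as container_t

    @property
    def mitigated(self) -> bool:
        return self.userns_blocks or self.selinux_blocks


def assess(uid_map_text: str, selinux_context: str = "") -> Assessment:
    """Combine both checks.  An empty context (SELinux disabled or label
    unavailable) is treated as not blocking."""
    userns_ok = not host_root_mapped(uid_map_text)
    selinux_ok = bool(selinux_context) and selinux_type(selinux_context) == "container_t"
    return Assessment(userns_blocks=userns_ok, selinux_blocks=selinux_ok)


# Constructed sample inputs (not captured from a real system).
NO_USERNS = "         0          0 4294967295\n"                   # identity map
REMAPPED = "         0     100000      65536\n"                   # typical remap
PARTIAL = "         0     100000      65536\n     65536          0          1\n"
CTX_RUNTIME = "system_u:system_r:container_runtime_t:s0"
CTX_CONTAINER = "system_u:system_r:container_t:s0:c12,c34"


def main() -> None:
    # For a live process, read open(f"/proc/{pid}/uid_map").read() and
    # open(f"/proc/{pid}/attr/current").read() instead of these constants.
    cases = [("no userns, container_runtime_t", NO_USERNS, CTX_RUNTIME),
             ("remapped userns", REMAPPED, CTX_RUNTIME),
             ("no userns, container_t", NO_USERNS, CTX_CONTAINER),
             ("userns that still maps host root", PARTIAL, "")]
    for name, umap, ctx in cases:
        a = assess(umap, ctx)
        print(f"{name:34} userns blocks: {a.userns_blocks!s:5} "
              f"selinux blocks: {a.selinux_blocks!s:5} mitigated: {a.mitigated}")


if __name__ == "__main__":
    main()
```

The third sample matters in practice: a user namespace is not a mitigation merely by existing, only if no range in the map covers host uid 0. The check therefore scans every line rather than looking at the first one.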


Version 2.6 of the GNU Scientific Library (GSL) is now available. GSL provides a large collection of routines for numerical computing in C. This release introduces major performance improvements to common linear algebra matrix factorizations, as well as numerous new features and bug fixes. The full NEWS file entry is appended below. The file details for this release are: The GSL project homepage is GSL is free software distributed under the GNU General Public License. Thanks to everyone who reported bugs and contributed improvements. Patrick Alken Read more