A dangerous vulnerability is lurking in the code that underpins Docker, Kubernetes, and many other container platforms, a bug that could allow an attacker to get root access to the host machine on which a container is running.
The vulnerability is in runC, the container runtime that Docker developed and spun out as an open-source tool several years ago as part of the foundation of the Open Container Initiative. The runC runtime is used not only by Docker, but by Kubernetes and other container engines. An attacker who is able to exploit the vulnerability would have unfettered access to a target host machine.
“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts: (1) creating a new container using an attacker-controlled image; (2) attaching (docker exec) into an existing container which the attacker had previous write access to,” the advisory from Aleksa Sarai, one of the maintainers of runC, says.
“This vulnerability is not blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora (because container processes appear to be running as container_runtime_t). However, it is blocked through correct use of user namespaces (where the host root is not mapped into the container's user namespace).”
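The mitigating condition named in the advisory, that the host's root uid is not mapped into the container's user namespace, can be verified directly from the kernel's `/proc/<pid>/uid_map` file (each line is `<uid inside the namespace> <uid in the parent namespace> <length>`). The following audit script is an added example for this article, not code from runC, Docker, or the advisory; it parses that documented format and reports whether host uid 0 falls inside any mapped range. The sample maps at the bottom are constructed, and the `audit_pid` helper assumes it is run on a Linux host with `/proc` available.

```python
"""Audit whether a process's user namespace maps the host's root uid.

Added defensive check (not from the article or the runC project). It reads the
kernel's uid_map format, where each line is
    <id inside the namespace> <id in the parent namespace> <length>
and answers the question the advisory's mitigation hinges on: is host uid 0
visible inside the container's user namespace?
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IdRange:
    inside_start: int   # first uid as seen inside the namespace
    outside_start: int  # first uid as seen from the parent (host) namespace
    length: int         # number of consecutive uids covered by this line


def parse_uid_map(text: str) -> List[IdRange]:
    """Parse the contents of a uid_map file. Blank lines are ignored."""
    ranges = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, length = (int(f) for f in fields)
        if length <= 0:
            raise ValueError(f"non-positive length in uid_map line: {line!r}")
        ranges.append(IdRange(inside, outside, length))
    return ranges


def container_uid_for_host_root(ranges: List[IdRange]) -> Optional[int]:
    """Return the in-namespace uid that host uid 0 appears as, or None when
    host root is not mapped into the namespace at all (the mitigated case)."""
    for r in ranges:
        if r.outside_start <= 0 < r.outside_start + r.length:
            return r.inside_start + (0 - r.outside_start)
    return None


def host_root_mapped(uid_map_text: str) -> bool:
    """True when the namespace described by uid_map_text exposes host root."""
    return container_uid_for_host_root(parse_uid_map(uid_map_text)) is not None


def audit_pid(pid: int) -> bool:
    """Read the live uid_map of a process (for example a container's init)
    and report whether host root is mapped into it. Linux /proc only."""
    with open(f"/proc/{pid}/uid_map", encoding="ascii") as f:
        return host_root_mapped(f.read())


# Constructed sample maps for illustration; not captured from a real host.
IDENTITY_MAP = "         0          0 4294967295\n"   # no user namespace remapping
REMAPPED = "         0     100000      65536\n"        # typical remapped range
SPLIT_REMAPPED = ("         0     100000      65536\n"
                  "     65536     200000       1000\n")
ODD_MAP = "      1000          0          1\n"         # host root visible as uid 1000
EMPTY_MAP = ""                                         # user namespace with no mapping yet


if __name__ == "__main__":
    samples = [("identity", IDENTITY_MAP), ("remapped", REMAPPED),
               ("split", SPLIT_REMAPPED), ("odd", ODD_MAP), ("empty", EMPTY_MAP)]
    for name, text in samples:
        if host_root_mapped(text):
            print(f"{name:9s}: host root IS mapped into the namespace")
        else:
            print(f"{name:9s}: host root not mapped (advisory's mitigated case)")
```

To audit a running Docker container, obtain its init pid with `docker inspect -f '{{.State.Pid}}' <container>` and pass it to `audit_pid`. An identity map (`0 0 4294967295`) is what the script reports as exposed: the container's root is the host's root, so the user-namespace mitigation the advisory describes is not in effect. The check is a configuration audit, not a substitute for applying the vendor patches.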
Enterprises use container platforms such as Docker or Kubernetes to help accelerate and automate application development and deployment. Many cloud providers offer hosted versions of container platforms, as well.
Sarai has pushed a patch for the vulnerability to the runC master repository, and the affected vendors are expected to release their own fixes soon. The advisory on the vulnerability was published today and proof-of-concept exploit code has been developed and will be published on Feb. 18. Sarai said he discovered a similar vulnerability in LXC, the Linux virtualization system, and the maintainers of LXC have pushed a fix for it, as well.
“Several vendors have asked for exploit code to ensure that the patches actually solve the issue. Due to the severity of the issue (especially for public cloud vendors), we decided to provide the attached exploit code. This exploit code was written by me, and is more generic than the original exploit code provided by the researchers and works against LXC (it could likely be used on other vulnerable runtimes with no significant modification),” Sarai said in the advisory.
A Docker security engineer, Justin Cormack, said on Twitter Monday morning that Docker is planning an update to fix this vulnerability “imminently.”