Posts

CVE-2019-5736 – runC container breakout

A major vulnerability related to containers was released on Feb 12th. The vulnerability allows a malicious container that is running as root to break out into the hosting OS and gain administrative privileges.

Adam Iwanuik, one of the researchers who took part in the discovery shares in detail the different paths taken to discover this vulnerability.

The mitigations suggested as part of the research for unpatched systems are:

  1. Use Docker containers with SELinux enabled (–selinux-enabled). This prevents processes inside the container from overwriting the host docker-runc binary.
  2. Use read-only file system on the host, at least for storing the docker-runc binary.
  3. Use a low privileged user inside the container or a new user namespace with uid 0 mapped to that user (then that user should not have write access to runC binary on the host).

The first two suggestions are pretty straightforward but I would like to elaborate on the third one. It’s important to understand that Docker containers run as root by default unless stated otherwise. This does not explicitly mean that the container also has root access to the host OS but it’s the main prerequisite for this vulnerability to work.

To run a quick check whether your host is running any containers as root:


#!/bin/bash

# get all running docker container names
containers=$(docker ps | awk '{if(NR>1) print $NF}')

echo "List of containers running as root"

# loop through all containers
for container in $containers
do
    uid=$(docker inspect --format='{{json .Config.User}}' $container)
    if [ $uid = '"0"' ] ; then
        echo "Container name: $container"
    fi
done

In any case, as a best practice you should prevent your users from running containers as root. This can be enforced by existing controls of the common orchestration\management system. For example, OpenShift prevents users from running containers as root out of the box so your job here is basically done. However, in Kubernetes your can run as root by default but you can easily configure PodSecurityPolicy to prevent this as described here.

In order to fix this issue, you should patch the version of your container runtime. Whether you are just using a container runtime (docker) or some flavor of a container orchestration system (Kubernetes, Mesos, etc…) you should look up the instructions for your specific software version and OS.

How can Guardicore help?

Guardicore provides a network security solution for hybrid cloud environments that spans across multiple compute architectures, containers being one of them. Guardicore Centra is a holistic micro-segmentation solution that provides process-level visibility and enforcement of the traffic flows both for containers and VMs. This is extremely important in the case of this CVE, as the attack would originate from the host VM or a different container and not the original container in case of a malicious actor breaking out.

Guardicore can mitigate this risk by controlling which processes can actually communicate between the containers or VMs covered by the system.

Learn more about containers and cloud security

GuardiCore Expands Support for Docker Open Platform

Process-Level Visibility Between Containers Delivers More Granular Application Security Monitoring and Troubleshooting for “Dockerized” Applications

DockerCon Europe 2015, Barcelona, Spain – GuardiCore, a leader in internal data center security, today announced that it has expanded support for the Docker open platform for building, shipping and running distributed applications. In addition to providing advanced breach detection and response for “Dockerized” applications, GuardiCore has extended its support for Docker environments to deliver process-level visibility between any two containers, allowing security and devops teams to effectively secure, monitor, maintain and troubleshoot applications in a very granular manner. GuardiCore will be demonstrating its Docker support at Dockercon in the New Innovators Showcase. Read more

5 Key Takeaways from VMworld Barcelona

So, VMworld Europe just concluded last week and certainly there was a lot to talk about, from hybrid clouds, VMware’s acquisition of Boxer, Dell’s acquisition of EMC and how this affects VMware (it doesn’t according to Dell CEO Michael Dell), VMware CEO Pat Gelsinger’s keynote where he highlighted the five imperatives of the digital business and also called out of some enterprises for lack of agility (“Elephants must learn to dance”) and of course, security, which seemed to be integrated into almost every topic at the event.

Read more