Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

PoC Exploit Code for recent container escape flaw in runc published online

The Proof-of-concept (PoC) exploit code for a recently discovered vulnerability in runc tracked as CVE-2019-5736 is now publicly available. Last week, Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, disclosed a serious vulnerability tracked CVE-2019-5736 affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O. The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys […]

runc PoC code

The Proof-of-concept (PoC) exploit code for a recently discovered vulnerability in runc tracked as CVE-2019-5736 is now publicly available.

Last week, Aleksa Sarai, a senior software engineer at SUSE Linux GmbH, disclosed a serious vulnerability tracked CVE-2019-5736 affecting runc, the default container runtime for Docker, containerd, Podman, and CRI-O.

The vulnerability was discovered by the security researchers Adam Iwaniuk and Borys Popławski.

Such kind of vulnerabilities could have a significant impact on an IT environment, its exploitation could potentially escape containment, impacting the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it

The flaw could affect popular cloud platforms, including AWS, Google Cloud, and several Linux distros.

The PoC exploit code for the container escape was published on GitHub, its execution requires root (uid 0) inside the container. 

“This is a Go implementation of CVE-2019-5736, a container escape for Docker. The exploit works by overwriting and executing the host systems runc binary from within the container. ” states the author of the code on Github.

“An attacker would need to get command execution inside a container and start a malicious binary which would listen. When someone (attacker or victim) uses docker exec to get into the container, this will trigger the exploit which will allow code execution as root,”

runc PoC code

The PoC code allows a malicious container to (with minimal user interaction) to overwrite the host runc binary and gain root-level code execution on the host.

The implementation ensures the system will no longer be able to run Docker containers.

you will overwrite your implementation of runc which will ensure your system will no longer be able to run Docker containers. Please backup either /usr/bin/docker-runc or /usr/bin/runc (depending on which you have; also check /usr/sbin).” contin

The expert pointed out that there is a second scenario for the exploitation of the flaw, it involves the use of a malicious Docker image that triggers the exploit, without requiring to exec into the container. 

Docker released the v18.09.2 version to address the issue, but according to the experts, thousands of Docker daemons exposed online are still vulnerable, most of them in the US and China.

Default configurations of Red Hat Enterprise Linux and Red Hat OpenShift are protected, Linux distros Debian and Ubuntu are working to address the issue. Both Google Cloud and AWS published security advisories to recommend customers to update containers on affected services.

VMware also confirmed that its products are impacted, and released patches to address the vulnerability in VMware Integrated OpenStack with Kubernetes (VIO-K), VMware PKS (PKS), VMware vCloud Director Container Service Extension (CSE), and vSphere Integrated Containers (VIC). 

“VMware product updates resolve mishandled file descriptor vulnerability in runc container runtime. Successful exploitation of this issue may allow a malicious container to overwrite the contents of a host’s runc binary and execute arbitrary code,” reads the advisory published by VMware.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – runc, hacking)

[adrotate banner="5"]

[adrotate banner=”13″]