Bug 1664908 (CVE-2019-5736) - CVE-2019-5736 runc: Execution of malicious containers allows for container escape and access to host filesystem
Status: NEW
Alias: CVE-2019-5736
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=important,public=20190211:1322...
Keywords: Reopened, Security
Depends On: 1674489 1674492 1674493 1676714 1676734 1664954 1664955 1664956 1665326 1665327 1667290 1674488 1674490 1674491 1676798 1677075 1677076 1677077 1677078 1701273
Blocks: 1664909 1673431 1673432 1673433 1673434 1673435
Reported: 2019-01-10 02:11 UTC by Sam Fowler
Modified: 2019-05-17 09:46 UTC (History)

A flaw was found in the way runc handled system file descriptors when running containers. A malicious container could use this flaw to overwrite contents of the runc binary and consequently run arbitrary commands on the container host system.
Last Closed: 2019-03-05 04:44:35 UTC


Attachments
updates the vendored library needed for runc to access memfd_create (4.39 MB, patch), 2019-01-11 13:56 UTC, Vincent Batts
runc to use memfd_create (3.44 KB, patch), 2019-01-11 13:57 UTC, Vincent Batts


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0303 None None None 2019-02-11 14:39 UTC
Red Hat Product Errata RHSA-2019:0304 None None None 2019-02-11 14:44 UTC
Red Hat Product Errata RHSA-2019:0401 None None None 2019-02-25 22:46 UTC
Red Hat Product Errata RHSA-2019:0408 None None None 2019-02-26 09:42 UTC
Red Hat Product Errata RHSA-2019:0975 None None None 2019-05-07 04:19 UTC

Description Sam Fowler 2019-01-10 02:11:10 UTC
runc has a vulnerability in the usage of system file descriptors that allows for container escape and access to the host filesystem. An attacker can exploit this by convincing users to run malicious or modified containers on their systems.

Comment 4 Daniel Walsh 2019-01-10 13:15:06 UTC
Will write a nice blog on this when it goes public.

Comment 13 Vincent Batts 2019-01-11 13:56 UTC
Created attachment 1520029 [details]
updates the vendored library needed for runc to access memfd_create

Comment 14 Vincent Batts 2019-01-11 13:57 UTC
Created attachment 1520030 [details]
runc to use memfd_create
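
The memfd_create approach named in the two attachments above, shown here as an added illustration that is not the runc patch or Red Hat's code: the executable is copied into an anonymous memory file that is then sealed, so the copy a process later re-executes from (via fexecve) is immutable and distinct from the host binary on disk. The scratch file and its contents in the self-check are constructed for the demonstration; no real runc binary is touched.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the file at `path` into an anonymous memfd and seal it so that no later
 * write, shrink or grow can alter the bytes. Returns the memfd, or -1 with errno set. */
int sealed_memfd_copy(const char *path) {
    int src = open(path, O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    int mfd = memfd_create("sealed-copy", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (mfd < 0) { close(src); return -1; }
    char buf[65536]; ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(mfd, buf + off, (size_t)(n - off));
            if (w < 0) { close(src); close(mfd); return -1; }
            off += w;
        }
    }
    close(src);
    /* F_SEAL_SEAL additionally prevents anyone from removing the seals later. */
    int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
    if (n < 0 || fcntl(mfd, F_ADD_SEALS, seals) < 0) { close(mfd); return -1; }
    return mfd; /* a hardened binary would now fexecve(mfd, argv, envp) */
}
/* 1 if the kernel rejects a write to fd with EPERM (the seal holds), else 0. */
int memfd_is_sealed(int fd) {
    if (write(fd, "x", 1) == 1) return 0;
    return errno == EPERM;
}
/* Self-check on a constructed scratch file (not a real runc binary): the sealed
 * copy must be byte-identical to the source and immutable. Returns 1 on success. */
int sealed_copy_selftest(void) {
    const char payload[] = "#!/bin/sh\necho constructed sample\n";
    char tmpl[] = "/tmp/memfd-demo-XXXXXX";
    int tf = mkstemp(tmpl);
    if (tf < 0 || write(tf, payload, sizeof payload - 1) != (ssize_t)(sizeof payload - 1)) return 0;
    close(tf);
    int mfd = sealed_memfd_copy(tmpl);
    unlink(tmpl);
    if (mfd < 0) return 0;
    char back[64] = {0};
    ssize_t got = pread(mfd, back, sizeof back - 1, 0);
    int ok = got == (ssize_t)(sizeof payload - 1) && memcmp(back, payload, (size_t)got) == 0 && memfd_is_sealed(mfd);
    close(mfd);
    return ok;
}
```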

Comment 27 Jason Shepherd 2019-01-15 23:02:44 UTC
Acknowledgments:

Name: the Open Containers Security Team
Upstream: Adam Iwaniuk, Borys Popławski

Comment 57 Sam Fowler 2019-02-11 13:22:47 UTC
Created container-tools:2017.0/runc tracking bugs for this issue:

Affects: fedora-all [bug 1674489]


Created container-tools:2018.0/runc tracking bugs for this issue:

Affects: fedora-29 [bug 1674490]


Created docker tracking bugs for this issue:

Affects: fedora-all [bug 1674491]


Created lxc tracking bugs for this issue:

Affects: epel-all [bug 1674493]
Affects: fedora-all [bug 1674492]


Created runc tracking bugs for this issue:

Affects: fedora-all [bug 1674488]

Comment 61 errata-xmlrpc 2019-02-11 14:39:24 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0303 https://access.redhat.com/errata/RHSA-2019:0303

Comment 62 errata-xmlrpc 2019-02-11 14:44:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extras

Via RHSA-2019:0304 https://access.redhat.com/errata/RHSA-2019:0304

Comment 65 Sam Fowler 2019-02-12 01:40:58 UTC
Mitigation:

This vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. SELinux in enforcing mode is a prerequisite for OpenShift Container Platform 3.x.

Comment 70 Sam Fowler 2019-02-13 09:33:17 UTC
Created docker-latest tracking bugs for this issue:

Affects: fedora-all [bug 1676798]

Comment 75 Fedora Update System 2019-02-19 05:53:46 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 76 Fedora Update System 2019-02-19 14:02:28 UTC
moby-engine-18.06.0-2.ce.git0ffa825.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.

Comment 77 errata-xmlrpc 2019-02-25 22:46:18 UTC
This issue has been addressed in the following products:

  Container Development Kit 3.7

Via RHSA-2019:0401 https://access.redhat.com/errata/RHSA-2019:0401

Comment 78 errata-xmlrpc 2019-02-26 09:42:52 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 3.4
  Red Hat OpenShift Container Platform 3.5
  Red Hat OpenShift Container Platform 3.6
  Red Hat OpenShift Container Platform 3.7

Via RHSA-2019:0408 https://access.redhat.com/errata/RHSA-2019:0408

Comment 79 Sam Fowler 2019-02-27 03:04:02 UTC
Statement:

The 'docker' package shipped in Red Hat Enterprise Linux 7 Extras bundles 'runc' starting from 'docker' version 1.12. Both the 'docker' and 'runc' packages are affected by this issue.

The 'docker-latest' package is deprecated as of Red Hat Enterprise Linux 7.5. Customers using this package should update to the latest 'docker' package shipped in Red Hat Enterprise Linux 7 Extras.

OpenShift Container Platform (OCP) versions 3.9 and later use 'docker' version 1.13 in the default configuration but can be configured to use CRI-O as an alternative, which depends on the 'runc' package. OCP versions 3.9 and later should use the updated 'docker' and 'runc' packages shipped in Red Hat Enterprise Linux 7 Extras.

OCP versions 3.4 through 3.7 originally used 'docker' version 1.12 from the Red Hat Enterprise Linux 7 Extras channel. An updated version of 'docker' 1.12 has been delivered to the RPM channels for OCP versions 3.4 through 3.7.

OCP version 3.9 previously shipped a version of 'runc' in its RPM repository. OCP 3.9 clusters using CRI-O should update 'runc' from the Red Hat Enterprise Linux 7 Extras channel.

Red Hat Enterprise Linux Atomic Host 7 is not affected by this vulnerability as the target runc binaries are stored on a read-only filesystem and cannot be overwritten.

Comment 80 errata-xmlrpc 2019-05-07 04:19:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:0975 https://access.redhat.com/errata/RHSA-2019:0975
