New RunC Container Runtime Security Flaw Targets Kubernetes, Docker

A security vulnerability in Docker and Kubernetes containers disclosed Monday can be used to go after any host system running containers.

The vulnerability allows malicious containers to overwrite the host and gain root-level code execution on the host machine. The flaw affects runC, an open-source tool for spawning and running containers used by programs such as Docker, Kubernetes, containerd, Podman, and CRI-O.

The issue was disclosed to Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer, and discovered by security researchers Adam Iwaniuk and Borys Poplawski.

[Related: The 10 Hottest Container Startups Of 2018]

"The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container," Sarai wrote.

In order to be executed, a threat actor has to place a malicious container within the user's system. System administrators sometimes use a container without verifying that the software within the container is actually what it claims to be.

This vulnerability could be a "doomsday scenario" due to the potential for a cascading set of exploits affected a wide range of interconnected production systems, according to a blog post by Scott McCarty, Red Hat's principal product manager for containers.

"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," McCarty wrote.

Sarai published a patch designed to fix the issue which triggers a container escape and allows attackers to access the host filesystem upon execution of a malicious container. In accordance with policy, Sarai said the exploit code she wrote will be published publicly next Monday (Feb. 18).

The issue affects several open-source container management system including Amazon Web Services. AWS said that, by the end of Monday, patches would be rolled out for all of its services except for older versions of AWS Fargate compute engine. Patched versions of Fargate Platform Versions 1.0, 1.1 and 1.2 will be made available by March 15, according to the company.

As far as Red Hat is concerned, the vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. Some system administrators, though, don't run SELinux since it can be challenging to maintain. Google and Docker have also updated their software, according to media reports.

The problem could additionally affect container systems using LXC and Apache Mesos container code, according to Sarai.