
A security vulnerability in Docker and Kubernetes containers disclosed Monday can be used to go after any host system running containers.
The vulnerability allows malicious containers to overwrite the host and gain root-level code execution on the host machine. The flaw affects runC, an open-source tool for spawning and running containers used by programs such as Docker, Kubernetes, containerd, Podman, and CRI-O.
The issue was disclosed to Aleksa Sarai, a SUSE container senior software engineer and a runC maintainer, and discovered by security researchers Adam Iwaniuk and Borys Poplawski.
"The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container," Sarai wrote.
In order to be executed, a threat actor has to place a malicious container within the user's system. System administrators sometimes use a container without verifying that the software within the container is actually what it claims to be.
This vulnerability could be a "doomsday scenario" because of the potential for a cascading set of exploits affecting a wide range of interconnected production systems, according to a blog post by Scott McCarty, Red Hat's principal product manager for containers.
"Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it," McCarty wrote.
Sarai published a patch designed to fix the issue, which triggers a container escape and allows attackers to access the host filesystem when a malicious container is executed. In accordance with policy, Sarai said the exploit code she wrote will be published publicly next Monday (Feb. 18).
The issue affects several open-source container management systems, including those used by Amazon Web Services. AWS said that, by the end of Monday, patches would be rolled out for all of its services except for older versions of the AWS Fargate compute engine. Patched versions of Fargate Platform Versions 1.0, 1.1 and 1.2 will be made available by March 15, according to the company.
As far as Red Hat is concerned, the vulnerability is mitigated on Red Hat Enterprise Linux 7 if SELinux is in enforcing mode. Some system administrators, though, don't run SELinux since it can be challenging to maintain. Google and Docker have also updated their software, according to media reports.
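Because the mitigation Red Hat describes depends on SELinux actually being in enforcing mode, and because many hosts run it permissive or not at all, an operator rolling out runC patches wants a quick per-host answer to "is this box protected by SELinux, and which runc build is installed?". The following POSIX shell script is an added example written for this article; it is not code from the article, from Red Hat, or from the runC project. The `selinux_mode` function takes an optional path so it can be exercised against a constructed file; on a real host it defaults to the kernel's `/sys/fs/selinux/enforce` flag. It reports the runc version string but does not judge whether that build is patched, since the article does not name a fixed version.

```shell
#!/bin/sh
# Added example (not from the article): report whether SELinux is enforcing
# and which runc build is present, so a host can be triaged while patches
# for the runC container-escape flaw are rolled out.

# selinux_mode [FILE]: classify SELinux state from the kernel's enforce flag.
# FILE defaults to /sys/fs/selinux/enforce; the parameter exists so the
# function can be tested against a constructed file.
# Prints one of: enforcing, permissive, absent.
selinux_mode() {
    f="${1:-/sys/fs/selinux/enforce}"
    if [ ! -r "$f" ]; then
        # No readable flag: SELinux is disabled or the kernel lacks it.
        echo absent
        return 0
    fi
    case "$(cat "$f" 2>/dev/null)" in
        1) echo enforcing ;;
        0) echo permissive ;;
        *) echo absent ;;
    esac
}

# runc_build: first line of `runc --version` when runc is on PATH, else
# the literal word "missing". The version is reported, not evaluated.
runc_build() {
    if command -v runc >/dev/null 2>&1; then
        runc --version 2>/dev/null | head -n 1
    else
        echo missing
    fi
}

# host_report [FILE]: one-line summary for a fleet inventory. Exit status is
# 0 only when SELinux is enforcing (the mitigation described above is in
# place), 1 otherwise, so the function can gate a wider remediation script.
host_report() {
    mode="$(selinux_mode "$1")"
    echo "selinux=$mode runc=\"$(runc_build)\""
    [ "$mode" = enforcing ]
}

# On a real host, run:  host_report
```

Run `host_report` on each container host and act on any line that does not say `selinux=enforcing`: those hosts have no SELinux containment between the container and the host filesystem and depend entirely on the runC patch being installed.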
The problem could additionally affect container systems using LXC and Apache Mesos container code, according to Sarai.