Bugzilla – Bug 1121967
VUL-0: CVE-2019-5736: docker-runc: container breakout vulnerability
Last modified: 2024-07-22 13:50:25 UTC
I'm opening this bug at the request of Aleksa Sarai.

---

CVE-2019-5736

Hiya,

I've gotten CVE-2019-5736 assigned. It's a runc container breakout vulnerability, and I've been working on a patch to fix it. Can you set up a BSC so I can include the patch files? It's still under embargo, and we're waiting on Docker to tell us when would be convenient for them.

Thanks.

---

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-5736
The core vulnerability is effectively that a container can cause the container runtime binary to be executed within the container (thus allowing malicious shared libraries to be loaded). This allows for the *host* container runtime binary to be replaced with a malicious version, thus giving root-level RCE access. The attack requires some interaction with the malicious container, but it's quite minimal (you can replace /bin/bash, so a trivial "docker exec" will trigger the bug).

This vulnerability is not effective under user namespaces (because the container root doesn't have permissions to overwrite the host binary). It is not blocked by the default AppArmor profile (it might be blocked under SELinux though).

I will attach a reproducer as well as the patches (which have been LGTM'd by upstream). We are still working on a CRD (it's a bit complicated because cloud vendors have to update too).

I have also discovered that LXC is vulnerable to the same bug (though the exploit is a bit more complicated, due to some practical considerations with how lxc-attach works).
Sorry, I forgot to mention that my quick CVSSv3 estimate is 7.0: AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H/E:F/RL:X/RC:C
CRD: 2019-02-11

This may still change, depending on feedback from other vendors.
Created attachment 795470: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

I have developed an updated form of the patch. It's functionally identical to the one sent out to everyone else, with just a few niceness fixes (this is the version I will push to runc upstream when the embargo lifts).
CRD: 2019-02-11 15:00CET
Created attachment 796192: 0001-nsenter-clone-proc-self-exe-to-avoid-exposing-host-b.patch

This contains an O_TMPFILE fallback for SLE12 which is necessary for builds to work.
is public via oss-security.

From: Aleksa Sarai <cyphar@cyphar.com>
Date: Tue, 12 Feb 2019 00:05:20 +1100
Subject: [security@suse.de] CVE-2019-5736: runc container breakout (all versions)

[[ Patch CRD: 2019-02-11 15:00 CET ]]
[[ Exploit Code CRD: 2019-02-18 15:00 CET ]]

Hello,

I am one of the maintainers of runc (the underlying container runtime underneath Docker, cri-o, containerd, Kubernetes, and so on). We recently had a vulnerability reported which we have verified and have a patch for.

The researchers who found this vulnerability are:

* Adam Iwaniuk
* Borys Popławski

In addition, Aleksa Sarai (me) discovered that LXC was also vulnerable to a more convoluted version of this flaw.

== OVERVIEW ==

The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host. The level of user interaction is being able to run any command (it doesn't matter if the command is not attacker-controlled) as root within a container in either of these contexts:

* Creating a new container using an attacker-controlled image.
* Attaching (docker exec) into an existing container which the attacker had previous write access to.

This vulnerability is *not* blocked by the default AppArmor policy, nor by the default SELinux policy on Fedora[++] (because container processes appear to be running as container_runtime_t). However, it *is* blocked through correct use of user namespaces (where the host root is not mapped into the container's user namespace).

Our CVSSv3 vector is (with a score of 7.2): AV:L/AC:H/PR:L/UI:R/S:C/C:N/I:H/A:H

The assigned CVE for this issue is CVE-2019-5736.

[++]: This is only the case for the "moby-engine" package on Fedora. The "docker" package as well as podman are protected against this exploit because they run container processes as container_t.

== PATCHES ==

I have attached the relevant patch which fixes this issue.
This patch is based on HEAD, but the code in libcontainer/nsenter/ changes so infrequently that it should apply cleanly to any old version of the runc codebase you are dealing with. Please note that the patch I have pushed to runc master[1] is a modified version of this patch -- even though it is functionally identical (though we would recommend using the upstream one if you haven't patched using the attached one already).

== NON-ESSENTIAL EXPLOIT CODE ==

Several vendors have asked for exploit code to ensure that the patches actually solve the issue. Due to the severity of the issue (especially for public cloud vendors), we decided to provide the attached exploit code. This exploit code was written by me, and is more generic than the original exploit code provided by the researchers and works against LXC (it could likely be used on other vulnerable runtimes with no significant modification). Details on how to use the exploit code are provided in the README.

As per OpenWall rules, this exploit code will be published *publicly* 7 days after the CRD (which is 2019-02-18). *If you have a container runtime, please verify that you are not vulnerable to this issue beforehand.*

== IMPACT ON OTHER PROJECTS ==

It should be noted that upon further investigation I've discovered that LXC has a similar vulnerability, and they have also pushed a similar patch[2] which we co-developed. LXC is a bit harder to exploit, but the same fundamental flaw exists.

After some discussion with the systemd-nspawn folks, it appears that they aren't vulnerable (because their method of attaching to a container uses a different method to LXC and runc).

I have been contacted by folks from Apache Mesos who said they were also vulnerable (I believe just using the exploit code that will be provided).

It is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand.
== OTHER NEWS ==

We have set up an announcement list for future security vulnerabilities, and you can see the process for joining here[3] (it's based on the Kubernetes security-announce mailing list). Please join if you distribute any container runtimes that depend on runc (or other OCI projects).

[1]: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef398405813ce8e88558b
[2]: https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
[3]: https://github.com/opencontainers/org/blob/master/security.md

--
Aleksa Sarai
Senior Software Engineer (Containers)
SUSE Linux GmbH
<https://www.cyphar.com/>
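The mitigation described in the comments above (the nsenter patch that clones /proc/self/exe, plus the O_TMPFILE fallback added for SLE12) works by never letting the container see the host runtime's real binary as a writable file. This added C example is not the runc patch's own code; it shows the same pattern: copy /proc/self/exe into a sealed memfd (or an unlinkable O_TMPFILE when memfd_create is unavailable), verify the copy, and hand back a descriptor a runtime would then fexecve from. Function names are my own.

```c
/* Added example, not the runc patch's own code: clone /proc/self/exe into a
 * private, sealed fd so the host binary is never exposed to the container. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Copy everything from src to dst; returns 0 on success, -1 on error. */
static int copy_fd(int src, int dst) {
    char buf[65536]; ssize_t n;
    while ((n = read(src, buf, sizeof buf)) > 0)
        for (ssize_t off = 0; off < n; ) {
            ssize_t w = write(dst, buf + off, (size_t)(n - off));
            if (w < 0) return -1;
            off += w;
        }
    return n < 0 ? -1 : 0;
}

/* Returns a sealed (or read-only) fd holding a private copy of /proc/self/exe, or -1. */
int clone_self_exe(void) {
    int src = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (src < 0) return -1;
    /* Preferred: an anonymous memfd that can be sealed against any further writes. */
    int dst = (int)syscall(SYS_memfd_create, "runc_clone", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    int sealable = dst >= 0;
    if (!sealable)  /* fallback for kernels without memfd (as the SLE12 build needed) */
        dst = open("/tmp", O_TMPFILE | O_EXCL | O_RDWR | O_CLOEXEC, 0700);
    int ok = dst >= 0 && copy_fd(src, dst) == 0;
    close(src);
    if (!ok) { if (dst >= 0) close(dst); return -1; }
    if (sealable) {
        int seals = F_SEAL_SHRINK | F_SEAL_GROW | F_SEAL_WRITE | F_SEAL_SEAL;
        if (fcntl(dst, F_ADD_SEALS, seals) != 0) { close(dst); return -1; }
        return dst;  /* nobody, not even this process, can modify the clone now */
    }
    /* O_TMPFILE cannot be sealed: reopen read-only via /proc to drop write access. */
    char path[64];
    snprintf(path, sizeof path, "/proc/self/fd/%d", dst);
    int ro = open(path, O_RDONLY | O_CLOEXEC);
    close(dst);
    return ro;
}

/* Defensive check before re-exec: the clone must be byte-identical to /proc/self/exe. */
int same_as_self_exe(int fd) {
    int ref = open("/proc/self/exe", O_RDONLY | O_CLOEXEC);
    if (ref < 0 || lseek(fd, 0, SEEK_SET) < 0) return 0;
    char a[4096], b[4096]; ssize_t na, nb, same = 1;
    do {
        na = read(fd, a, sizeof a);
        nb = read(ref, b, sizeof b);
        same = na == nb && (na <= 0 || memcmp(a, b, (size_t)na) == 0);
    } while (same && na > 0);
    close(ref);
    return same == 1;
}
```

A runtime would call fexecve() on the returned descriptor; the container can then only ever reach the sealed copy, never the host path.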
This is an autogenerated message for OBS integration:
This bug (1121967) was mentioned in
https://build.opensuse.org/request/show/673383 Factory / docker-runc
Is there any eta when runc will be patched in Factory/Tumbleweed/Kubic/Leap and Packagehub, all of which appear to be affected?
This is an autogenerated message for OBS integration:
This bug (1121967) was mentioned in
https://build.opensuse.org/request/show/674127 Backports:SLE-15 / runc
https://build.opensuse.org/request/show/674128 15.0 / runc
https://build.opensuse.org/request/show/674132 15.1 / runc
SUSE-SU-2019:0337-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE CaaS Platform 3.0 (src): runc-1.0.0~rc5-3.6.1
SUSE-SU-2019:0362-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1
SUSE Linux Enterprise Module for Containers 15 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-6.9.1
openSUSE-SU-2019:0170-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095817,1118897,1118898,1118899,1121967
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Backports SLE-15 (src): runc-1.0.0~rc6-bp150.2.3.1
SUSE-SU-2019:0385-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
SUSE Linux Enterprise Module for Containers 12 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
OpenStack Cloud Magnum Orchestration 7 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-1.9.1
openSUSE-SU-2019:0201-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
openSUSE Leap 42.3 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-8.1, docker-runc-kubic-1.0.0rc5+gitr3562_69663f0bd4b6-8.1
openSUSE-SU-2019:0208-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1095817,1118897,1118898,1118899,1121967
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src): runc-1.0.0~rc6-lp150.2.3.1
SUSE-SU-2019:0495-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.2-5.9.1, docker-18.09.1_ce-6.14.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.2-5.9.1, docker-18.09.1_ce-6.14.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
openSUSE-SU-2019:0252-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1121967
CVE References: CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src): docker-runc-1.0.0rc5+gitr3562_69663f0bd4b6-lp150.5.7.1
openSUSE-SU-2019:0295-1: An update that solves four vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1048046,1051429,1114832,1118897,1118898,1118899,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 15.0 (src): containerd-1.2.2-lp150.4.10.1, docker-18.09.1_ce-lp150.5.13.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-lp150.5.14.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-lp150.3.10.1, runc-1.0.0~rc6-lp150.2.7.1
SUSE-SU-2019:0573-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1001161,1048046,1051429,1112980,1114832,1118897,1118898,1118899,1121412,1121967,1124308
CVE References: CVE-2016-9962,CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src): containerd-1.2.2-16.14.2, docker-18.09.1_ce-98.34.2, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.2-16.14.2, docker-18.09.1_ce-98.34.2, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-1.17.2, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-16.2
openSUSE-SU-2019:1079-1: An update that solves four vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1001161,1048046,1051429,1112980,1114832,1118897,1118898,1118899,1121412,1121967,1124308
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736
Sources used:
openSUSE Leap 42.3 (src): containerd-1.2.2-22.1, containerd-kubic-1.2.2-22.1, docker-18.09.1_ce-54.1, docker-kubic-18.09.1_ce-54.1, docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-11.1, docker-runc-kubic-1.0.0rc6+gitr3748_96ec2177ae84-11.1, golang-github-docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-11.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2711_2cfbf9b1f981-11.1

*** NOTE: This information is not intended to be used for external communication, because this may only be a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2019:1234-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2019:1499-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
openSUSE Leap 15.0 (src): containerd-1.2.5-lp150.4.14.3, docker-18.09.6_ce-lp150.5.17.2, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-lp150.5.21.2, go-1.12-lp150.2.11.1, go1.11-1.11.9-lp150.9.3, go1.12-1.12.4-lp150.2.2, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-lp150.3.14.1
SUSE-SU-2019:1234-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1114209,1114832,1118897,1118898,1118899,1121397,1121967,1123013,1128376,1128746,1134068
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-5736,CVE-2019-6486
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, go-1.12-3.10.1, go1.11-1.11.9-1.12.1, go1.12-1.12.4-1.9.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.5-5.13.1, docker-18.09.6_ce-6.17.1, docker-runc-1.0.0rc6+gitr3804_2b18fe1d885e-6.18.1, golang-github-docker-libnetwork-0.7.0.1+gitr2726_872f0a83c98a-4.12.1
SUSE-SU-2019:2117-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src): containerd-1.2.6-5.16.1, containerd-kubic-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-kubic-19.03.1_ce-6.26.2, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15-SP1 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE Linux Enterprise Module for Containers 15 (src): containerd-1.2.6-5.16.1, docker-19.03.1_ce-6.26.2, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-6.21.2, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-4.15.1
SUSE-SU-2019:2119-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1100331,1121967,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
SUSE OpenStack Cloud 6-LTSS (src): containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.2.6-16.23.1, docker-19.03.1_ce-98.46.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
SUSE CaaS Platform 3.0 (src): containerd-kubic-1.2.6-16.23.1, docker-kubic-19.03.1_ce-98.46.1, docker-runc-kubic-1.0.0rc8+gitr3826_425e105d5a03-1.29.1, golang-github-docker-libnetwork-kubic-0.7.0.1+gitr2800_fc5a7d91d54c-25.1
openSUSE-SU-2019:2021-1: An update that solves four vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1100331,1121967,1138920,1139649,1142160,1142413,1143409
CVE References: CVE-2018-10892,CVE-2019-13509,CVE-2019-14271,CVE-2019-5736
Sources used:
openSUSE Leap 15.1 (src): containerd-1.2.6-lp151.2.6.1, docker-19.03.1_ce-lp151.2.12.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp151.3.6.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp151.2.6.1
openSUSE Leap 15.0 (src): containerd-1.2.6-lp150.4.17.1, docker-19.03.1_ce-lp150.5.27.1, docker-runc-1.0.0rc8+gitr3826_425e105d5a03-lp150.5.25.1, golang-github-docker-libnetwork-0.7.0.1+gitr2800_fc5a7d91d54c-lp150.3.18.1
This has been fixed for a long time.
SUSE-SU-2021:1458-1: An update that solves 9 vulnerabilities and has 23 fixes is now available.

Category: security (important)
Bug References: 1028638,1034053,1048046,1051429,1053532,1095817,1118897,1118898,1118899,1121967,1131314,1131553,1149954,1152308,1160452,1168481,1175081,1175821,1181594,1181641,1181677,1181730,1181732,1181749,1182451,1182476,1182947,1183024,1183397,1183855,1184768,1184962
CVE References: CVE-2018-16873,CVE-2018-16874,CVE-2018-16875,CVE-2019-16884,CVE-2019-19921,CVE-2019-5736,CVE-2021-21284,CVE-2021-21285,CVE-2021-21334
JIRA References:
Sources used:
SUSE Linux Enterprise Module for Containers 12 (src): containerd-1.4.4-16.38.1, docker-20.10.6_ce-98.66.1, runc-1.0.0~rc93-16.8.1