CVE-2019-5736 - Vulnerable Docker runc Service

Description

runc is an Open Container Initiative (OCI) compliant runtime: a software component responsible for the creation, configuration and management of isolated Linux processes, also called containers. runc is used by Docker, Kubernetes, containerd, Podman, CRI-O and other container-dependent programs.

The Docker Server listens on Port 2375/TCP.

Problem

In January 2019, two (2) Polish cybersecurity researchers, Adam Iwaniuk and Borys Poplawski, discovered a vulnerability in runc, the OCI compliant runtime software component, which could allow an unauthenticated, remote attacker to escalate privileges on a targeted system. On the 14th Feb 2019, CVE-2019-5736 was publicly disclosed.

Systems used for reporting and assessing the severity of security vulnerabilities

No. System: Description
1. Common Vulnerabilities and Exposures (CVE): The CVE system is used to identify, define, catalogue and publicly disclose known information-security vulnerabilities and exposures.
2. Common Vulnerability Scoring System (CVSS): CVSS is a free and open industry standard for assessing the severity of computer system security vulnerabilities. It provides a numerical (0-10) representation of the severity of an information security vulnerability.

CVE Reports & CVSS Version 3.x Metrics - runc vulnerability

No.  CVE Report      CVSS 3.x Base Score  File Affected  Date Disclosed
1.   CVE-2019-5736   8.6                  runc           11 Feb 2019
2.   CVE-2019-16884  7.5                  runc           25 Sep 2019

CVE-2019-5736: runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows an attacker to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers:  (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec.   This occurs because of file-descriptor mishandling, related to /proc/self/exe.

CVE-2019-16884: runc through 1.0.0-rc8,  as used in Docker through 19.03.2-ce and other products, allows AppArmor restriction bypass because libcontainer/rootfs_linux.go incorrectly checks mount targets, and thus a malicious Docker image can mount over a /proc directory.

Background Information

Open Container Initiative (OCI)

The Open Container Initiative (OCI) is a lightweight, open governance structure (project), formed under the auspices of the Linux Foundation, for the express purpose of creating open industry standards around container formats and runtimes. The OCI was launched on the 22nd June 2015 by Docker, CoreOS and other leaders in the container industry. Docker donated the container image specification and the runtime code now known as runc to the OCI in order to help establish standardisation in the container ecosystem. Container runtimes are often divided into two (2) categories: low-level (runc, gVisor, Firecracker) and high-level (containerd, Docker, CRI-O, podman). The difference between them is how much of the OCI specification they consume and which additional features they provide.

Linux Containers

A Linux container is a set of one (1) or more processes that are isolated from the rest of the operating system. All files necessary to run them are provided from a distinct image, ensuring that Linux containers are portable and consistent as they move from development to testing and finally to production.

Containers share the same operating system kernel while isolating the application processes from the rest of the system; the container must therefore be compatible with the underlying operating system. ARM Linux systems run ARM Linux containers, x86 Linux systems run x86 Linux containers and x86 Windows systems run x86 Windows containers. Because all of the containers share the services of a single operating system kernel, they use fewer resources than virtual machines.

Docker

Docker Inc. was founded in France in 2008 by Kamel Founadi, Solomon Hykes and Sebastien Pahl, and incorporated in the United States in 2010.

The Docker container technology was launched in 2013 as the open source Docker Engine. Docker is a set of tools that use operating system-level virtualization to develop and deliver software in packages called containers. A container is a sandboxed process on a machine that is isolated from all other processes on the host machine. The isolation of the process is achieved through the use of Linux features such as kernel namespaces and cgroups.

Docker containers are isolated from each other, with their own software, libraries and configuration files.  All containers are run by a single host operating system kernel and are thus more lightweight than virtual machines.  They are instantiated from Docker images that specify their precise contents.  Images can also be created by combining and modifying existing standard images downloaded from public repositories,  known as image registries.  An instance of an image (a container) thus contains configured networking, storage, logging, etc.  Furthermore, Docker defines an abstraction for these machine-specific settings and the exact same Docker container can run without any changes on many different machines with many different configurations.  

The Docker software consists of three kinds of components: software, objects and registries.

Docker Software

No. Software: Description
1. dockerd: This is the Docker daemon, a persistent process that manages the Docker containers. The daemon listens for Docker requests sent via the Docker Engine Application Programming Interface (API).
2. docker: This is the Docker client program, which provides a command-line interface (CLI) that allows Docker users to interact with Docker daemons.

Docker Objects

No. Object: Description
1. Docker Container: This is a standardised, encapsulated environment that runs applications. A container is managed using the Docker API.
2. Docker Image: This is a read-only template used to build containers. Images are used to store and ship applications.
3. Docker Service: This allows containers to be scaled across multiple Docker daemons. A Docker Swarm is a group of either physical or virtual machines that are running the Docker application and that have been configured to join together in a cluster.

Docker Registries

No. Registry: Description
1. Registries: A Docker registry is a repository for Docker images. Docker clients connect to registries to download images for use or to upload images that they have built. Registries can be public or private. Two main public registries are Docker Hub, which is the default registry where Docker looks for images, and Docker Cloud.

The Docker container technology uses two (2) features of Linux to isolate a container's processes from all other processes on the host machine.

Linux features used by Docker container technology

No. Feature: Description
1. Namespaces: Namespaces are a feature of the Linux kernel since 2002 that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. Examples of resources are process IDs, hostnames, files, usernames, network access names and inter-process communications.
2. cgroups: A control group (cgroup) is a Linux kernel feature that limits, accounts for and isolates the resource usage (CPU, memory, network, disk I/O) of a collection of processes. cgroups are used to control how much of a given key resource (CPU, memory, network and disk I/O) can be accessed or used by a process or set of processes.

Difference between Virtual Machines and Containers

Virtual machines and containers have similar resource isolation and allocation benefits,  but containers virtualize the operating system whereas virtual machines virtualize hardware.   Each Virtual Machine includes a full copy of an operating system, the application,  necessary binaries and libraries.  Therefore, containers are more portable and efficient.  

Solution

It is recommended that Docker be updated to version 18.09.2 or above, which ships the patched runc.

It is also recommended that internet access to the Docker Service be restricted to trusted clients or specific IP addresses, by blocking incoming connections to Port 2375/TCP on the firewall.

Alternatively, the Docker Service can be placed behind a virtual private network (VPN).  
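A quick way to act on the two recommendations above is to read the daemon's own version report and check it against the 18.09.2 boundary, while noting whether that report was obtainable over the unauthenticated TCP port the advisory names. The script below is an added example and is not code from this advisory or from Docker; it assumes the Docker Engine API's GET /version endpoint, which returns a JSON document with a "Version" field and a "Components" list, and the two sample responses are constructed so the checker runs offline.

```python
"""Check whether a Docker Engine reports a version that includes the
CVE-2019-5736 fix, and whether its API answers on the unauthenticated
TCP port named in the advisory. Added example, not code from the
advisory or from Docker; the JSON responses below are constructed."""
import json
import re
from urllib.request import urlopen

# Docker 18.09.2 is the first release the advisory names as fixed.
FIXED_DOCKER = (18, 9, 2)

# Constructed samples shaped like the Docker Engine API GET /version reply.
SAMPLE_VULNERABLE = json.dumps({
    "Version": "18.09.1", "ApiVersion": "1.39",
    "Components": [{"Name": "Engine", "Version": "18.09.1"},
                   {"Name": "runc", "Version": "1.0.0-rc6"}],
})
SAMPLE_FIXED = json.dumps({
    "Version": "19.03.2", "ApiVersion": "1.40",
    "Components": [{"Name": "Engine", "Version": "19.03.2"},
                   {"Name": "runc", "Version": "1.0.0-rc8"}],
})


def parse_version(text: str) -> tuple:
    """'18.09.1-ce' -> (18, 9, 1). Suffixes such as '-ce' are ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("unrecognised Docker version: " + text)
    return tuple(int(part) for part in match.groups())


def assess(version_json: str) -> dict:
    """Decide from a /version reply whether the engine predates 18.09.2."""
    info = json.loads(version_json)
    engine = parse_version(info["Version"])
    runc = next((c.get("Version") for c in info.get("Components", [])
                 if c.get("Name") == "runc"), None)
    # Compare the Engine version rather than the runc string: patched Docker
    # builds may still report an rc6-based runc version string, so the
    # advisory's 18.09.2 boundary is the reliable test.
    return {
        "engine": info["Version"],
        "runc": runc,
        "patched": engine >= FIXED_DOCKER,
    }


def fetch_version(host: str, port: int = 2375, timeout: float = 5.0) -> str:
    """Fetch /version over plain TCP; any answer means the API is exposed
    without TLS or authentication on that port."""
    with urlopen(f"http://{host}:{port}/version", timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    import sys
    # Usage: python check_docker.py <host>   (hypothetical file name)
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    try:
        result = assess(fetch_version(target))
    except OSError as exc:
        print(f"{target}:2375 not reachable ({exc}); the API is not exposed there")
        sys.exit(0)
    state = "patched" if result["patched"] else "VULNERABLE - update to 18.09.2 or above"
    print(f"{target}: Engine {result['engine']}, runc {result['runc']}: {state}")
    print("The API answered on 2375/TCP without authentication; restrict it as recommended above")
```

Run it against your own daemon's address. A patched engine that still answers on 2375/TCP satisfies the first recommendation but not the second: the daemon should be reached only through the local Unix socket, a TLS-protected port or a VPN, and the firewall should drop inbound connections to 2375/TCP as the advisory recommends.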

Aleksa Sarai, one of the maintainers of runc and a senior software engineer with SUSE Linux GmbH, published a patch designed to fix the issue in runc. The exploit code published by Aleksa Sarai can be found at the following link:

CVE-2019-5736 fix - Aleksa Sarai - www.openwall.com

Aleksa Sarai has also reported that the runc flaw affects LXC and Apache Mesos.

Additional Information

CVE-2019-5736
Shadowserver Accessible Docker Service Report
Unit 42 - CVE-2019-5736
StackRox - The runC Vulnerability - A Deep Dive on Protecting Yourself
Aleksa Sarai - Openwall - CVE-2019-5736: runc container breakout exploit code
Github - docker/docker-ce
Github - CVE-2019-5736-PoC
snyk - A serious security flaw in runc can result in root privilege escalation in Docker and Kubernetes
Kubernetes Blog - Runc and CVE-2019-5736
Red Hat Customer Portal - CVE-2019-5736
opensource.com - runC: The little container engine that could
AWS - Container Security Issue (CVE-2019-5736)
CVE-2019-5736: Escape from Docker and Kubernetes containers to root on host
CVE-2019-5736: runc container breakout (all versions)
Introduction to data science - Chapter 6 - Docker container platform
Microsoft - CVE-2019-5736 and runC vulnerability in AKS
Bank Info Security - Major Flaw in runc Poses Mass Container Takeover Risk
Docker Docs - Docker Overview
OCI - About the Open Container Initiative
Demystifying Containers - Part 1: Kernel Space