RunC vulnerability affecting Kubernetes, Docker and containerd
The Linux community is busy fixing a newly discovered vulnerability in runC, the low-level container runtime used by Docker, CRI-O, containerd and Kubernetes.


The vulnerability, assigned the identifier CVE-2019-5736, allows a malicious container to overwrite the runC executable on the host and thereby obtain root access to it. Such a container can take control of the host, giving the attacker the ability to execute arbitrary commands.

Aleksa Sarai, a runC maintainer at SUSE, posted a message on Openwall stating that this vulnerability very likely affects most container tooling. He also notes that the vulnerability is blocked by a correct use of user namespaces, in which the host's root user is not mapped into the container's user namespace.
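The user-namespace mitigation Sarai describes can be audited from the host by reading a container process's /proc/<pid>/uid_map and checking whether host uid 0 falls into any mapped range. This is an added example, not code from the article or from the runC project; the sample maps are constructed, and the check_pid helper is an illustrative name.

```python
"""Audit whether host root (uid 0) is mapped into a process's user namespace.

Each uid_map line is "<inside-uid> <outside-uid> <count>" (user_namespaces(7)).
When read from the host, "outside" values are host uids.
"""
from pathlib import Path
from typing import List, Tuple

# Constructed sample maps, not captured from a real system.
REMAPPED = "         0     100000      65536\n"        # container root -> host uid 100000
IDENTITY = "         0          0 4294967295\n"        # no user namespace in use
SPLIT = ("         0     100000      65536\n"          # container root remapped, but ...
         "     70000          0       1000\n")         # ... host uids 0..999 visible at 70000..


def parse_uid_map(text: str) -> List[Tuple[int, int, int]]:
    """Parse uid_map text into (inside, outside, count) triples, rejecting malformed lines."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if len(fields) != 3:
            raise ValueError(f"malformed uid_map line: {line!r}")
        inside, outside, count = (int(f) for f in fields)
        if count <= 0:
            raise ValueError(f"non-positive count in uid_map line: {line!r}")
        entries.append((inside, outside, count))
    return entries


def host_root_mapped(text: str) -> bool:
    """True if host uid 0 lies inside any mapped range (the condition the mitigation must avoid)."""
    return any(outside <= 0 < outside + count for _, outside, count in parse_uid_map(text))


def container_root_is_host_root(text: str) -> bool:
    """True if uid 0 inside the namespace is host uid 0, i.e. the container runs as real root."""
    for inside, outside, count in parse_uid_map(text):
        if inside <= 0 < inside + count:
            return outside + (0 - inside) == 0
    return False  # inside uid 0 is unmapped and would show as the overflow uid


def check_pid(pid: int) -> bool:
    """Hypothetical helper: read /proc/<pid>/uid_map on the host and report whether host root is mapped in."""
    return host_root_mapped(Path(f"/proc/{pid}/uid_map").read_text())
```

A map like SPLIT passes the "container root is not host root" test yet still exposes host root to the namespace, which is why the audit should use host_root_mapped rather than only looking at inside uid 0.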

Several companies have rated the vulnerability as important. Sarai says that under the CVSSv3 specification it was given a score of 7.2 out of 10.

A patch addressing the vulnerability has already been developed and is available to everyone who uses runC. Many software vendors and cloud service providers have taken steps to install it.

It should be noted that runC originated at Docker. It is an OCI-compatible command-line tool for spawning and running containers.

About modern software and hardware vulnerabilities

Although the vulnerability in question is not specific to the Kubernetes ecosystem, it continues the run of critical vulnerabilities discovered earlier this year in that container orchestration platform. The earlier vulnerability affected all systems using Kubernetes and gave attackers full administrative privileges on any compute node in a Kubernetes cluster.

A patch for that vulnerability was quickly developed, but most experts noted at the time that they expected further Kubernetes vulnerabilities to be found.

Rani Osnat, vice president of marketing at Aqua Security, says that software vulnerabilities will always exist, so the discovery of a given vulnerability is entirely expected. He believes more will be found, as can be expected of any software.

Last year the cloud security company Lacework found more than 21,000 container orchestration systems and APIs exposed on the Internet that could be targeted by intruders. Among them were Kubernetes, Docker Swarm, Mesos Marathon and Red Hat OpenShift clusters, among others.

In addition, Linux kernel developers are kept busy by hardware vulnerabilities such as Spectre, Meltdown and Foreshadow. Linux Foundation member Greg Kroah-Hartman, speaking last year at the Open Source Summit in Vancouver, said that more such vulnerabilities would follow.

Dear readers! Have you already protected your systems against the runC vulnerability?
