CVE-2019-5736
Severity: HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Description
runc through 1.0-rc6, as used in Docker before 18.09.2 and other products, allows attackers to overwrite the host runc binary (and consequently obtain host root access) by leveraging the ability to execute a command as root within one of these types of containers: (1) a new container with an attacker-controlled image, or (2) an existing container, to which the attacker previously had write access, that can be attached with docker exec. This occurs because of file-descriptor mishandling, related to /proc/self/exe.
Analysis
runc through version 1.0-rc6 (used in Docker before 18.09.2) contains a container escape vulnerability that allows attackers to overwrite the host runc binary. By exploiting a race condition during container exec, a malicious container process can gain root access to the host system, breaking the fundamental container isolation boundary.
Technical Context
During 'docker exec' or similar container exec operations, the host runc binary is exposed to the container's filesystem through /proc/self/exe. A malicious container process can exploit a TOCTOU race condition to overwrite the host runc binary with a trojanized version. The next time runc is invoked (for any container operation), the attacker's code executes with root privileges on the host.
Affected Products
runc <= 1.0-rc6
Docker < 18.09.2
containerd (using vulnerable runc)
Kubernetes (using vulnerable runc)
LXC (using vulnerable runc)
Remediation
Update runc to 1.0-rc7 or later and Docker to 18.09.2 or later, and patch the container runtime on every host, since any host running a vulnerable runc is exposed. Enable user namespace remapping so that root inside a container is not root on the host. Use read-only container images. Deploy runtime security monitoring (Falco, Sysdig) to detect container escape attempts, such as unexpected writes to the runc binary.
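A small audit helper, added here as an example and not part of the vuln.today record, that decides whether a `runc --version` or `docker --version` string falls inside the affected ranges stated above (runc before 1.0-rc7, Docker before 18.09.2). The sample output strings are constructed, and the regexes assume the usual "runc version X" / "Docker version X, build Y" output layout.

```python
"""Classify runc / Docker version strings against CVE-2019-5736's fixed releases."""
import re
from typing import Optional, Tuple

# Fixed releases named on the page. For runc the 4th component is the rc number;
# a GA release is ranked above every rc by mapping it to a large sentinel.
RUNC_FIXED = (1, 0, 0, 7)        # 1.0-rc7
DOCKER_FIXED = (18, 9, 2)        # 18.09.2
_GA = 10**6

_RUNC_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")
_DOCKER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_runc_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Parse '1.0-rc6', '1.0.0-rc6+dev' or '1.0.1' out of `runc --version` output."""
    m = _RUNC_RE.search(text)
    if not m:
        return None
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)             # '1.0-rc6' has no patch component
    rc = int(m.group(4)) if m.group(4) else _GA
    return (major, minor, patch, rc)


def parse_docker_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Parse '18.09.1' out of 'Docker version 18.09.1, build ...'."""
    m = _DOCKER_RE.search(text)
    return tuple(int(g) for g in m.groups()) if m else None


def runc_is_vulnerable(version_output: str) -> Optional[bool]:
    """True if runc is older than 1.0-rc7, False if fixed, None if unparseable."""
    v = parse_runc_version(version_output)
    return None if v is None else v < RUNC_FIXED


def docker_is_vulnerable(version_output: str) -> Optional[bool]:
    """True if Docker is older than 18.09.2, False if fixed, None if unparseable."""
    v = parse_docker_version(version_output)
    return None if v is None else v < DOCKER_FIXED


if __name__ == "__main__":
    # Constructed sample output, not captured from a real host.
    runc_out = "runc version 1.0.0-rc6\ncommit: 0000000\nspec: 1.0.1"
    docker_out = "Docker version 18.09.1, build 0000000"
    print("runc vulnerable:", runc_is_vulnerable(runc_out))      # True
    print("docker vulnerable:", docker_is_vulnerable(docker_out))  # True
```

Run the two parsers over the output collected from each host in a fleet; a True from either check means that host still needs the patch.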