RunC container security flaw hits Kubernetes and Docker

A security bug affecting the RunC container runtime undergirding Kubernetes, Dockers, cri-O and containerd and has been discovered 

Security researchers have discovered a fresh container security flaw that allows malicious containers to run roughshod over the host RunC binary and execute root-level code on host machines.

Labelled CVE-2019-5736, the new flaw could conceivably allow attackers to embed a program within a container that could then escape and go on to infect a host system.

“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host RunC binary and thus gain root-level code execution on the host,” explained SUSE container senior software engineer Aleksa Sarai in a blog post.

RunC was created by Docker as an open-source command-line tool for hatching and running containers, it’s widely used in popular container platforms such as Docker and Kubernetes.

Scott McCarty, Red Hat technical project manager warned that the vulnerability could potentially compromise ‘hundreds-to-thousand of other containers running on it’.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies…and that’s exactly what this vulnerability represents,” he said.

Containers allow engineers to develop software that is computer environment agnostic. The container orchestrator Kubernetes’ popularity skyrocketed last year after it established itself as the lynchpin for facilitating multicloud deployments.

In December, the first major security flaw in popular cloud container orchestrator Kubernetes was discovered, that allowed attackers to infiltrate backend servers. Kubernetes quickly issued patched versions that resolved the flaw.

It is recommended that if you are using any containers or container dependent programs that you patch as soon as you can. AWS says there is a patch available for Amazon Linux, and will be soon for ECS, EKS and Fargate. Red Hat has written an article explaining how to patch the flaw.