Date: 2 weeks ago   Category: Hi-Tech

Vulnerability in runc and LXC affecting Docker and other container isolation systems


A critical vulnerability (CVE-2019-5736) has been found in runc, the tool used to launch isolated containers. From a container prepared by an attacker, it allows the runc executable to be modified and root privileges to be obtained on the host side. The vulnerability affects all container isolation systems that use the runc runtime, including Docker, cri-o, containerd, Kubernetes, Podman and flatpak. A similar vulnerability is also reported in the LXC and Apache Mesos tools.

The essence of the vulnerability is that the runc executable can be launched from inside a container while it executes in the context of the host system. For example, the attacker can replace /bin/bash inside the container with a script that invokes /proc/self/exe, which refers to the runc executable. When "docker exec" is run and the runtime launches the modified /bin/bash, the file that /proc/self/exe points to is executed, namely runc on the host side. After that the attacker can, by modifying /proc/self/exe, make changes to the runc executable on the host system.

To carry out the attack, a user with root rights must create a new container from an image prepared by the attacker, or connect to an existing container (running "docker exec" is enough) to which the attacker previously had write access. The problem is not blocked by the default AppArmor profile or by the SELinux rules in Fedora (container processes are started in the container_runtime_t context). At the same time, the problem does not manifest itself when user ID namespaces (user namespaces) are used correctly or when the "enforcing" SELinux mode is used in RHEL.
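As an added example (not code from the article or from the runc project), the following Python audit checks a Docker host for the two conditions the article says prevent the attack, user namespaces in use and SELinux in enforcing mode, and fingerprints the host runc binary so that a later change to it can be noticed; the runc binary paths and the `docker info` output layout are assumptions for a typical Linux host.

```python
# Added example, not from the article or the runc project. RUNC_CANDIDATES and
# the `docker info` layout parsed below are assumptions for a typical Linux host.
import hashlib
import os
import subprocess

RUNC_CANDIDATES = ["/usr/bin/runc", "/usr/sbin/runc", "/usr/bin/docker-runc"]  # assumed

def userns_enabled(docker_info: str) -> bool:
    """True if 'userns' is listed under 'Security Options:' in `docker info` output."""
    section_indent = None
    for line in docker_info.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("Security Options:"):
            section_indent = indent
        elif section_indent is not None:
            if indent <= section_indent:  # back at the parent level: section is over
                break
            if stripped == "userns":
                return True
    return False

def selinux_enforcing(enforce_value: str) -> bool:
    """True if the contents of /sys/fs/selinux/enforce read '1' (enforcing mode)."""
    return enforce_value.strip() == "1"

def sha256_of(path: str) -> str:
    """Hex SHA-256 of a file, to compare with a hash recorded when runc was installed."""
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def audit() -> dict:
    """Run all checks on this host; None means a check could not be performed."""
    findings = {"userns": None, "selinux_enforcing": None, "runc_sha256": None}
    try:
        out = subprocess.run(["docker", "info"], capture_output=True, text=True).stdout
        findings["userns"] = userns_enabled(out)
    except FileNotFoundError:
        pass  # docker CLI not installed
    try:
        with open("/sys/fs/selinux/enforce") as f:
            findings["selinux_enforcing"] = selinux_enforcing(f.read())
    except OSError:
        pass  # SELinux not available on this kernel
    for path in filter(os.path.exists, RUNC_CANDIDATES):
        findings["runc_sha256"] = (path, sha256_of(path))
        break
    return findings
```

Run `audit()` on a host before and after patching and keep the recorded runc hash; a mismatch that does not coincide with a package update is a signal worth investigating.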

The vulnerability has already been fixed in RHEL, Fedora, Ubuntu and SUSE, but remains unfixed in Debian. Patches that solve the problem have been prepared for runc and LXC. A working exploit prototype is planned to be published on February 18. Source: www.opennet.ru
