Date: 2 months ago   Category: Hi-Tech

The vulnerability in runc and LXC mentioning Docker and other systems of container isolation


In runc, tools for start of the isolated containers, critical vulnerability (CVE-2019-5736) allowing from the isolated container prepared by the malefactor is revealed to change the executable file of runc and to receive root-privileges on the party a host system. Vulnerability mentions all systems of container isolation using runtime runc including Docker, cri-o, containerd, Kubernetes, Podman and flatpak. Also it is noted that similar vulnerability is present at the LXC and Apache Mesos tools.

the Essence of vulnerability in a possibility of start of the executable file of runc in a container, but its executions in a context a host system. For example, attacking can replace / bin/bash in a container with a script, defiant / proc/self/exe which refers to the executable file of runc. During the performing of "docker exec" and start of runtime-ohms changed / bin/bash will be executed the file to which proc/self/exe, namely runc on the party of a host refers/. After that attacking can make through modification/proc/self/exe change to the executable file of runc on the party a host system.

For carrying out the attack is required performance by the user with the rights of root of operation of creation of a new container on the basis of prepared attacking an image or connection to the existing container (performance of "docker exec" suffices), to which earlier attacking had access to record. The problem is not blocked by a profile by default AppArmor and rules of SELinux in Fedora (processes of a container are started in the context of container_runtime_t). At the same time the problem is not shown at correct by use of namespaces of user IDs (user namespaces) or when using the "enforcing" SELinux mode in RHEL.

Vulnerability is already eliminated in RHEL, Fedora, Ubuntu and SUSE, but remains uncorrected in Debian. The patches solving a problem are prepared for runc and LXC. The working prototype of an exploit is planned to be published on February 18. On materials: www.opennet.ru

URL:




Today

just now

The informant Dengi studied what punishment is necessary for illegal deforestation now. It appeared - for several cut-down trees it is possible to go really to prison, and the court can apply special...

just now

The People's Deputy from Vozrozhdeniye party Valery Pisarenko announced the beginning of petition for resignation of the speaker of the Verkhovna Rada Andriy Parubiy. About this Pisarenko wrote on the...

just now

We live in an information age and technologies. Thirst of knowledge forces us to form inquiries in search engine, social networks and all day the smartphone in a hand - an integral part of life. the...

just now

The urologist Darya Chernysheva told about normal rate of visit of the bathroom for urination. So writes Newsmir.info, referring to Interfax Ukraine. according to the expert, on average during a day...

just now

This week in Spain the draw of the largest European jackpot - €68 million will take place. An opportunity to break huge prize fund will be presented thanks to the oldest local lottery of La Primitiva...

just now

In Russia the court for the first time fined the person under the article about "obvious disrespect for the power" which came into force on March 29, 2019. About that was reported by the head of the...

just now

Ukraine has to show the basic relation to dictatorship and human rights violations and also to recognize that the leadership of Belarus indulges Russia and profits in the war. Such opinion in the comm...

just now

Wolfsburg officially approved Oliver Glasner as the head coach of team. the Expert who works in Austrian to CARESS now will head club before a season of Present steering Bruno Labbadia's teams lea...