Vendors Issue Patches for Linux Container Runtime Flaw Enabling Host Attacks
This week, the National Institute of Standards and Technology (NIST) described a high-risk security vulnerability (CVE-2019-5736) for organizations using containers that could lead to compromised host systems.
Containers run on top of host systems and are notable for being an operating system virtualization approach that's particularly useful to developers. They permit different application versions to run without conflicts, for instance. However, a vulnerability recently found in the runC runtime used by many Linux container solutions could expose hosts to attacks.
RunC is widely used in container solutions. It's used in Kubernetes, a container orchestration solution, as well as "other tools like Docker, Containerd and CRI-O," according to a Kubernetes blog post.
It's possible to exploit the flaw in runC described in CVE-2019-5736 and gain "root privileges on the host running the container." Once that's done, it gives an attacker "unlimited access to the server as well as any other containers on that server," the Kubernetes post explained.
The vulnerability was verified and a patch has been created, according to a post to a security mailing-list thread by Aleksa Sarai, one of the maintainers of runC. He credited two researchers for discovering the flaw and said that he had additionally discovered that "LXC was also vulnerable to a more convoluted version of this flaw." LXC is a Linux kernel "userspace interface," providing an API for creating and managing application containers, according to this document.
To carry out an exploit, an attacker could use a new container with an "attacker-controlled image" to exploit the runC vulnerability. Alternatively, they could use an existing container for the purpose if they have write access to it, Sarai explained.
As a solution, organizations can upgrade the runC package or they can upgrade their "OS image if using immutable images," the Kubernetes post explained.
Several software vendors have already issued updates to address the vulnerability. Google recommended in a security bulletin that Google Kubernetes Engine users should "upgrade to the latest patch version as soon as possible." Red Hat noted that several of its products were affected and described upgrades in a security notice. Amazon Web Services (AWS) issued a security bulletin describing updates for various AWS products.
Microsoft noted in an announcement that its Azure Kubernetes Service (AKS) was affected, and it recommended that AKS users should "upgrade your Kubernetes cluster." An AKS update is yet to come for "GPU-based nodes," it added. Microsoft is applying the update from the Open Container Initiative to its affected services to address the issue. This update is included in "a new version of the Moby container runtime" that Microsoft has built, the announcement explained.
In addition, users of the Azure IoT Edge service are subject to the vulnerability, according to another Microsoft announcement. Azure IoT Edge users should "upgrade the container runtime on your IoT Edge device," according to the announcement, which offered instructions. The announcement added that organizations should "update Docker Engine (18.09.2 or more recent) if you're testing or developing with Docker [engine] instead of the Microsoft-built Moby-engine."
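The vendor guidance above boils down to one check an operator has to make on every host: is the installed container runtime at or above the patched release? The following script is an added example, not part of the article or of any vendor's tooling. It compares a Docker Engine version string against the 18.09.2 release named in Microsoft's IoT Edge guidance, querying the local daemon when one is present and otherwise falling back to a few constructed sample strings. The `docker version --format` invocation is a real Docker CLI call; the sample strings and the choice of 18.09.2 as the minimum are the only values it assumes from the article.

```python
"""Check whether a Docker Engine version is at or above the patched release.

Added example (not from the article or any vendor). The reference version is
the Docker Engine release the article's Microsoft IoT Edge guidance names;
the SAMPLES list is constructed for illustration only.
"""
import re
import subprocess
from typing import Optional, Tuple

# Patched Docker Engine release cited in the article (Azure IoT Edge guidance).
PATCHED_DOCKER_ENGINE = "18.09.2"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '18.09.2-ce', 'v19.03.1' or '18.09.2' into a comparable tuple.

    Only the leading numeric components are used; a suffix such as '-ce' or a
    build tag does not change which fixes the release carries, so it is ignored.
    """
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip().lstrip("v"))
    if not match:
        raise ValueError("unrecognised version string: %r" % version)
    return tuple(int(part) for part in match.groups())


def is_patched(version: str, minimum: str = PATCHED_DOCKER_ENGINE) -> bool:
    """True when `version` is at or above `minimum`.

    Tuple comparison is used deliberately: a plain string comparison would rank
    '18.09.10' below '18.09.2' and report a patched host as vulnerable.
    """
    return parse_version(version) >= parse_version(minimum)


def installed_docker_version() -> Optional[str]:
    """Ask the local daemon for its server version; None if docker is unavailable."""
    try:
        result = subprocess.run(
            ["docker", "version", "--format", "{{.Server.Version}}"],
            capture_output=True, text=True, timeout=10, check=True,
        )
    except (FileNotFoundError, subprocess.CalledProcessError,
            subprocess.TimeoutExpired):
        return None
    return result.stdout.strip()


# Constructed sample strings of the kind `docker version` prints on various hosts.
SAMPLES = ["18.06.1-ce", "18.09.1", "18.09.2", "18.09.10", "19.03.0"]

if __name__ == "__main__":
    live = installed_docker_version()
    for candidate in ([live] if live else SAMPLES):
        verdict = "patched" if is_patched(candidate) else "VULNERABLE - upgrade"
        print("docker engine %-12s %s" % (candidate, verdict))
```

Run it on a host with Docker installed to check the live daemon; without Docker it prints the verdict for the constructed samples so the comparison logic can be inspected. The same `is_patched` function can be reused with a different `minimum` for any other runtime whose patched release is known.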
Notably, Microsoft indicated that "Windows containers on Windows are not affected" by the CVE-2019-5736 vulnerability.
Commenting on the whole issue of using containers to attack the host, Jeff Woolsey, a principal program manager for Windows Server and hybrid cloud at Microsoft, said in a Twitter post that "this is why we created containers with Hyper-V isolation."
Harden the Host OS
This runC vulnerability marks a major concern for organizations using containers and virtualized environments, according to Mark Nunnikhoven, vice president of cloud research at Trend Micro.
"This vulnerability demonstrates that each container can be a risk to the host," Nunnikhoven said in a Trend Micro blog post. He noted that containers weren't really designed with security in mind and are more optimized to address developer concerns with application conflicts. Moreover, containers are different from virtual machines, he noted:
Here, the attack highlights the biggest security weakness of containers: they are loosely isolated sharing the same host operating system. This is in stark contrast to virtual machines which are isolated instances of a complete operating system.
Nunnikhoven emphasized the importance of assuring security at the level of the host operating system when using containers:
In the case of CVE-2019-5736, the container host's security is paramount. Hardening the host's operating system by reducing the number of available services -- it should only run the container runtime, host security controls, and host monitoring applications -- to the bare minimum is critical to security success.
Organizations should follow up, as well, and use "security controls like integrity monitoring, log inspection, and application control" to ensure that the host OS security remains hardened, he added.
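Of the controls Nunnikhoven names, integrity monitoring is the one that most directly covers a hardened container host: a baseline of the runtime binaries, checked on a schedule, tells you when one of them has changed out from under you. The script below is an added example, not the article's or Trend Micro's code, and not a substitute for a full integrity-monitoring product. It records a SHA-256 hash plus size, mode and owner for a list of paths, reports every path that no longer matches, and includes a demonstration that runs against a constructed fake binary in a temporary directory. The runtime paths in `DEFAULT_PATHS` are assumptions about a typical Linux host.

```python
"""Minimal file-integrity check for container runtime binaries on a host.

Added example (not from the article or any vendor). DEFAULT_PATHS are assumed
locations on a typical Linux host; demo_in_tempdir() uses a constructed file
instead so the logic can be exercised anywhere.
"""
import hashlib
import json
import os
import stat
import sys
import tempfile
from typing import Dict, List, Optional, Tuple

# Assumed locations of the runtime binaries; adjust to the distribution in use.
DEFAULT_PATHS = ["/usr/bin/runc", "/usr/bin/docker", "/usr/bin/containerd"]

Fingerprint = Optional[Dict[str, object]]


def sha256_of(path: str) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def fingerprint(path: str) -> Fingerprint:
    """Hash plus the metadata a replaced or re-owned binary would also disturb.

    Returns None for a path that does not exist, so an absent binary is part
    of the baseline too and its later appearance is reported.
    """
    if not os.path.exists(path):
        return None
    info = os.stat(path)
    return {
        "sha256": sha256_of(path),
        "size": info.st_size,
        "mode": stat.S_IMODE(info.st_mode),
        "uid": info.st_uid,
    }


def build_baseline(paths: List[str]) -> Dict[str, Fingerprint]:
    return {path: fingerprint(path) for path in paths}


def check_against(baseline: Dict[str, Fingerprint]) -> List[str]:
    """Return one finding per path whose current state differs from the baseline."""
    findings = []
    for path, before in baseline.items():
        now = fingerprint(path)
        if before == now:
            continue
        if before is None:
            findings.append("%s: appeared since baseline" % path)
        elif now is None:
            findings.append("%s: missing since baseline" % path)
        else:
            changed = [key for key in before if before[key] != now[key]]
            findings.append("%s: changed %s" % (path, ", ".join(changed)))
    return findings


def demo_in_tempdir() -> Tuple[List[str], List[str]]:
    """Baseline a constructed fake 'runc', then overwrite it and re-check.

    Returns (findings before tampering, findings after tampering).
    """
    workdir = tempfile.mkdtemp(prefix="fim-demo-")
    fake_runc = os.path.join(workdir, "runc")
    with open(fake_runc, "wb") as handle:
        handle.write(b"constructed stand-in for a runtime binary\n")
    baseline = build_baseline([fake_runc, os.path.join(workdir, "absent")])
    clean = check_against(baseline)
    with open(fake_runc, "wb") as handle:       # simulate the binary being replaced
        handle.write(b"different contents of a different length\n")
    return clean, check_against(baseline)


if __name__ == "__main__":
    # Usage: script.py baseline <file>   or   script.py check <file>
    if len(sys.argv) == 3 and sys.argv[1] == "baseline":
        with open(sys.argv[2], "w") as out:
            json.dump(build_baseline(DEFAULT_PATHS), out, indent=2)
    elif len(sys.argv) == 3 and sys.argv[1] == "check":
        with open(sys.argv[2]) as src:
            for line in check_against(json.load(src)) or ["no changes detected"]:
                print(line)
    else:
        before, after = demo_in_tempdir()
        print("before tampering:", before or "clean")
        print("after tampering: ", after)
```

Store the baseline file somewhere the host's containers cannot write (or off-host entirely) and run the `check` mode from a scheduled job that forwards its findings to the same log pipeline the host's other monitoring uses; a baseline kept beside the binaries it protects can be rewritten along with them.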
Kurt Mackie is senior news producer for the 1105 Enterprise Computing Group.