
Critical runc Container Escape Vulnerability Advisory (CVE-2019-5736)

A critical vulnerability in the runc container runtime (CVE-2019-5736) lets a malicious container overwrite the host's runc binary, giving attackers root-level code execution on the host, from which they can compromise other containers, the host system and the network. It carries a CVSS 3.0 score of 7.2, affects runc, Apache Mesos and LXC, and requires prompt updates.

Tencent Cloud Developer

Tencent Cloud Security Center recently discovered a container escape vulnerability in runc, a lightweight container runtime. This vulnerability allows attackers to overwrite the runc binary on the host system, enabling code execution with root privileges on the host. Once exploited, attackers can potentially attack other containers or the host machine itself.

[Vulnerability Details]

runc is a lightweight universal container runtime - a command-line tool that generates and runs containers according to the Open Container Initiative (OCI) specification. If exploited, this vulnerability allows a malicious container (with minimal user interaction) to overwrite the runc file on the host, thereby executing code with root privileges on the host and attacking other containers or the host system. The CVSSv3 base score is 7.2 (High severity).

[Risk Level]

High Risk

[Security Impact]

Container escape attack risk. Exploiting the vulnerable runc can grant attackers root access to the host, which can then be used to attack other containers or machines on the network.

[Affected Versions]

In addition to runc, Apache Mesos and LXC are also affected by this vulnerability.

[Remediation Recommendations]

If you are using Tencent Cloud Container Service (TKE), you can fix this vulnerability through the following methods. Please conduct security self-checks promptly and apply updates if affected to prevent external attacks.
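A host-side self-check of the kind the recommendation above asks for, added here as an example and not code from the advisory, runc or TKE. It assumes the operator recorded a trusted SHA-256 of the patched runc binary right after updating; the placeholder hash, the /usr/bin/runc default path and the stand-in file built in run_demo are constructed for illustration.

```python
# Added example: detect an overwritten host runc binary (CVE-2019-5736 outcome).
import hashlib
import os
import shutil
import stat
import tempfile

TRUSTED_RUNC_SHA256 = "0" * 64  # constructed placeholder, record the real one per host

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_runc(path="/usr/bin/runc", trusted_sha256=TRUSTED_RUNC_SHA256):
    """Return a list of findings; an empty list means no sign of tampering."""
    findings = []
    try:
        st = os.stat(path)  # follows symlinks, so the real binary is checked
    except FileNotFoundError:
        return ["runc binary not found at %s" % path]
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("runc is group- or world-writable")
    digest = sha256_of(path)
    if digest != trusted_sha256:
        findings.append("runc SHA-256 %s differs from trusted baseline" % digest)
    return findings

def run_demo():
    """Exercise check_runc on a constructed stand-in for /usr/bin/runc."""
    tmpdir = tempfile.mkdtemp()
    fake_runc = os.path.join(tmpdir, "runc")
    with open(fake_runc, "wb") as f:
        f.write(b"#!/bin/sh\necho constructed runc stand-in\n")
    os.chmod(fake_runc, 0o755)
    trusted = sha256_of(fake_runc)  # baseline taken right after the update
    clean = check_runc(fake_runc, trusted)
    # Reproduce the post-exploitation state the advisory describes: replaced binary.
    with open(fake_runc, "wb") as f:
        f.write(b"#!/bin/sh\necho replaced\n")
    tampered = check_runc(fake_runc, trusted)
    shutil.rmtree(tmpdir)
    return clean, tampered
```

Run check_runc from a host cron job or your integrity-monitoring agent against the real path and baseline; any non-empty result warrants isolating the node and redeploying the patched package.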

[References]

1. Vulnerability Details: https://www.openwall.com/lists/oss-security/2019/02/11/2

2. Fix Reference: https://github.com/opencontainers/runc/commit/0a8e4117e7f715d5fbeef3984058f13ce8e88558b

3. LXC Fix: https://github.com/lxc/lxc/commit/64a0e238d08cdf1ca20d49bafb85f4e224348bf9d
