Researchers Find ‘Doomsday’ Bug In Docker, Most Other Container Systems

Researchers have uncovered a serious bug in Docker and other popular operating system-level virtualisation tools that could allow a malicious container to take over a host system.

Aleksa Sarai, one of the maintainers of runc, the default container runtime built into Docker, cri-o, containerd, Kubernetes and other tools, said the takeover issue is not unique to runc and that “it is quite likely that most container runtimes are vulnerable to this flaw, unless they took very strange mitigations beforehand”.

Sarai said the Linux-oriented LXC container tool is vulnerable to a more convoluted version of the bug and that Apache Mesos is also affected.

He said the issue, discovered by researchers Adam Iwaniuk and Borys Poplawski, can be exploited with “minimal” user interaction.

‘Doomsday scenario’

“The level of user interaction is being able to run any command… as root within a container in either of these contexts: creating a new container using an attacker-controlled image… (or) attaching (docker exec) into an existing container which the attacker had previous write access to,” Sarai wrote in an advisory.

Containers have become a popular way of dividing up computing resources, and one of their defining features is that, in theory, each container should function as a distinct system with limited access to other containers or to the host system.

That makes any potential access by a malicious container to a host or to other containers particularly serious.

“Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” wrote Red Hat technical product manager for containers Scott McCarty.

“While there are very few incidents that could qualify as a doomsday scenario for enterprise IT, a cascading set of exploits affecting a wide range of interconnected production systems qualifies… and that’s exactly what this vulnerability represents.”

Exploit code

Sarai said the bug, tracked as CVE-2019-5736, is not blocked by the default AppArmor policy or by the default SELinux policy on Fedora, but is blocked in cases where user namespaces are used correctly.
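The one mitigation the article singles out is user namespaces. The following shell script is an added example, not code from the article or from the runc project: it checks whether a Docker daemon configuration file enables user-namespace remapping (the standard `userns-remap` key in `daemon.json`), and contrasts a configuration without it against one with it. The two sample files are constructed inline, so the script runs offline; checking a live host would mean pointing it at `/etc/docker/daemon.json`.

```shell
#!/bin/sh
# Added example (not from the article): detect whether a Docker daemon.json
# turns on user-namespace remapping, the mitigation the article says blocks
# CVE-2019-5736 when user namespaces are used correctly.

# Return 0 when the given daemon.json sets "userns-remap" to a non-empty
# value (e.g. "default" or "user:group"), 1 when the key is absent or empty.
userns_remap_enabled() {
    cfg="$1"
    [ -f "$cfg" ] || return 1
    # Strip whitespace so the key/value pair matches regardless of layout.
    tr -d ' \n\t' < "$cfg" | grep -Eq '"userns-remap":"[^"]+"'
}

# Print a one-line verdict for a configuration file.
report_userns() {
    if userns_remap_enabled "$1"; then
        echo "$1: userns-remap enabled (user namespace mitigation in place)"
    else
        echo "$1: userns-remap NOT set (containers run as host root)"
    fi
}

# Constructed sample configurations: a weak one without remapping and a
# corrected one that remaps container root to an unprivileged host range.
weak_cfg=$(mktemp)
corrected_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
{
  "log-driver": "json-file"
}
EOF
cat > "$corrected_cfg" <<'EOF'
{
  "log-driver": "json-file",
  "userns-remap": "default"
}
EOF

report_userns "$weak_cfg"
report_userns "$corrected_cfg"
```

On a real host, `docker info` also lists `userns` under "Security Options" once remapping is active, which is a quick cross-check that the daemon actually picked the setting up rather than just having it in the file.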

Amazon Web Services has said that a patch is available for Amazon Linux, but that it is still creating patches for Amazon Elastic Container Service (Amazon ECS), Amazon Elastic Container Service for Kubernetes (Amazon EKS), and AWS Fargate.

Sarai released a patch for runc and said exploit code is available for vendors to use in testing their systems. He said the exploit code would be released publicly on 18 February.

“If you have a container runtime, please verify that you are not vulnerable to this issue beforehand,” he wrote.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
