Security researchers have discovered a critical flaw in runc, the default runtime for Docker and Kubernetes, allowing a malicious container to attack the host and all other containers running on it.
Aleksa Sarai — one of the maintainers for runc — made the announcement on Tuesday, attributing the discovery to researchers Adam Iwaniuk and Borys Poplawski. The runc runtime also supports containerd, Podman, CRI-O and countless other container offerings.
“The vulnerability allows a malicious container to (with minimal user interaction) overwrite the host runc binary and thus gain root-level code execution on the host,” said Sarai.
“The level of user interaction is being able to run any command (it doesn’t matter if the command is not attacker-controlled) as root within a container in either of these contexts: creating a new container using an attacker-controlled image; attaching (docker exec) into an existing container which the attacker had previous write access to.”
RedHat senior principal product manager for containers, Scott McCarty, described this as a “bad scenario” for IT managers and CXOs.
“Containers represent a move back toward shared systems where applications from many different users all run on the same Linux host. Exploiting this vulnerability means that malicious code could potentially break containment, impacting not just a single container, but the entire container host, ultimately compromising the hundreds-to-thousands of other containers running on it,” he added.
“A cascading set of exploits affecting a wide range of interconnected production systems qualifies as a difficult scenario for any IT organization and that’s exactly what this vulnerability represents.”
The same vulnerability also affects LXC and Apache Mesos containers, meaning virtually any organization running containers should get patching urgently.
“This isn’t the first major flaw in a container runtime to come to light and, as container deployments and interest in associated technologies increase, it’s unlikely to be the last,” said McCarty.
“Just as Spectre/Meltdown last year represented a shift in security research to processor architectures from software architectures, we should expect that low-level container runtimes like runc and container engines like docker will now experience additional scrutiny from researchers and potentially malicious actors as well.”